odnoklassniki · avrecko · Dec 21, 2024 · Dec 21, 2024
diff --git a/src/one/nio/net/JavaSslClientContext.java b/src/one/nio/net/JavaSslClientContext.java
@@ -64,6 +64,11 @@ public void setCiphers(String ciphers) throws SSLException {
         parameters.setCipherSuites(ciphers.split(":"));
     }
 
+    @Override
+    public void setCiphersuites(String ciphersuites) throws SSLException {
+        // Ignore
+    }
+
     @Override
     public void setCurve(String curve) throws SSLException {
         // Ignore

diff --git a/src/one/nio/net/NativeSslContext.java b/src/one/nio/net/NativeSslContext.java
@@ -199,6 +199,9 @@ public void setSessionCache(String mode, int size) throws SSLException {
     @Override
     public native void setCiphers(String ciphers) throws SSLException;
 
+    @Override
+    public native void setCiphersuites(String ciphersuites) throws SSLException;
+
     /**
      * Sets the curve used for ECDH temporary keys used during key exchange.
      * Use <code>openssl ecparam -list_curves</code> to get list of supported curves.

diff --git a/src/one/nio/net/NativeSslSocket.java b/src/one/nio/net/NativeSslSocket.java
@@ -92,7 +92,7 @@ public Object getSslOption(SslOption option) {
         return null;
     }
     @Override
-    public synchronized native void handshake() throws IOException;
+    public synchronized native void handshake(String sniHostName) throws IOException;
 
     @Override
     public synchronized native int writeRaw(long buf, int count, int flags) throws IOException;

diff --git a/src/one/nio/net/Socket.java b/src/one/nio/net/Socket.java
@@ -174,7 +174,7 @@ public int send(ByteBuffer data, int flags, String host, int port) throws IOExce
         return send(data, flags, InetAddress.getByName(host), port);
     }
 
-    public void handshake() throws IOException {
+    public void handshake(String sniHostname) throws IOException {
         // Only for SSL sockets
     }
 

diff --git a/src/one/nio/net/SslConfig.java b/src/one/nio/net/SslConfig.java
@@ -25,6 +25,7 @@
 public class SslConfig {
     // Conservative ciphersuite according to https://wiki.mozilla.org/Security/Server_Side_TLS
     static final String DEFAULT_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA";
+    static final String DEFAULT_CIPHERSUITES = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
     static final String DEFAULT_CACHE_MODE = "internal";
     static final int DEFAULT_CACHE_SIZE = 262144;
     static final long DEFAULT_TIMEOUT_SEC = 300;
@@ -34,6 +35,7 @@ public class SslConfig {
     public boolean rdrand;
     public String protocols;
     public String ciphers;
+    public String ciphersuites;
     public String curve;
     public String[] certFile;
     public String[] privateKeyFile;
@@ -65,6 +67,7 @@ public static SslConfig from(Properties props) {
         SslConfig config = new SslConfig();
         config.protocols      = props.getProperty("one.nio.ssl.protocols");
         config.ciphers        = props.getProperty("one.nio.ssl.ciphers");
+        config.ciphersuites   = props.getProperty("one.nio.ssl.ciphersuites");
         config.curve          = props.getProperty("one.nio.ssl.curve");
         config.certFile       = toArray(props.getProperty("one.nio.ssl.certFile"));
         config.privateKeyFile = toArray(props.getProperty("one.nio.ssl.privateKeyFile"));

diff --git a/src/one/nio/net/SslContext.java b/src/one/nio/net/SslContext.java
@@ -84,6 +84,7 @@ public synchronized SslContext configure(SslConfig config) throws IOException {
         }
 
         setCiphers(config.ciphers != null ? config.ciphers : SslConfig.DEFAULT_CIPHERS);
+        setCiphersuites(config.ciphersuites != null ? config.ciphersuites : SslConfig.DEFAULT_CIPHERSUITES);
 
         // with null the curve will be auto-selected by openssl
         setCurve(config.curve);
@@ -307,6 +308,7 @@ void refresh() {
     public abstract void setRdrand(boolean rdrand) throws SSLException;
     public abstract void setProtocols(String protocols) throws SSLException;
     public abstract void setCiphers(String ciphers) throws SSLException;
+    public abstract void setCiphersuites(String ciphersuites) throws SSLException;
     public abstract void setCurve(String curve) throws SSLException;
     public abstract void setCertificate(String certFile) throws SSLException;
     public abstract void setPrivateKey(String privateKeyFile) throws SSLException;

diff --git a/src/one/nio/net/native/ssl.c b/src/one/nio/net/native/ssl.c
@@ -709,6 +709,20 @@ Java_one_nio_net_NativeSslContext_setCiphers(JNIEnv* env, jobject self, jstring
     }
 }
 
+JNIEXPORT void JNICALL
+Java_one_nio_net_NativeSslContext_setCiphersuites(JNIEnv* env, jobject self, jstring ciphersuites) {
+    SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);
+
+    if (ciphersuites != NULL) {
+        const char* value = (*env)->GetStringUTFChars(env, ciphersuites, NULL);
+        int result = SSL_CTX_set_ciphersuites(ctx, value);
+        (*env)->ReleaseStringUTFChars(env, ciphersuites, value);
+        if (result <= 0) {
+            throw_ssl_exception(env);
+        }
+    }
+}
+
 JNIEXPORT void JNICALL
 Java_one_nio_net_NativeSslContext_setCurve(JNIEnv* env, jobject self, jstring curve) {
     SSL_CTX* ctx = (SSL_CTX*)(intptr_t)(*env)->GetLongField(env, self, f_ctx);
@@ -1095,12 +1109,31 @@ Java_one_nio_net_NativeSslSocket_sslFree(JNIEnv* env, jclass cls, jlong sslptr)
     SSL_free(ssl);
 }
 
+static void set_tlsext_host_name(JNIEnv* env, SSL* ssl, jstring hostName) {
+     if (hostName != NULL) {
+         struct in_addr ipv4;
+         struct in6_addr ipv6;
+         const char *value = (*env) -> GetStringUTFChars(env, hostName, NULL);
+         // set sni if hostname not ipv4/ipv6
+         if (inet_pton(AF_INET, value, &ipv4) != 1 && inet_pton(AF_INET6, value, &ipv6) != 1) {
+             int result = SSL_set_tlsext_host_name(ssl, value);
+             (*env)->ReleaseStringUTFChars(env, hostName, value);
+             if (result <= 0) {
+                 check_ssl_error(env, ssl, result);
+             }
+         } else {
+             (*env)->ReleaseStringUTFChars(env, hostName, value);
+         }
+     }
+}
+
 JNIEXPORT void JNICALL
-Java_one_nio_net_NativeSslSocket_handshake(JNIEnv* env, jobject self) {
+Java_one_nio_net_NativeSslSocket_handshake(JNIEnv* env, jobject self, jstring hostName) {
     SSL* ssl = (SSL*)(intptr_t) (*env)->GetLongField(env, self, f_ssl);
     if (ssl == NULL) {
         throw_socket_closed(env);
     } else {
+        set_tlsext_host_name(env, ssl, hostName);
         int result = SSL_do_handshake(ssl);
         if (result <= 0) {
             check_ssl_error(env, ssl, result);

diff --git a/src/one/nio/pool/SocketPool.java b/src/one/nio/pool/SocketPool.java
@@ -177,7 +177,7 @@ public Socket createObject() throws PoolException {
 
             if (sslContext != null) {
                 socket = socket.sslWrap(sslContext);
-                socket.handshake();
+                socket.handshake(host);
             }
 
             return socket;