Correctly select the cipher suites based on the HTTP protocol and use SystemPropertyTlsKeyManagersProvider if no KeyManger is provided.

Author: zoewangg

.changes/next-release/bugfix-NettyNIOHTTPClient-dd43cf4.json

@@ -0,0 +1,6 @@
+{
+    "category": "Netty NIO HTTP Client", 
+    "contributor": "", 
+    "type": "bugfix", 
+    "description": "Use `SystemPropretyTlsKeyManagersProvider` if no `KeyManger` is provided."
+}

.changes/next-release/feature-NettyNIOHTTPClient-e7d2844.json

@@ -0,0 +1,6 @@
+{
+    "category": "Netty NIO HTTP Client", 
+    "contributor": "", 
+    "type": "bugfix",
+    "description": "Correctly select the cipher suites based on the HTTP protocol. See [#2159](https://github.com/aws/aws-sdk-java-v2/issues/2159)"
+}

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/AwaitCloseChannelPoolMap.java

@@ -21,17 +21,12 @@
 import io.netty.channel.Channel;
 import io.netty.channel.pool.ChannelPool;
 import io.netty.channel.pool.ChannelPoolHandler;
-import io.netty.handler.codec.http2.Http2SecurityUtil;
 import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
-import io.netty.handler.ssl.SupportedCipherSuiteFilter;
-import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.Duration;
 import java.util.Collection;
-import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ConcurrentHashMap;
@@ -40,18 +35,13 @@
 import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Function;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManagerFactory;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.annotations.SdkTestInternalApi;
 import software.amazon.awssdk.http.Protocol;
 import software.amazon.awssdk.http.nio.netty.ProxyConfiguration;
 import software.amazon.awssdk.http.nio.netty.SdkEventLoopGroup;
 import software.amazon.awssdk.http.nio.netty.internal.http2.HttpOrHttp2ChannelPool;
 import software.amazon.awssdk.utils.Logger;
-import software.amazon.awssdk.utils.Validate;
 
 /**
  * Implementation of {@link SdkChannelPoolMap} that awaits channel pools to be closed upon closing.
@@ -126,10 +116,7 @@ public static Builder builder() {
 
     @Override
     protected SimpleChannelPoolAwareChannelPool newPool(URI key) {
-        SslContext sslContext = null;
-        if (needSslContext(key)) {
-            sslContext = sslContextProvider.sslContext();
-        }
+        SslContext sslContext = needSslContext(key) ? sslContextProvider.sslContext() : null;
 
         Bootstrap bootstrap = createBootstrap(key);
 

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/SslContextProvider.java

@@ -21,12 +21,15 @@
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import java.util.List;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManagerFactory;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.Protocol;
+import software.amazon.awssdk.http.SystemPropertyTlsKeyManagersProvider;
+import software.amazon.awssdk.http.TlsTrustManagersProvider;
 import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.Validate;
 
@@ -49,7 +52,7 @@ public SslContext sslContext() {
         try {
             return SslContextBuilder.forClient()
                                     .sslProvider(sslProvider)
-                                    .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
+                                    .ciphers(getCiphers(), SupportedCipherSuiteFilter.INSTANCE)
                                     .trustManager(trustManagerFactory)
                                     .keyManager(keyManagerFactory)
                                     .build();
@@ -58,12 +61,25 @@ public SslContext sslContext() {
         }
     }
 
+    /**
+     * HTTP/2: per Rfc7540, there is a blocked list of cipher suites for HTTP/2, so setting
+     * the recommended cipher suites directly here
+     *
+     * HTTP/1.1: return null so that the default ciphers suites will be used
+     * https://github.com/netty/netty/blob/0dc246eb129796313b58c1dbdd674aa289f72cad/handler/src/main/java/io/netty/handler/ssl
+     * /SslUtils.java
+     */
+    private List<String> getCiphers() {
+        return protocol.equals(Protocol.HTTP2) ? Http2SecurityUtil.CIPHERS : null;
+    }
+
     private TrustManagerFactory getTrustManager(NettyConfiguration configuration) {
-        Validate.isTrue(configuration.tlsTrustManagersProvider() == null || !configuration.trustAllCertificates(),
+        TlsTrustManagersProvider tlsTrustManagersProvider = configuration.tlsTrustManagersProvider();
+        Validate.isTrue(tlsTrustManagersProvider == null || !configuration.trustAllCertificates(),
                         "A TlsTrustManagerProvider can't be provided if TrustAllCertificates is also set");
 
-        if (configuration.tlsTrustManagersProvider() != null) {
-            return StaticTrustManagerFactory.create(configuration.tlsTrustManagersProvider().trustManagers());
+        if (tlsTrustManagersProvider != null) {
+            return StaticTrustManagerFactory.create(tlsTrustManagersProvider.trustManagers());
         }
 
         if (configuration.trustAllCertificates()) {
@@ -72,6 +88,7 @@ private TrustManagerFactory getTrustManager(NettyConfiguration configuration) {
             return InsecureTrustManagerFactory.INSTANCE;
         }
 
+        // return null so that the system default trust manager will be used
         return null;
     }
 
@@ -82,6 +99,8 @@ private KeyManagerFactory getKeyManager(NettyConfiguration configuration) {
                 return StaticKeyManagerFactory.create(keyManagers);
             }
         }
-        return null;
+
+        KeyManager[] systemPropertyKeyManagers = SystemPropertyTlsKeyManagersProvider.create().keyManagers();
+        return systemPropertyKeyManagers == null ? null : StaticKeyManagerFactory.create(systemPropertyKeyManagers);
     }
 }

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/internal/AwaitCloseChannelPoolMapTest.java

@@ -224,10 +224,11 @@ public void usesProvidedKeyManagersProvider() {
                 .build();
 
         channelPoolMap = AwaitCloseChannelPoolMap.builder()
-                .sdkChannelOptions(new SdkChannelOptions())
-                .sdkEventLoopGroup(SdkEventLoopGroup.builder().build())
-                .configuration(new NettyConfiguration(config.merge(GLOBAL_HTTP_DEFAULTS)))
-                .build();
+                                                 .sdkChannelOptions(new SdkChannelOptions())
+                                                 .sdkEventLoopGroup(SdkEventLoopGroup.builder().build())
+                                                 .protocol(Protocol.HTTP1_1)
+                                                 .configuration(new NettyConfiguration(config.merge(GLOBAL_HTTP_DEFAULTS)))
+                                                 .build();
 
         ChannelPool channelPool = channelPoolMap.newPool(URI.create("https://localhost:" + mockProxy.port()));
         channelPool.acquire().awaitUninterruptibly();

http-clients/netty-nio-client/src/test/java/software/amazon/awssdk/http/nio/netty/internal/SslContextProviderTest.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.nio.netty.internal;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static software.amazon.awssdk.http.SdkHttpConfigurationOption.TLS_KEY_MANAGERS_PROVIDER;
+import static software.amazon.awssdk.http.SdkHttpConfigurationOption.TLS_TRUST_MANAGERS_PROVIDER;
+import static software.amazon.awssdk.http.SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES;
+
+import io.netty.handler.codec.http2.Http2SecurityUtil;
+import io.netty.handler.ssl.SslProvider;
+import javax.net.ssl.TrustManager;
+import org.junit.Test;
+import org.mockito.Mockito;
+import software.amazon.awssdk.http.Protocol;
+import software.amazon.awssdk.http.SdkHttpConfigurationOption;
+import software.amazon.awssdk.http.TlsKeyManagersProvider;
+import software.amazon.awssdk.http.TlsTrustManagersProvider;
+import software.amazon.awssdk.utils.AttributeMap;
+
+public class SslContextProviderTest {
+
+    @Test
+    public void sslContext_h2WithJdk_h2CiphersShouldBeUsed() {
+        SslContextProvider sslContextProvider = new SslContextProvider(new NettyConfiguration(SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS),
+                                                                       Protocol.HTTP2,
+                                                                       SslProvider.JDK);
+
+        assertThat(sslContextProvider.sslContext().cipherSuites()).isSubsetOf(Http2SecurityUtil.CIPHERS);
+    }
+
+    @Test
+    public void sslContext_h2WithOpenSsl_h2CiphersShouldBeUsed() {
+        SslContextProvider sslContextProvider = new SslContextProvider(new NettyConfiguration(SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS),
+                                                                       Protocol.HTTP2,
+                                                                       SslProvider.OPENSSL);
+
+        assertThat(sslContextProvider.sslContext().cipherSuites()).isSubsetOf(Http2SecurityUtil.CIPHERS);
+    }
+
+    @Test
+    public void sslContext_h1_defaultCipherShouldBeUsed() {
+        SslContextProvider sslContextProvider = new SslContextProvider(new NettyConfiguration(SdkHttpConfigurationOption.GLOBAL_HTTP_DEFAULTS),
+                                                                       Protocol.HTTP1_1,
+                                                                       SslProvider.JDK);
+
+        assertThat(sslContextProvider.sslContext().cipherSuites()).isNotIn(Http2SecurityUtil.CIPHERS);
+    }
+
+    @Test
+    public void customizedKeyManagerPresent_shouldUseCustomized() {
+        TlsKeyManagersProvider mockProvider = Mockito.mock(TlsKeyManagersProvider.class);
+        SslContextProvider sslContextProvider = new SslContextProvider(new NettyConfiguration(AttributeMap.builder()
+                                                                                                          .put(TRUST_ALL_CERTIFICATES, false)
+                                                                                                          .put(TLS_KEY_MANAGERS_PROVIDER, mockProvider)
+                                                                                                          .build()),
+                                                                       Protocol.HTTP1_1,
+                                                                       SslProvider.JDK);
+
+        sslContextProvider.sslContext();
+        Mockito.verify(mockProvider).keyManagers();
+    }
+
+    @Test
+    public void customizedTrustManagerPresent_shouldUseCustomized() {
+        TlsTrustManagersProvider mockProvider = Mockito.mock(TlsTrustManagersProvider.class);
+        TrustManager mockTrustManager = Mockito.mock(TrustManager.class);
+        Mockito.when(mockProvider.trustManagers()).thenReturn(new TrustManager[] {mockTrustManager});
+        SslContextProvider sslContextProvider = new SslContextProvider(new NettyConfiguration(AttributeMap.builder()
+                                                                                                          .put(TRUST_ALL_CERTIFICATES, false)
+                                                                                                          .put(TLS_TRUST_MANAGERS_PROVIDER, mockProvider)
+                                                                                                          .build()),
+                                                                       Protocol.HTTP1_1,
+                                                                       SslProvider.JDK);
+
+        sslContextProvider.sslContext();
+        Mockito.verify(mockProvider).trustManagers();
+    }
+
+    @Test
+    public void TlsTrustManagerAndTrustAllCertificates_shouldThrowException() {
+        TlsTrustManagersProvider mockProvider = Mockito.mock(TlsTrustManagersProvider.class);
+        assertThatThrownBy(() -> new SslContextProvider(new NettyConfiguration(AttributeMap.builder()
+                                                                                           .put(TRUST_ALL_CERTIFICATES, true)
+                                                                                           .put(TLS_TRUST_MANAGERS_PROVIDER,
+                                                                                                mockProvider)
+                                                                                           .build()),
+                                                        Protocol.HTTP1_1,
+                                                        SslProvider.JDK)).isInstanceOf(IllegalArgumentException.class)
+                                                                         .hasMessageContaining("A TlsTrustManagerProvider can't"
+                                                                                               + " be provided if "
+                                                                                               + "TrustAllCertificates is also "
+                                                                                               + "set");
+
+    }
+}