Enforce h2 TLS rules after negotiating TLS, not before

commit: a1adf7910069a1dff0d862fa71e4066776a2474f [log] [tgz]
author: Ryan Schmitt <rschmitt@apache.org> Thu Sep 26 15:39:36 2019 -0700
committer: Ryan Schmitt <rschmitt@apache.org> Fri Sep 27 13:09:40 2019 -0700
tree: c9a21036f8f9f4753d6e769e64b3f8f5b494c7a2
parent: 5d21af4849451689c585a0a1a76fb4b03c431911 [diff]
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
index 239c14c..72859c6 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/AbstractClientTlsStrategy.java

@@ -34,6 +34,7 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 
@@ -44,6 +45,7 @@
 import org.apache.hc.core5.http.ssl.TLS;
 import org.apache.hc.core5.http.ssl.TlsCiphers;
 import org.apache.hc.core5.http2.HttpVersionPolicy;
+import org.apache.hc.core5.http2.ssl.ApplicationProtocols;
 import org.apache.hc.core5.http2.ssl.H2TlsSupport;
 import org.apache.hc.core5.net.NamedEndpoint;
 import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
@@ -107,7 +109,7 @@
                 }
                 if (supportedCipherSuites != null) {
                     sslParameters.setCipherSuites(supportedCipherSuites);
-                } else if (versionPolicy != HttpVersionPolicy.FORCE_HTTP_1) {
+                } else if (versionPolicy == HttpVersionPolicy.FORCE_HTTP_2) {
                     sslParameters.setCipherSuites(TlsCiphers.excludeH2Blacklisted(sslParameters.getCipherSuites()));
                 }
 
@@ -130,7 +132,15 @@
             @Override
             public TlsDetails verify(final NamedEndpoint endpoint, final SSLEngine sslEngine) throws SSLException {
                 verifySession(host.getHostName(), sslEngine.getSession());
-                return createTlsDetails(sslEngine);
+                final TlsDetails tlsDetails = createTlsDetails(sslEngine);
+                final String negotiatedCipherSuite = sslEngine.getSession().getCipherSuite();
+                if (tlsDetails != null && ApplicationProtocols.HTTP_2.id.equals(tlsDetails.getApplicationProtocol())) {
+                    if (TlsCiphers.isH2Blacklisted(negotiatedCipherSuite)) {
+                        throw new SSLHandshakeException("Cipher suite `" + negotiatedCipherSuite
+                            + "` does not provide adequate security for HTTP/2");
+                    }
+                }
+                return tlsDetails;
             }
 
         }, handshakeTimeout);
commit	a1adf7910069a1dff0d862fa71e4066776a2474f	[log] [tgz]
author	Ryan Schmitt <rschmitt@apache.org>	Thu Sep 26 15:39:36 2019 -0700
committer	Ryan Schmitt <rschmitt@apache.org>	Fri Sep 27 13:09:40 2019 -0700
tree	c9a21036f8f9f4753d6e769e64b3f8f5b494c7a2
parent	5d21af4849451689c585a0a1a76fb4b03c431911 [diff]