# ktor

John O'Reilly

06/27/2022, 1:07 PM
Is there a way when using Ktor embedded server with Netty to block use of TLS 1.0 and 1.1?
I see suggestions like the following but not sure if/how that can be done when using Ktor/Netty https://stackoverflow.com/questions/65680170/how-to-exclude-weak-protocols-ciphers-suits-from-the-netty-sslcontext
I think I can get access to `connector` and extract some of the code in `NettyChannelInitializer` for example.....
(btw still have to use 1.6.x here....and running on Android fwiw)
I built ktor locally here and included the following in `NettyChannelInitializer`

```kotlin
protocols("TLSv1.3", "TLSv1.2")
```

but for some reason the following is still working

```shell
openssl s_client -connect <ip address>:443 -tls1
```
ah, it did actually work....I had initially put that `protocols` call inside the `if (alpnProvider != null)` block but that is actually null!

```kotlin
sslContext = SslContextBuilder.forServer(pk, *certs).apply {
    // Restrict the server to TLS 1.2 and 1.3; TLS 1.0/1.1 handshakes are rejected.
    protocols("TLSv1.3", "TLSv1.2")
    // alpnProvider is null in this setup, so this branch is skipped
    if (alpnProvider != null) {
        sslProvider(alpnProvider)
    }
}.build()
```
Just need to see now if there's any way to set this without custom build of ktor
@Aleksei Tirman [JB] just in case you might know if this is possible....or would it be worth creating a PR to allow this to be customised?

Aleksei Tirman [JB]

06/29/2022, 11:03 AM
Unfortunately, I didn’t find an extension point to do it. You can file a feature request to address this problem.

John O'Reilly

06/29/2022, 11:09 AM
ok, have created that (https://youtrack.jetbrains.com/issue/KTOR-4587/Way-to-block-use-of-TLS-1011-when-using-KtorNetty) - let me know if any more info is needed....or, as mentioned, if it's worth me trying to create a PR to address this
I've created a fork/branch off 1.6.3 (version we're currently on) that has the TLS fix. If I run `./gradlew publishToMavenLocal` and use `mavenLocal()` in the project using ktor (using the custom version we're using) then it works fine. However, when I try to publish to the gitlab maven repo I'm running in to some issues with symbols not found for a few of the artifacts (have updated `publish.gradle` locally to point to our repo). Is there a particular publication task I should run (have tried a few)? Screenshot shows example....
`ktor-server-core` seems fine but having issues resolving symbols from `ktor-server-host-common` for some reason
hmm, I've no idea what the cause of the issue was but I changed the version number and did a fresh publication and it seems to be ok now.....perhaps something had gone wrong with the previous publication or perhaps some caching issue.....
@Aleksei Tirman [JB] I can try and create a PR for this....do you have any particular preference for where/how this should be configured?

Aleksei Tirman [JB]

07/14/2022, 9:38 AM
I don’t. @e5l, please advise.

e5l

07/14/2022, 9:55 AM
Yep, a PR would be great. We actually can add it to `2.1.0` this month if there are no breaking changes

John O'Reilly

07/14/2022, 12:22 PM
I would need to rebase this off master (currently based on 1.6.3) and add tests but just to check if the following is a reasonable approach here (seems to be the one used later on with trust store config) https://github.com/ktorio/ktor/compare/main...joreilly:ktor:tls_version_block?expand=1

e5l

07/14/2022, 12:22 PM
Yep

John O'Reilly

07/15/2022, 8:20 AM
the above code is just for Netty (which is what we're using here).....assume similar code would need to be added for Jetty and Tomcat? Also looks like there's an `.api` file that needs to be updated?

e5l

07/15/2022, 8:21 AM
It's ok to update `.api` with the `apiDump` gradle task

John O'Reilly

07/15/2022, 8:53 AM
ok, I've updated to rebase on the latest code and also added code for Tomcat and Jetty.....need to see now how best to test this (any pointers very warmly welcomed 🙂 ) https://github.com/ktorio/ktor/compare/main...joreilly:ktor:enable_protocols?expand=1
(fixed url)

e5l

07/15/2022, 10:24 AM
Could you open PR?

John O'Reilly

07/15/2022, 10:24 AM
I still haven't figured out tests yet....will I open it up as is for now?

e5l

07/15/2022, 10:24 AM
I can run tests on CI

John O'Reilly

07/15/2022, 10:24 AM
ok
seeing several failures in the CI tests so far for the PR but haven't been able to link them yet to my changes.....but I could be missing something
I had run `jvmTest` here locally fwiw and they had passed

e5l

07/15/2022, 11:05 AM
Yep, it looks like the failures are not related

John O'Reilly

08/03/2022, 12:34 PM
Looks like builds are ok now again? However I don't seem to have the ability to retry the build for that PR?