SSLSession#getCipherSuite() returns SSL_NULL_WITH_NULL_NULL with TLS 1.3

[rkapsi]

I have a FutureListener which I'm adding to SslHandler#handshakeFuture() with the purpose gathering statistics on TLS protocols and ciphers. Something like this:

void log(SslHandler handler) {
  SSLEngine sslEngine = handler.engine();
    
  Future<Channel> handshakeFuture = handler.handshakeFuture();
  handshakeFuture.addListener(new MySslLogger(sslEngine));
}

class MySslLogger implements FutureListener<Channel> {
  private final SSLEngine sslEngine;

  public HandshakeListener(SSLEngine sslEngine) {
    this.sslEngine = sslEngine;
  }

  @Override
  public void operationComplete(Future<Channel> future) throws Exception {
    SSLSession sslSession = sslEngine.getSession();
    String protocol = sslSession.getProtocol();
    String cipher = sslSession.getCipherSuite();

    System.out.println("protocol=" + protocol + ", cipher=" + cipher);
  }
}

It appears the reported cipher suite as returned by SSLSession#getCipherSuite() remains SSL_NULL_WITH_NULL_NULL in conjunction with TLS 1.3. It works fine with TLS 1.2 and the handshake itself is fine otherwise.

Expected behavior

Actual behavior

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

4.1.31

JVM version (e.g. java -version)

Tried OpenJDK 1.8.0_192 and 11.0.1

OS version (e.g. uname -a)

[normanmaurer]

@rkapsi which netty-tcnative artifact ?

[rkapsi]

@normanmaurer ah yes, a custom static build (Linux) from 2.0.19 (this commit to be exact)

[normanmaurer]

@rkapsi against openssl or BoringSSL ?

[rkapsi]

openssl

[rkapsi]

... just gave a spin with BoringSSL (built from same commit), appears to work as expected.

[normanmaurer]

hmm interesting

[normanmaurer]

@rkapsi what exact openssl version this is ?

[rkapsi]

OpenSSL 1.1.1 11 Sep 2018

https://github.com/netty/netty-tcnative/blob/master/pom.xml#L72-L75

[rkapsi]

Here's a repro...

import java.net.InetSocketAddress;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.FutureListener;

public class NullCipher {

  public static void main(String[] args) throws Exception {
    System.out.println("OpenSSL: available=" + OpenSsl.isAvailable() + ", version=" + OpenSsl.versionString());
    
    SelfSignedCertificate cert = new SelfSignedCertificate();
    
    SslContext sslContext = SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
        .sslProvider(SslProvider.OPENSSL)
        .protocols("TLSv1.3", "TLSv1.2")
        .build();
    
    ChannelInitializer<Channel> handler = new ChannelInitializer<Channel>() {
      @Override
      protected void initChannel(Channel ch) throws Exception {
        SslHandler handler = sslContext.newHandler(ch.alloc());
        
        Future<Channel> handshakeFuture = handler.handshakeFuture();
        handshakeFuture.addListener(new FutureListener<Channel>() {
          @Override
          public void operationComplete(Future<Channel> future) throws Exception {
            if (!future.isSuccess()) {
              throw new IllegalStateException(future.cause());
            }
            
            Channel channel = future.getNow();
            
            SSLEngine engine = handler.engine();
            SSLSession session = engine.getSession();
            
            System.out.println("channel=" + channel 
                + ", protocol=" + session.getProtocol() 
                + ", cipher=" + session.getCipherSuite());
            
            channel.close();
          }
        });
        
        ChannelPipeline pipeline = ch.pipeline();
        pipeline.addLast(handler);
      }
    };
    
    ServerBootstrap bootstrap = new ServerBootstrap()
        .channel(NioServerSocketChannel.class)
        .group(new NioEventLoopGroup())
        .childHandler(handler);
    
    Channel server = bootstrap.bind(0)
        .sync().channel();
    
    int port = ((InetSocketAddress)server.localAddress()).getPort();
    
    System.out.println("Try..." 
        + "\n openssl s_client -connect localhost:" + port + " --tls1_3"
        + "\n openssl s_client -connect localhost:" + port + " --tls1_2");
  }
}

OpenSSL: available=true, version=OpenSSL 1.1.1  11 Sep 2018
Try...
 openssl s_client -connect localhost:33267 --tls1_3
 openssl s_client -connect localhost:33267 --tls1_2
channel=[id: 0x6a8d1105, L:/0:0:0:0:0:0:0:1:33267 - R:/0:0:0:0:0:0:0:1:15134], protocol=TLSv1.3, cipher=SSL_NULL_WITH_NULL_NULL
channel=[id: 0xb94fab15, L:/0:0:0:0:0:0:0:1:33267 - R:/0:0:0:0:0:0:0:1:15306], protocol=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

[normanmaurer]

Will check

…

Am 08.11.2018 um 16:39 schrieb Roger ***@***.***>: Here's a repro... import java.net.InetSocketAddress; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSession; import io.netty.bootstrap.ServerBootstrap; import io.netty.channel.Channel; import io.netty.channel.ChannelInitializer; import io.netty.channel.ChannelPipeline; import io.netty.channel.nio.NioEventLoopGroup; import io.netty.channel.socket.nio.NioServerSocketChannel; import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslHandler; import io.netty.handler.ssl.SslProvider; import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.util.concurrent.Future; import io.netty.util.concurrent.FutureListener; public class NullCipher { public static void main(String[] args) throws Exception { System.out.println("OpenSSL: available=" + OpenSsl.isAvailable() + ", version=" + OpenSsl.versionString()); SelfSignedCertificate cert = new SelfSignedCertificate(); SslContext sslContext = SslContextBuilder.forServer(cert.certificate(), cert.privateKey()) .sslProvider(SslProvider.OPENSSL) .protocols("TLSv1.3", "TLSv1.2") .build(); ChannelInitializer<Channel> handler = new ChannelInitializer<Channel>() { @OverRide protected void initChannel(Channel ch) throws Exception { SslHandler handler = sslContext.newHandler(ch.alloc()); Future<Channel> handshakeFuture = handler.handshakeFuture(); handshakeFuture.addListener(new FutureListener<Channel>() { @OverRide public void operationComplete(Future<Channel> future) throws Exception { if (!future.isSuccess()) { throw new IllegalStateException(future.cause()); } Channel channel = future.getNow(); SSLEngine engine = handler.engine(); SSLSession session = engine.getSession(); System.out.println("channel=" + channel + ", protocol=" + session.getProtocol() + ", cipher=" + session.getCipherSuite()); channel.close(); } }); ChannelPipeline pipeline = ch.pipeline(); pipeline.addLast(handler); } }; ServerBootstrap bootstrap = new ServerBootstrap() .channel(NioServerSocketChannel.class) .group(new NioEventLoopGroup()) .childHandler(handler); Channel server = bootstrap.bind(0) .sync().channel(); int port = ((InetSocketAddress)server.localAddress()).getPort(); System.out.println("Try..." + "\n openssl s_client -connect localhost:" + port + " --tls1_3" + "\n openssl s_client -connect localhost:" + port + " --tls1_2"); } } OpenSSL: available=true, version=OpenSSL 1.1.1 11 Sep 2018 Try... openssl s_client -connect localhost:33267 --tls1_3 openssl s_client -connect localhost:33267 --tls1_2 channel=[id: 0x6a8d1105, L:/0:0:0:0:0:0:0:1:33267 - R:/0:0:0:0:0:0:0:1:15134], protocol=TLSv1.3, cipher=SSL_NULL_WITH_NULL_NULL channel=[id: 0xb94fab15, L:/0:0:0:0:0:0:0:1:33267 - R:/0:0:0:0:0:0:0:1:15306], protocol=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[normanmaurer]

@rkapsi ok I found the problem... let me work on a fix.