This is an automated email from the ASF dual-hosted git repository.
chibenwa pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 71e33d997f JAMES-4193 Correct boring ssl tls 1.3 cipher suite
sanitizing that led to disabled tls 1.3 (#3029)
71e33d997f is described below
commit 71e33d997f4990bc0a415912a5b3bc83433fd10a
Author: Benoit TELLIER <[email protected]>
AuthorDate: Thu Apr 30 07:33:14 2026 +0200
JAMES-4193 Correct boring ssl tls 1.3 cipher suite sanitizing that led to
disabled tls 1.3 (#3029)
---
.../org/apache/james/protocols/lib/TCNativeEncryptionFactory.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java
index 87a60738e5..e14700eb56 100644
---
a/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java
+++
b/server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/TCNativeEncryptionFactory.java
@@ -32,6 +32,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.IdentityCipherSuiteFilter;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
@@ -86,7 +87,10 @@ public class TCNativeEncryptionFactory implements
Encryption.Factory {
.sslProvider(SslProvider.OPENSSL);
if (conf.getEnabledCipherSuites() != null &&
conf.getEnabledCipherSuites().length > 0) {
- builder.ciphers(Arrays.asList(conf.getEnabledCipherSuites()));
+ // IdentityCipherSuiteFilter bypasses SupportedCipherSuiteFilter
which strips TLS 1.3
+ // ciphers because BoringSSL's getSupportedCipherSuites() doesn't
enumerate them.
+ // Without this, Netty calls SSL_CTX_set_ciphersuites("")
disabling TLS 1.3 entirely.
+ builder.ciphers(Arrays.asList(conf.getEnabledCipherSuites()),
IdentityCipherSuiteFilter.INSTANCE);
}
if (conf.getEnabledProtocols() != null &&
conf.getEnabledProtocols().length > 0) {
builder.protocols(conf.getEnabledProtocols());
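Review bot: Switching to `IdentityCipherSuiteFilter` also drops the only check that the configured names are suites the native provider actually knows, so a misspelled or unsupported entry in `enabledCipherSuites` is now handed straight to OpenSSL instead of being filtered out, and as far as I can tell from this hunk nothing reports what the context ended up with. Since the filter change is deliberate, I would log the effective set once the context is built, e.g. `LOGGER.info("Enabled cipher suites: {}", sslContext.cipherSuites());` next to the `builder.build()` call, which lies outside this hunk, so operators can verify TLS 1.3 suites really took effect. A second caveat follows from the added comment's own reasoning: if the configured list names no TLS 1.3 suite, the TLS 1.3 cipher string presumably ends up empty again and TLS 1.3 stays disabled, which the comment should say, e.g. `// The configured list must still name at least one TLS 1.3 suite (e.g. TLS_AES_256_GCM_SHA384); otherwise TLS 1.3 remains disabled.` The enclosing method starts before and ends after this hunk.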