support for custom TLS protocols such as TLSv1.2,TLSv1.3

Author: jamesdbloom

changelog.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- support for custom TLS protocols such as TLSv1.2,TLSv1.3
 
 ### Changed
 - removed implicit reliance on internal java-certificate-classes (thanks to @Arkinator)

mockserver-core/src/main/java/org/mockserver/configuration/Configuration.java

@@ -123,6 +123,7 @@ public static Configuration configuration() {
  private Boolean proactivelyInitialiseTLS;
  private boolean rebuildTLSContext;
  private boolean rebuildServerTLSContext;
+ private String tlsProtocols;
 
  // inbound - dynamic CA
  private Boolean dynamicallyCreateCertificateAuthorityCertificate;
@@ -1481,6 +1482,23 @@ public Configuration rebuildServerTLSContext(boolean rebuildServerTLSContext) {
  return this;
  }
 
+ public String tlsProtocols() {
+ if (tlsProtocols == null) {
+ return ConfigurationProperties.tlsProtocols();
+ }
+ return tlsProtocols;
+ }
+
+ /**
+ * Comma seperated list of TLS protocols, by default TLSv1,TLSv1.1,TLSv1.2
+ *
+ * @param tlsProtocols comma seperated list of TLS protocols
+ */
+ public Configuration tlsProtocols(String tlsProtocols) {
+ this.tlsProtocols = tlsProtocols;
+ return this;
+ }
+
  public Boolean dynamicallyCreateCertificateAuthorityCertificate() {
  if (dynamicallyCreateCertificateAuthorityCertificate == null) {
  return ConfigurationProperties.dynamicallyCreateCertificateAuthorityCertificate();

mockserver-core/src/main/java/org/mockserver/configuration/ConfigurationProperties.java

@@ -137,6 +137,7 @@ public class ConfigurationProperties {
 
  // TLS
  private static final String MOCKSERVER_PROACTIVELY_INITIALISE_TLS = "mockserver.proactivelyInitialiseTLS";
+ private static final String MOCKSERVER_TLS_PROTOCOLS = "mockserver.tlsProtocols";
 
  // inbound - dynamic CA
  private static final String MOCKSERVER_DYNAMICALLY_CREATE_CERTIFICATE_AUTHORITY_CERTIFICATE = "mockserver.dynamicallyCreateCertificateAuthorityCertificate";
@@ -1373,6 +1374,19 @@ public static boolean proactivelyInitialiseTLS() {
  return Boolean.parseBoolean(readPropertyHierarchically(PROPERTIES, MOCKSERVER_PROACTIVELY_INITIALISE_TLS, "MOCKSERVER_PROACTIVELY_INITIALISE_TLS", "false"));
  }
 
+ public static String tlsProtocols() {
+ return readPropertyHierarchically(PROPERTIES, MOCKSERVER_TLS_PROTOCOLS, "MOCKSERVER_TLS_PROTOCOLS", "TLSv1,TLSv1.1,TLSv1.2");
+ }
+
+ /**
+ * Comma seperated list of TLS protocols, by default TLSv1,TLSv1.1,TLSv1.2
+ *
+ * @param tlsProtocols comma seperated list of TLS protocols
+ */
+ public static void tlsProtocols(String tlsProtocols) {
+ setProperty(MOCKSERVER_TLS_PROTOCOLS, tlsProtocols);
+ }
+
  public static boolean dynamicallyCreateCertificateAuthorityCertificate() {
  return Boolean.parseBoolean(readPropertyHierarchically(PROPERTIES, MOCKSERVER_DYNAMICALLY_CREATE_CERTIFICATE_AUTHORITY_CERTIFICATE, "MOCKSERVER_DYNAMICALLY_CREATE_CERTIFICATE_AUTHORITY_CERTIFICATE", "false"));
  }

mockserver-core/src/main/java/org/mockserver/socket/tls/NettySslContextFactory.java

@@ -1,6 +1,5 @@
 package org.mockserver.socket.tls;
 
-import com.google.common.base.Joiner;
 import io.netty.handler.codec.http2.Http2SecurityUtil;
 import io.netty.handler.ssl.*;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
@@ -34,7 +33,6 @@
  */
 public class NettySslContextFactory {
 
- private static final String[] TLS_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2".split(",");
  public static Function<SslContextBuilder, SslContext> clientSslContextBuilderFunction =
  sslContextBuilder -> {
  try {
@@ -65,7 +63,7 @@ public NettySslContextFactory(MockServerLogger mockServerLogger) {
  this.mockServerLogger = mockServerLogger;
  this.forServer = true;
  keyAndCertificateFactory = createKeyAndCertificateFactory(configuration, mockServerLogger);
- System.setProperty("https.protocols", Joiner.on(",").join(TLS_PROTOCOLS));
+ System.setProperty("https.protocols", configuration.tlsProtocols());
  nettySslContextFactoryCustomizer.accept(this);
  if (configuration.proactivelyInitialiseTLS()) {
  createServerSslContext();
@@ -77,7 +75,7 @@ public NettySslContextFactory(Configuration configuration, MockServerLogger mock
  this.mockServerLogger = mockServerLogger;
  this.forServer = forServer;
  keyAndCertificateFactory = createKeyAndCertificateFactory(configuration, mockServerLogger, forServer);
- System.setProperty("https.protocols", Joiner.on(",").join(TLS_PROTOCOLS));
+ System.setProperty("https.protocols", configuration.tlsProtocols());
  nettySslContextFactoryCustomizer.accept(this);
  if (configuration.proactivelyInitialiseTLS()) {
  createServerSslContext();
@@ -101,7 +99,7 @@ public synchronized SslContext createClientSslContext(boolean forwardProxyClient
  SslContextBuilder sslContextBuilder =
  SslContextBuilder
  .forClient()
- .protocols(TLS_PROTOCOLS)
+ .protocols(configuration.tlsProtocols().split(","))
  .keyManager(
  forwardProxyPrivateKey(),
  forwardProxyCertificateChain()
@@ -205,7 +203,7 @@ public synchronized SslContext createServerSslContext() {
  keyAndCertificateFactory.privateKey(),
  keyAndCertificateFactory.certificateChain()
  )
- .protocols(TLS_PROTOCOLS)
+ .protocols(configuration.tlsProtocols().split(","))
  .clientAuth(configuration.tlsMutualAuthenticationRequired() ? ClientAuth.REQUIRE : ClientAuth.OPTIONAL);
  configureALPN(sslContextBuilder);
  if (isNotBlank(configuration.tlsMutualAuthenticationCertificateChain()) || configuration.tlsMutualAuthenticationRequired()) {

mockserver-core/src/test/java/org/mockserver/configuration/ConfigurationTest.java

@@ -1735,6 +1735,32 @@ public void shouldSetAndGetRebuildServerTLSContext() {
  assertThat(configuration.rebuildServerTLSContext(), equalTo(true));
  }
 
+ @Test
+ public void shouldSetAndGetTlsProtocols() {
+ String original = ConfigurationProperties.tlsProtocols();
+ try {
+ // then - default value
+ assertThat(configuration.tlsProtocols(), equalTo("TLSv1,TLSv1.1,TLSv1.2"));
+
+ // when - system property setter
+ String firstPath = tempFilePath();
+ ConfigurationProperties.tlsProtocols(firstPath);
+
+ // then - system property getter
+ assertThat(ConfigurationProperties.tlsProtocols(), equalTo(firstPath));
+ assertThat(System.getProperty("mockserver.tlsProtocols"), equalTo(firstPath));
+ assertThat(configuration.tlsProtocols(), equalTo(firstPath));
+
+ // when - setter
+ configuration.tlsProtocols("TLSv1.2,TLSv1.3");
+
+ // then - getter
+ assertThat(configuration.tlsProtocols(), equalTo("TLSv1.2,TLSv1.3"));
+ } finally {
+ ConfigurationProperties.tlsProtocols(original);
+ }
+ }
+
  @Test
  public void shouldSetAndGetDynamicallyCreateCertificateAuthorityCertificate() {
  boolean original = ConfigurationProperties.dynamicallyCreateCertificateAuthorityCertificate();

mockserver-netty/src/test/java/org/mockserver/netty/integration/tls/inbound/CustomTLSProtocolsMockingIntegrationTest.java

@@ -0,0 +1,42 @@
+package org.mockserver.netty.integration.tls.inbound;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.mockserver.integration.ClientAndServer;
+import org.mockserver.testing.integration.mock.AbstractBasicMockingSameJVMIntegrationTest;
+
+import static org.mockserver.configuration.ConfigurationProperties.tlsProtocols;
+import static org.mockserver.stop.Stop.stopQuietly;
+
+/**
+ * @author jamesdbloom
+ */
+public class CustomTLSProtocolsMockingIntegrationTest extends AbstractBasicMockingSameJVMIntegrationTest {
+
+ private static String originalTlsProtocols;
+
+ @BeforeClass
+ public static void startServer() {
+ // save original value
+ originalTlsProtocols = tlsProtocols();
+
+ // set new certificate authority values
+ tlsProtocols("TLSv1.2,TLSv1.3");
+
+ mockServerClient = ClientAndServer.startClientAndServer().withSecure(true);
+ }
+
+ @AfterClass
+ public static void stopServer() {
+ stopQuietly(mockServerClient);
+
+ // set back to original value
+ tlsProtocols(originalTlsProtocols);
+ }
+
+ @Override
+ public int getServerPort() {
+ return mockServerClient.getPort();
+ }
+
+}