Bumped finagle with custom SslClientConfiguration

Hakky54 · Nov 26, 2024 · 51e32e3 · 51e32e3
1 parent 6bd0a7a
commit 51e32e3
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 4 deletions.
diff --git a/client/src/main/java/nl/altindag/client/ClientConfig.java b/client/src/main/java/nl/altindag/client/ClientConfig.java
@@ -27,6 +27,12 @@
 import com.twitter.finagle.Service;
 import com.twitter.finagle.http.Request;
 import com.twitter.finagle.http.Response;
+import com.twitter.finagle.ssl.ApplicationProtocols;
+import com.twitter.finagle.ssl.CipherSuites;
+import com.twitter.finagle.ssl.KeyCredentials;
+import com.twitter.finagle.ssl.Protocols;
+import com.twitter.finagle.ssl.TrustCredentials;
+import com.twitter.finagle.ssl.client.SslClientConfiguration;
 import com.typesafe.config.ConfigFactory;
 import feign.Feign;
 import feign.googlehttpclient.GoogleHttpClient;
@@ -68,11 +74,15 @@
 import org.springframework.web.reactive.function.client.WebClient;
 import retrofit2.Retrofit;
 import retrofit2.converter.gson.GsonConverterFactory;
+import scala.Option;
+import scala.jdk.javaapi.CollectionConverters;
 
 import javax.net.ssl.SSLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.http.HttpClient;
+import java.util.List;
+import java.util.stream.Collectors;
 
 @Component
 public class ClientConfig {
@@ -248,8 +258,45 @@ public Service<Request, Response> finagle(SSLFactory sslFactory) throws URISynta
         var uri = new URI(Constants.getServerUrl());
         var client = Http.client().withNoHttp2();
         if (uri.getScheme().equals("https")) {
-            client = client.withTransport()
-                    .tls(sslFactory.getSslContext());
+
+            List<String> excludedCiphers = List.of(
+                    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+                    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+                    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+                    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+                    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+                    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+                    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+                    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+                    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+                    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+                    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+                    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+                    "TLS_RSA_WITH_AES_256_CBC_SHA256",
+                    "TLS_RSA_WITH_AES_128_CBC_SHA256",
+                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
+            );
+
+            List<String> filteredCiphers = sslFactory.getCiphers()
+                    .stream()
+                    .filter(cipher -> !excludedCiphers.contains(cipher))
+                    .collect(Collectors.toList());
+
+            SslClientConfiguration sslClientConfiguration = new SslClientConfiguration(
+                    Option.empty(),
+                    Option.empty(),
+                    sslFactory.getKeyManagerFactory().map(KeyCredentials.KeyManagerFactory::new).orElseThrow(),
+                    sslFactory.getTrustManagerFactory().map(TrustCredentials.TrustManagerFactory::new).orElseThrow(),
+                    new CipherSuites.Enabled(CollectionConverters.asScala(filteredCiphers).toSeq()),
+                    new Protocols.Enabled(CollectionConverters.asScala(sslFactory.getProtocols()).toSeq()),
+                    ApplicationProtocols.fromString(""));
+
+            client = client.withTransport().tls(sslClientConfiguration);
         }
         return client.newService(uri.getHost() + ":" + uri.getPort());
     }

diff --git a/client/src/test/java/nl/altindag/client/ClientConfigShould.java b/client/src/test/java/nl/altindag/client/ClientConfigShould.java
@@ -325,7 +325,10 @@ void createFinagleClientWithSecurity() throws URISyntaxException {
 
         Service<Request, Response> service = victim.finagle(sslFactory);
 
-        verify(sslFactory, times(1)).getSslContext();
+        verify(sslFactory, times(1)).getKeyManagerFactory();
+        verify(sslFactory, times(1)).getTrustManagerFactory();
+        verify(sslFactory, times(1)).getCiphers();
+        verify(sslFactory, times(1)).getProtocols();
 
         assertThat(service.isAvailable()).isTrue();
         assertThat(service.status()).hasToString("Open");

diff --git a/pom.xml b/pom.xml
@@ -43,7 +43,7 @@
         <version.google.http.client>1.44.2</version.google.http.client>
         <version.unirest>3.14.5</version.unirest>
         <version.retrofit>2.11.0</version.retrofit>
-        <version.finagle>22.1.0</version.finagle> <!--TODO Bump me-->
+        <version.finagle>24.2.0</version.finagle>
         <version.akka-http>10.5.3</version.akka-http>
         <version.akka-stream>2.8.5</version.akka-stream>
         <version.dispatch-core>1.2.0</version.dispatch-core>