sslnettytls1.0tls1.1

How to exclude weak protocols (ciphers suits) from the Netty SSLContext?


On my Netty server, I need to exclude TLS_1.0 and TLS_1.1 protocols. However, seems like Netty SslContextBuilder doesn't allow to exclude specific suits.

Current code is used to build a SSL context:

SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                .sslProvider(sslProvider)
                .build();

SslContextBuilder has ciphers() method, but it's not clear how to exclude specific ciphers for the TLS_1.0 and TLS_1.1.

Is there any way to achieve that?


Solution

  • You would just specify the protocols you want to support:

    SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                    .sslProvider(sslProvider).protocols(...)
    

    So only include TLSv1.2 and TLSv1.3 here.

    Another possibility would be to specify your custom CipherSuiteFilter which filters out ciphers you don't want to support.