How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

Question

On my Netty server, I need to exclude TLS_1.0 and TLS_1.1 protocols. However, seems like Netty SslContextBuilder doesn't allow to exclude specific suits.

Current code is used to build a SSL context:

SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                .sslProvider(sslProvider)
                .build();

SslContextBuilder has ciphers() method, but it's not clear how to exclude specific ciphers for the TLS_1.0 and TLS_1.1.

Is there any way to achieve that?

Norman Maurer · Accepted Answer · 2021-01-12T09:13:30.543

1

You would just specify the protocols you want to support:

SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                .sslProvider(sslProvider).protocols(...)

So only include TLSv1.2 and TLSv1.3 here.

Another possibility would be to specify your custom CipherSuiteFilter which filters out ciphers you don't want to support.

edited Jan 12 '21 at 09:13

answered Jan 12 '21 at 09:06

Norman Maurer

23,104
2
33
31

How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

1 Answers1

Linked