summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-24 12:24:48 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-24 12:24:48 +0100
commitb61cb93e0ecd770fa07c1b67269d81e17bcfd11a (patch)
tree162b2e3d09df9201196328e4d3ac611c96d7bb43
parentc362232aa418ed66c48a3d925544affde310dd7a (diff)
Disable TLSV1.3
Diffstat
-rw-r--r--jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java3
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java3
-rw-r--r--zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java4
3 files changed, 6 insertions, 4 deletions
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java
index b0dfd228c8b..132e96eb4fd 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java
@@ -33,6 +33,7 @@ import com.yahoo.security.Pkcs10CsrBuilder;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.security.tls.TlsContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.mime.FormBodyPart;
@@ -853,7 +854,7 @@ public class HttpServerTest {
Assertions.assertThat(logEntry.localPort()).hasValue(listenPort);
Assertions.assertThat(logEntry.httpBytesReceived()).hasValueSatisfying(value -> Assertions.assertThat(value).isPositive());
Assertions.assertThat(logEntry.httpBytesSent()).hasValueSatisfying(value -> Assertions.assertThat(value).isPositive());
- Assertions.assertThat(logEntry.sslProtocol()).hasValue("TLSv1.3");
+ Assertions.assertThat(logEntry.sslProtocol()).hasValueSatisfying(TlsContext.ALLOWED_PROTOCOLS::contains);
Assertions.assertThat(logEntry.sslPeerSubject()).hasValue("CN=localhost");
Assertions.assertThat(logEntry.sslCipherSuite()).hasValueSatisfying(cipher -> Assertions.assertThat(cipher).isNotBlank());
Assertions.assertThat(logEntry.sslSessionId()).hasValueSatisfying(sessionId -> Assertions.assertThat(sessionId).hasSize(64));
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index a54a3556685..eef05d4f4f2 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -34,7 +34,8 @@ public interface TlsContext extends AutoCloseable {
"TLS_AES_256_GCM_SHA384", // TLSv1.3
"TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12
- Set<String> ALLOWED_PROTOCOLS = com.yahoo.vespa.jdk8compat.Set.of("TLSv1.2", "TLSv1.3");
+ // TODO Enable TLSv1.3 after upgrading to JDK 17
+ Set<String> ALLOWED_PROTOCOLS = com.yahoo.vespa.jdk8compat.Set.of("TLSv1.2");
String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
/**
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
index 2b03e874d86..0f43fb45d9d 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
@@ -219,7 +219,7 @@ public class ConfiguratorTest {
return "ssl.quorum.hostnameVerification=false\n" +
"ssl.quorum.clientAuth=NEED\n" +
"ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
- "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+ "ssl.quorum.enabledProtocols=TLSv1.2\n" +
"ssl.quorum.protocol=TLS\n";
}
@@ -227,7 +227,7 @@ public class ConfiguratorTest {
return "ssl.hostnameVerification=false\n" +
"ssl.clientAuth=NEED\n" +
"ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
- "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+ "ssl.enabledProtocols=TLSv1.2\n" +
"ssl.protocol=TLS\n";
}