diff options
author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-03-24 18:20:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-24 18:20:24 +0100 |
commit | e3c32a319b14b8ad75ab64e53da933135313c077 (patch) | |
tree | 66d8bd1ee771c30a793b749937c10d08ffaa2162 | |
parent | 046551ba50d78bfdff9457c6472b2466232d76ac (diff) | |
parent | ba83679fca94b1bde144eb5796cd51662f99a971 (diff) |
Merge pull request #26578 from vespa-engine/bjorncs/tlsv13
Enable TLSv1.3 for Vespa mTLS
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 17 | ||||
-rw-r--r-- | zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java | 10 |
2 files changed, 11 insertions, 16 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 8e146f36907..9d72030c624 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -7,8 +7,6 @@ import javax.net.ssl.SSLParameters; import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.util.Arrays; -import java.util.Collections; -import java.util.HashSet; import java.util.Set; import static java.util.stream.Collectors.toSet; @@ -26,21 +24,20 @@ public interface TlsContext extends AutoCloseable { * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM. * For TLSv1.3 we allow the DEFAULT group ciphers. * Note that we _only_ allow AEAD ciphers for either TLS version. - * - * TODO(bjorncs) Add new ciphers once migrated to JDK-17 (also available in 11.0.13): - * - TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ - Set<String> ALLOWED_CIPHER_SUITES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList( + Set<String> ALLOWED_CIPHER_SUITES = Set.of( "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256", // TLSv1.3 - "TLS_AES_256_GCM_SHA384" // TLSv1.3 - ))); + "TLS_AES_256_GCM_SHA384", // TLSv1.3 + "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3 + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + ); - // TODO Enable TLSv1.3 after upgrading to JDK 17 - Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2"); + Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3"); /** * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS} diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java index 5d0031d5b55..36f9f95f2dc 100644 --- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java +++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java @@ -187,17 +187,15 @@ public class ConfiguratorTest { private String tlsQuorumConfig() { return "ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" + - "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" + - "ssl.quorum.enabledProtocols=TLSv1.2\n" + + "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" + + "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" + "ssl.quorum.clientAuth=NEED\n"; } private String tlsClientServerConfig() { return "ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" + - "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" + - "ssl.enabledProtocols=TLSv1.2\n" + + "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" + + "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" + "ssl.clientAuth=NEED\n"; } |