authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-10-04 12:49:34 +0200
committerGitHub <noreply@github.com>2019-10-04 12:49:34 +0200
commit6b596df9ad062cb86396035ffd5aa5b5cc967249 (patch)
treefaf937509c537f118470efc8c96a155bcf8f805f
parent1c0f26aa1793c2fcfee88bc95220e3cd63db2b8c (diff)
parent00c635b01a9ff113cdeb94dd821e96521b41c655 (diff)
Merge pull request #10877 from vespa-engine/bjorncs/jdisc-tls13
Bjorncs/jdisc tls13
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java3
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java2
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java2
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java2
5 files changed, 4 insertions, 7 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 6bc70ca12f0..afed3efb9f1 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -21,7 +21,6 @@ import java.util.Optional;
import java.util.logging.Logger;
import static java.util.stream.Collectors.toList;
-import static javax.net.ssl.SSLEngineResult.HandshakeStatus;
import static javax.net.ssl.SSLEngineResult.Status;
/**
@@ -247,7 +246,6 @@ public class TlsCryptoSocket implements CryptoSocket {
private int applicationDataWrap(ByteBuffer src) throws IOException {
SSLEngineResult result = sslEngineWrap(src);
- if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected");
switch (result.getStatus()) {
case OK:
return result.bytesConsumed();
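Review bot: Removing the handshake-status check drops this layer's renegotiation detection for TLSv1.2 sessions as well, not only the TLSv1.3 case where it presumably misfires; the commit message does not say why the guard is unconditionally gone. With TLSv1.3 now allowed, post-handshake messages such as NewSessionTicket or KeyUpdate would plausibly surface as a handshake status other than NOT_HANDSHAKING and make the old check throw on a legitimate connection, which looks like the motivation. A narrower option is to keep the guard for pre-1.3 sessions, e.g. `if (!"TLSv1.3".equals(engine.getSession().getProtocol()) && result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected");` where `engine` is the field holding the SSLEngine, keeping the static import; otherwise a comment should record that renegotiation handling is left to the JDK engine. The same removal occurs in applicationDataUnwrap in the next hunk, and both method bodies continue outside the hunk.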
@@ -279,7 +277,6 @@ public class TlsCryptoSocket implements CryptoSocket {
private int applicationDataUnwrap(ByteBuffer dst) throws IOException {
SSLEngineResult result = sslEngineUnwrap(dst);
- if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected");
switch (result.getStatus()) {
case OK:
return result.bytesProduced();
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index 4f8919cdd5e..08ebba1670d 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -122,7 +122,7 @@ public class SslContextBuilder {
public SSLContext build() {
try {
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = new TrustManager[] { trustManagerFactory.createTrustManager(trustStoreSupplier.get()) };
X509ExtendedKeyManager keyManager = this.keyManager != null
? this.keyManager
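Review bot: Switching to the version-agnostic `SSLContext.getInstance("TLS")` widens what the context itself permits, so protocol restriction now depends entirely on the enabled-protocol set being applied to every SSLEngine or SSLSocket created from it; anything created without that step inherits the JDK's default protocol list, which on older runtimes can still include TLSv1 and TLSv1.1 unless disabled by `jdk.tls.disabledAlgorithms`. The previous "TLSv1.2" name at least bounded the default. A comment at the changed line would make the contract explicit, e.g. `// Version-agnostic context; the usable protocols are restricted to TlsContext.ALLOWED_PROTOCOLS where engines/sockets are created` — I am inferring that restriction from the tests in this commit rather than from visible code. The `build()` body continues past the hunk.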
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index ea26be0ef4f..e878ac33467 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -24,7 +24,7 @@ public interface TlsContext extends AutoCloseable {
"TLS_AES_256_GCM_SHA384", // TLSv1.3
"TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
- Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3
+ Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3");
SSLContext context();
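Review bot: `ALLOWED_PROTOCOLS` now names TLSv1.3 with no note of the runtime requirement; on a JDK whose provider does not implement it, `SSLEngine.setEnabledProtocols` / `SSLSocket.setEnabledProtocols` reject an unsupported name with IllegalArgumentException, so the failure would surface at connection setup rather than at startup. If the project's minimum JDK already guarantees TLSv1.3 support, a short comment stating that is enough, e.g. `// TLSv1.3 requires a JDK with a TLSv1.3-capable SunJSSE provider`; otherwise the set should be derived from `SSLContext.getSupportedSSLParameters().getProtocols()` at the point of use. Whether such filtering already exists elsewhere is not visible in this hunk.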
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
index 4e6f0a141b0..a62f13c731e 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
@@ -63,7 +63,7 @@ public class ConfigFileBasedTlsContextTest {
assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
String[] enabledProtocols = sslEngine.getEnabledProtocols();
- assertThat(enabledProtocols).contains("TLSv1.2");
+ assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));
}
}
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 727a64ae934..3a2eabd78b5 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -55,7 +55,7 @@ public class DefaultTlsContextTest {
assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
String[] enabledProtocols = sslEngine.getEnabledProtocols();
- assertThat(enabledProtocols).contains("TLSv1.2");
+ assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));
}
} \ No newline at end of file