diff options
author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2019-10-04 15:18:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-04 15:18:47 +0200 |
commit | a063dc90967912febc1e26c0baf634cd57ea5560 (patch) | |
tree | ca35c3c5e1309d58f7f3e470367ea04c31a57459 | |
parent | 7bb9233afcf04a82bf8210c910450f0efc5f83f5 (diff) |
Revert "Bjorncs/jdisc tls13"
5 files changed, 7 insertions, 4 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java index afed3efb9f1..6bc70ca12f0 100644 --- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java @@ -21,6 +21,7 @@ import java.util.Optional; import java.util.logging.Logger; import static java.util.stream.Collectors.toList; +import static javax.net.ssl.SSLEngineResult.HandshakeStatus; import static javax.net.ssl.SSLEngineResult.Status; /** @@ -246,6 +247,7 @@ public class TlsCryptoSocket implements CryptoSocket { private int applicationDataWrap(ByteBuffer src) throws IOException { SSLEngineResult result = sslEngineWrap(src); + if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected"); switch (result.getStatus()) { case OK: return result.bytesConsumed(); @@ -277,6 +279,7 @@ public class TlsCryptoSocket implements CryptoSocket { private int applicationDataUnwrap(ByteBuffer dst) throws IOException { SSLEngineResult result = sslEngineUnwrap(dst); + if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected"); switch (result.getStatus()) { case OK: return result.bytesProduced(); diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java index 08ebba1670d..4f8919cdd5e 100644 --- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java @@ -122,7 +122,7 @@ public class SslContextBuilder { public SSLContext build() { try { - SSLContext sslContext = SSLContext.getInstance("TLS"); + SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); TrustManager[] trustManagers = new TrustManager[] { trustManagerFactory.createTrustManager(trustStoreSupplier.get()) }; X509ExtendedKeyManager keyManager = this.keyManager != null ? this.keyManager diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index e878ac33467..ea26be0ef4f 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -24,7 +24,7 @@ public interface TlsContext extends AutoCloseable { "TLS_AES_256_GCM_SHA384", // TLSv1.3 "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3 - Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3"); + Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3 SSLContext context(); diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java index a62f13c731e..4e6f0a141b0 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java @@ -63,7 +63,7 @@ public class ConfigFileBasedTlsContextTest { assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0])); String[] enabledProtocols = sslEngine.getEnabledProtocols(); - assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0])); + assertThat(enabledProtocols).contains("TLSv1.2"); } } diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java index 3a2eabd78b5..727a64ae934 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java @@ -55,7 +55,7 @@ public class DefaultTlsContextTest { assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0])); String[] enabledProtocols = sslEngine.getEnabledProtocols(); - assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0])); + assertThat(enabledProtocols).contains("TLSv1.2"); } }
\ No newline at end of file |