Revert "Bjorncs/jdisc tls13"

author: Bjørn Christian Seime <bjorn.christian@seime.no> 2019-10-04 15:18:47 +0200
committer: GitHub <noreply@github.com> 2019-10-04 15:18:47 +0200
commit: a063dc90967912febc1e26c0baf634cd57ea5560 (patch)
tree: ca35c3c5e1309d58f7f3e470367ea04c31a57459
parent: 7bb9233afcf04a82bf8210c910450f0efc5f83f5 (diff)
5 files changed, 7 insertions, 4 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index afed3efb9f1..6bc70ca12f0 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -21,6 +21,7 @@ import java.util.Optional;
 import java.util.logging.Logger;
 
 import static java.util.stream.Collectors.toList;
+import static javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import static javax.net.ssl.SSLEngineResult.Status;
 
 /**
@@ -246,6 +247,7 @@ public class TlsCryptoSocket implements CryptoSocket {
 
     private int applicationDataWrap(ByteBuffer src) throws IOException {
         SSLEngineResult result = sslEngineWrap(src);
+        if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected");
         switch (result.getStatus()) {
             case OK:
                 return result.bytesConsumed();
@@ -277,6 +279,7 @@ public class TlsCryptoSocket implements CryptoSocket {
 
     private int applicationDataUnwrap(ByteBuffer dst) throws IOException {
         SSLEngineResult result = sslEngineUnwrap(dst);
+        if (result.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) throw new SSLException("Renegotiation detected");
         switch (result.getStatus()) {
             case OK:
                 return result.bytesProduced();
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index 08ebba1670d..4f8919cdd5e 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -122,7 +122,7 @@ public class SslContextBuilder {
 
     public SSLContext build() {
         try {
-            SSLContext sslContext = SSLContext.getInstance("TLS");
+            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
             TrustManager[] trustManagers = new TrustManager[] { trustManagerFactory.createTrustManager(trustStoreSupplier.get()) };
             X509ExtendedKeyManager keyManager = this.keyManager != null
                     ? this.keyManager
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index e878ac33467..ea26be0ef4f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -24,7 +24,7 @@ public interface TlsContext extends AutoCloseable {
             "TLS_AES_256_GCM_SHA384", // TLSv1.3
             "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
 
-    Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3");
+    Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2"); // TODO Enable TLSv1.3
 
     SSLContext context();
 
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
index a62f13c731e..4e6f0a141b0 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/ConfigFileBasedTlsContextTest.java
@@ -63,7 +63,7 @@ public class ConfigFileBasedTlsContextTest {
             assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
 
             String[] enabledProtocols = sslEngine.getEnabledProtocols();
-            assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));
+            assertThat(enabledProtocols).contains("TLSv1.2");
         }
     }
 
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index 3a2eabd78b5..727a64ae934 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -55,7 +55,7 @@ public class DefaultTlsContextTest {
         assertThat(enabledCiphers).isSubsetOf(TlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
 
         String[] enabledProtocols = sslEngine.getEnabledProtocols();
-        assertThat(enabledProtocols).containsOnly(TlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));
+        assertThat(enabledProtocols).contains("TLSv1.2");
     }
 
 }
 \ No newline at end of file
author	Bjørn Christian Seime <bjorn.christian@seime.no>	2019-10-04 15:18:47 +0200
committer	GitHub <noreply@github.com>	2019-10-04 15:18:47 +0200
commit	a063dc90967912febc1e26c0baf634cd57ea5560 (patch)
tree	ca35c3c5e1309d58f7f3e470367ea04c31a57459
parent	7bb9233afcf04a82bf8210c910450f0efc5f83f5 (diff)