Merge pull request #26584 from vespa-engine/revert-26578-bjorncs/tlsv13v8.145.27

Revert "Enable TLSv1.3 for Vespa mTLS"
author: Henning Baldersheim <balder@yahoo-inc.com> 2023-03-25 13:13:56 +0100
committer: GitHub <noreply@github.com> 2023-03-25 13:13:56 +0100
commit: 629c11254b2b08a8516b4b1fd0b1e7dca38751a7 (patch)
tree: 4e54285854346f4a6f8f6f04e1c8913bee1ef36a
parent: c5621e4124f0ab117acbef517b71b99650b0b7e2 (diff)
parent: 11a64028b1e9bfb31846c4aae136898b7c89f6e0 (diff)
2 files changed, 16 insertions, 11 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 9d72030c624..8e146f36907 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -7,6 +7,8 @@ import javax.net.ssl.SSLParameters;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import static java.util.stream.Collectors.toSet;
@@ -24,20 +26,21 @@ public interface TlsContext extends AutoCloseable {
      * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM.
      * For TLSv1.3 we allow the DEFAULT group ciphers.
      * Note that we _only_ allow AEAD ciphers for either TLS version.
+     *
+     * TODO(bjorncs) Add new ciphers once migrated to JDK-17 (also available in 11.0.13):
+     * - TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      */
-    Set<String> ALLOWED_CIPHER_SUITES = Set.of(
+    Set<String> ALLOWED_CIPHER_SUITES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_AES_128_GCM_SHA256", // TLSv1.3
-            "TLS_AES_256_GCM_SHA384", // TLSv1.3
-            "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
-            );
+            "TLS_AES_256_GCM_SHA384" // TLSv1.3
+            )));
 
-    Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3");
+    // TODO Enable TLSv1.3 after upgrading to JDK 17
+    Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
 
     /** 
      * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
index 36f9f95f2dc..5d0031d5b55 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
@@ -187,15 +187,17 @@ public class ConfiguratorTest {
 
     private String tlsQuorumConfig() {
         return "ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" +
-                "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
-                "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+                "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
+                "ssl.quorum.enabledProtocols=TLSv1.2\n" +
                 "ssl.quorum.clientAuth=NEED\n";
     }
 
     private String tlsClientServerConfig() {
         return "ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" +
-                "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
-                "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+                "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
+                "ssl.enabledProtocols=TLSv1.2\n" +
                 "ssl.clientAuth=NEED\n";
     }
author	Henning Baldersheim <balder@yahoo-inc.com>	2023-03-25 13:13:56 +0100
committer	GitHub <noreply@github.com>	2023-03-25 13:13:56 +0100
commit	629c11254b2b08a8516b4b1fd0b1e7dca38751a7 (patch)
tree	4e54285854346f4a6f8f6f04e1c8913bee1ef36a
parent	c5621e4124f0ab117acbef517b71b99650b0b7e2 (diff)
parent	11a64028b1e9bfb31846c4aae136898b7c89f6e0 (diff)