diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-22 14:27:59 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-05-22 14:27:59 +0200 |
commit | 17a40660f334a3eb1543b90143c574713f3b0a68 (patch) | |
tree | 2fdb755fe3b49773c5103b9595ab57d6e279170e /athenz-identity-provider-service | |
parent | 53d1d6516cd1271612f915d30ca88eab0800e03f (diff) |
Disable TLSv1.3 in manually configured https endpoint
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java index 61ac8f7a7e2..bb3216ba3ba 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java @@ -109,6 +109,9 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp AthenzService configserverIdentity, ZtsClient ztsClient, AthenzProviderServiceConfig.Zones zoneConfig) { + + // TODO Use DefaultTlsContext to configure SslContextFactory (ensure that cipher/protocol configuration is same across all TLS endpoints) + SslContextFactory factory = new SslContextFactory(); factory.setWantClientAuth(true); @@ -124,6 +127,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp .orElseGet(() -> updateKeystore(configserverIdentity, generateKeystorePassword(), keyProvider, ztsClient, zoneConfig)); factory.setKeyStore(keyStore); factory.setKeyStorePassword(""); + factory.setExcludeProtocols("TLSv1.3"); // TLSv1.3 is broken is multiple OpenJDK 11 versions factory.setEndpointIdentificationAlgorithm(null); // disable https hostname verification of clients (must be disabled when using Athenz x509 certificates) return factory; } |