author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-19 15:15:54 +0200 |
---|---|---|
committer | gjoranv <gv@oath.com> | 2019-01-21 15:09:22 +0100 |
commit | ce684e32f08ed2a31db9e0e8853210206627db6a (patch) | |
tree | 77777a593e6a1c627a39d6f3c7acf385691ac2d4 /athenz-identity-provider-service | |
parent | e3eb38a73b3b4e85e96218461205dfce6df0fa64 (diff) |
Disable TLS RSA ciphers that do not support forward secrecy
This will essentially remove the temporary workaround introduced with
the Jetty 9.4.12 upgrade that was done recently. With this change, JDisc
will only enable certificates marked as grade A by ssllabs.com
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java | 7 |
1 files changed, 0 insertions, 7 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index 94df93aaea7..1a7224fdc71 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -30,7 +30,6 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.Arrays;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.concurrent.Executors;
@@ -112,12 +111,6 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
                                                       AthenzProviderServiceConfig.Zones zoneConfig) {
         SslContextFactory factory = new SslContextFactory();
 
-        // Allow safe TLS_RSA* ciphers
-        String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
-                .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
-                .toArray(String[]::new);
-        factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
-
         factory.setWantClientAuth(true);
         KeyStore trustStore = |