diff options
| author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-06-23 09:00:26 +0200 |
|---|---|---|
| committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-06-23 09:00:26 +0200 |
| commit | 107dc321de5172aebfbb63a16f0aff28c0f26747 (patch) | |
| tree | d233860af233eb6c92aa525a8ca6961048a56d4f /config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | |
| parent | 79831782255e2b362c9d650ec5c7c8398b2a4eff (diff) | |
Add feature flag for overriding TLS ciphers
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')
| -rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java index 766aa46fc01..89f200698fa 100644 --- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java +++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java @@ -8,6 +8,7 @@ import com.yahoo.security.tls.TlsContext; import com.yahoo.vespa.model.container.http.ConnectorFactory; import java.time.Duration; +import java.util.Collection; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -24,39 +25,43 @@ public class HostedSslConnectorFactory extends ConnectorFactory { private final boolean enforceClientAuth; private final boolean enforceHandshakeClientAuth; + private final Collection<String> tlsCiphersOverride; /** * Create connector factory that uses a certificate provided by the config-model / configserver and default hosted Vespa truststore. */ public static HostedSslConnectorFactory withProvidedCertificate( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth) { + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth, + Collection<String> tlsCiphersOverride) { ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider( serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth); - return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth); + return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride); } /** * Create connector factory that uses a certificate provided by the config-model / configserver and a truststore configured by the application. */ public static HostedSslConnectorFactory withProvidedCertificateAndTruststore( - String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates) { + String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates, + Collection<String> tlsCiphersOverride) { ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider( serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false); - return new HostedSslConnectorFactory(sslProvider, true, false); + return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride); } /** * Create connector factory that uses the default certificate and truststore provided by Vespa (through Vespa-global TLS configuration). */ - public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName) { - return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false); + public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName, Collection<String> tlsCiphersOverride) { + return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride); } private HostedSslConnectorFactory(SslProvider sslProvider, boolean enforceClientAuth, - boolean enforceHandshakeClientAuth) { + boolean enforceHandshakeClientAuth, Collection<String> tlsCiphersOverride) { super(new Builder("tls4443", 4443).sslProvider(sslProvider)); this.enforceClientAuth = enforceClientAuth; this.enforceHandshakeClientAuth = enforceHandshakeClientAuth; + this.tlsCiphersOverride = tlsCiphersOverride; } private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider( @@ -83,10 +88,15 @@ public class HostedSslConnectorFactory extends ConnectorFactory { // Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth) connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2")); - // Add TLS_RSA_WITH_AES_256_GCM_SHA384 cipher to list of defalt allowed ciphers - Set<String> ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES); - ciphers.add("TLS_RSA_WITH_AES_256_GCM_SHA384"); - connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(ciphers)); + if (!tlsCiphersOverride.isEmpty()) { + connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride); + } else { + // Add TLS_RSA_WITH_AES_256_GCM_SHA384 cipher to list of default allowed ciphers + // TODO Remove TLS_RSA_WITH_AES_256_GCM_SHA384 as it's weak and incompatible with HTTP/2 + Set<String> ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES); + ciphers.add("TLS_RSA_WITH_AES_256_GCM_SHA384"); + connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(ciphers)); + } connectorBuilder .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true)) |