author | Morten Tokle <mortent@verizonmedia.com> | 2021-03-22 11:54:01 +0100 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-03-22 11:54:01 +0100 |
commit | 42122fd8ebc44bac639f28f673448f36a7d50aa3 (patch) | |
tree | aee0dd0383d3fde5ba73125b219a8509da8edc4e /config-model/src/main/java/com/yahoo/vespa | |
parent | 0960c9e8bcd7e7b336939db1f5ec1a2657175622 (diff) |
Allow TLS_RSA_WITH_AES_256_GCM_SHA384 in container
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 9f98fdb4ea2..06e02821544 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,10 +4,13 @@ package com.yahoo.vespa.model.container.http.ssl;
 import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.security.tls.TlsContext;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 
 import java.time.Duration;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Component specification for {@link com.yahoo.jdisc.http.server.jetty.ConnectorFactory} with hosted specific configuration.
@@ -76,6 +79,11 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
         // Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth)
         connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"));
 
+        // Add TLS_RSA_WITH_AES_256_GCM_SHA384 cipher to list of defalt allowed ciphers
+        Set<String> ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
+        ciphers.add("TLS_RSA_WITH_AES_256_GCM_SHA384");
+        connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(ciphers));
+
         connectorBuilder
                 .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
                 .idleTimeout(Duration.ofMinutes(3).toSeconds())
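Review bot: TLS_RSA_WITH_AES_256_GCM_SHA384 uses static RSA key exchange, so every hosted connector configured here loses forward secrecy for sessions negotiated with it: a later compromise of the endpoint private key decrypts recorded traffic, which the ECDHE suites in TlsContext.ALLOWED_CIPHER_SUITES do not allow. Neither the commit message nor the added comment says which client needs this suite, so the justification and the exit condition belong next to the code, e.g. `// TLS_RSA_WITH_AES_256_GCM_SHA384 has no forward secrecy (static RSA key exchange); enabled only because <client> cannot negotiate ECDHE — remove once it can` (also fixing the "defalt" typo). Since this is added unconditionally to the hosted default, consider whether it should be gated on a flag or per-application setting rather than widened for all tenants; I cannot tell from this hunk whether such a mechanism already exists in this factory. The enclosing method starts and ends outside the hunk.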