authorJon Marius Venstad <jonmv@users.noreply.github.com>2019-12-09 13:32:36 +0100
committerGitHub <noreply@github.com>2019-12-09 13:32:36 +0100
commitaad5fd4af6fb147a007aa476937977c040d7c8bb (patch)
tree5c8eb8707873fa8cc61971595ff1056c804dd63b /config-model
parenta398c6d8d3cd280e863c77f4f872a59428122ff9 (diff)
Revert "Allow config of ssl cipher suites and protocol version"
Diffstat (limited to 'config-model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java28
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java22
-rw-r--r--config-model/src/main/resources/schema/containercluster.rnc4
-rw-r--r--config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java15
-rw-r--r--config-model/src/test/schema-test-files/services.xml7
5 files changed, 9 insertions, 67 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java
index 4a331718985..4f84a01ff94 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredFilebasedSslProvider.java
@@ -8,7 +8,6 @@ import com.yahoo.jdisc.http.ssl.impl.ConfiguredSslContextFactoryProvider;
import com.yahoo.osgi.provider.model.ComponentModel;
import com.yahoo.vespa.model.container.component.SimpleComponent;
-import java.util.List;
import java.util.Optional;
import static com.yahoo.component.ComponentSpecification.fromString;
@@ -17,7 +16,6 @@ import static com.yahoo.component.ComponentSpecification.fromString;
* Configure SSL using file references
*
* @author mortent
- * @author bjorncs
*/
public class ConfiguredFilebasedSslProvider extends SimpleComponent implements ConnectorConfig.Producer {
public static final String COMPONENT_ID_PREFIX = "configured-ssl-provider@";
@@ -28,16 +26,8 @@ public class ConfiguredFilebasedSslProvider extends SimpleComponent implements C
private final String certificatePath;
private final String caCertificatePath;
private final ConnectorConfig.Ssl.ClientAuth.Enum clientAuthentication;
- private final List<String> cipherSuites;
- private final List<String> protocolVersions;
- public ConfiguredFilebasedSslProvider(String servername,
- String privateKeyPath,
- String certificatePath,
- String caCertificatePath,
- String clientAuthentication,
- List<String> cipherSuites,
- List<String> protocolVersions) {
+ public ConfiguredFilebasedSslProvider(String servername, String privateKeyPath, String certificatePath, String caCertificatePath, String clientAuthentication) {
super(new ComponentModel(
new BundleInstantiationSpecification(new ComponentId(COMPONENT_ID_PREFIX+servername),
fromString(COMPONENT_CLASS),
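Review bot: The restored constructor on the `+` line takes five positional `String` parameters, so a caller that swaps `privateKeyPath` and `certificatePath` still compiles, and nothing at the declaration says which of them may be null. I would add a Javadoc block above the constructor with one `@param` per argument, noting that `caCertificatePath` is later defaulted with `Optional.ofNullable(...).orElse("")` and that `clientAuthentication` is a string passed to `mapToConfigEnum` whose accepted values and null handling are defined there. The constructor body continues outside this hunk.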
@@ -46,21 +36,15 @@ public class ConfiguredFilebasedSslProvider extends SimpleComponent implements C
this.certificatePath = certificatePath;
this.caCertificatePath = caCertificatePath;
this.clientAuthentication = mapToConfigEnum(clientAuthentication);
- this.cipherSuites = cipherSuites;
- this.protocolVersions = protocolVersions;
}
@Override
public void getConfig(ConnectorConfig.Builder builder) {
- builder.ssl(
- new ConnectorConfig.Ssl.Builder()
- .enabled(true)
- .privateKeyFile(privateKeyPath)
- .certificateFile(certificatePath)
- .caCertificateFile(Optional.ofNullable(caCertificatePath).orElse(""))
- .clientAuth(clientAuthentication)
- .enabledCipherSuites(cipherSuites)
- .enabledProtocols(protocolVersions));
+ builder.ssl.enabled(true);
+ builder.ssl.privateKeyFile(privateKeyPath);
+ builder.ssl.certificateFile(certificatePath);
+ builder.ssl.caCertificateFile(Optional.ofNullable(caCertificatePath).orElse(""));
+ builder.ssl.clientAuth(clientAuthentication);
}
public SimpleComponent getComponent() {
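Review bot: After this revert `getConfig` no longer sets `enabledCipherSuites` or `enabledProtocols`, so the connector's cipher suites and protocol versions fall back to whatever defaults `ConnectorConfig.Ssl` declares, which this diff does not show and the commit message does not explain. I would add a comment above `builder.ssl.enabled(true);` such as `// Cipher suites and protocol versions are intentionally not set here; the ConnectorConfig.Ssl defaults apply.` and state the reason for the revert in the commit description so the effective TLS configuration is traceable. The `caCertificateFile(Optional.ofNullable(caCertificatePath).orElse(""))` line also deserves a short note that the empty string is the "no CA file" value the consumer expects, assuming that is how it is interpreted downstream — I cannot confirm that from this hunk.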
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
index 499268929b7..1b457b1250a 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
@@ -8,17 +8,13 @@ import com.yahoo.text.XML;
import com.yahoo.vespa.model.builder.xml.dom.VespaDomBuilder;
import com.yahoo.vespa.model.container.component.SimpleComponent;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
-import com.yahoo.vespa.model.container.http.ssl.ConfiguredFilebasedSslProvider;
import com.yahoo.vespa.model.container.http.ssl.CustomSslProvider;
+import com.yahoo.vespa.model.container.http.ssl.ConfiguredFilebasedSslProvider;
import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
import org.w3c.dom.Element;
-import java.util.Arrays;
-import java.util.List;
import java.util.Optional;
-import static java.util.stream.Collectors.toList;
-
/**
* @author Einar M R Rosenvinge
* @author mortent
@@ -43,16 +39,12 @@ public class JettyConnectorBuilder extends VespaDomBuilder.DomConfigProducerBuil
String certificateFile = XML.getValue(XML.getChild(sslConfigurator, "certificate-file"));
Optional<String> caCertificateFile = XmlHelper.getOptionalChildValue(sslConfigurator, "ca-certificates-file");
Optional<String> clientAuthentication = XmlHelper.getOptionalChildValue(sslConfigurator, "client-authentication");
- List<String> cipherSuites = extractOptionalCommaSeparatedList(sslConfigurator, "cipher-suites");
- List<String> protocols = extractOptionalCommaSeparatedList(sslConfigurator, "protocols");
return new ConfiguredFilebasedSslProvider(
serverName,
privateKeyFile,
certificateFile,
caCertificateFile.orElse(null),
- clientAuthentication.orElse(null),
- cipherSuites,
- protocols);
+ clientAuthentication.orElse(null));
} else if (sslProviderConfigurator != null) {
String className = sslProviderConfigurator.getAttribute("class");
String bundle = sslProviderConfigurator.getAttribute("bundle");
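Review bot: `caCertificateFile.orElse(null)` and `clientAuthentication.orElse(null)` unwrap the parsed Optionals into nulls that `ConfiguredFilebasedSslProvider` has to re-interpret, and the meaning of a null client-authentication value (presumably a default such as disabled — confirm in `mapToConfigEnum`) is not stated at this call site. A one-line comment such as `// absent <ca-certificates-file>/<client-authentication> are passed as null; the provider supplies the defaults` would make the contract explicit. The enclosing method begins before this hunk.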
@@ -61,14 +53,4 @@ public class JettyConnectorBuilder extends VespaDomBuilder.DomConfigProducerBuil
return new DefaultSslProvider(serverName);
}
}
-
- private static List<String> extractOptionalCommaSeparatedList(Element sslElement, String listElementName) {
- return XmlHelper.getOptionalChildValue(sslElement, listElementName)
- .map(element ->
- Arrays.stream(element.split(","))
- .filter(listEntry -> !listEntry.isBlank())
- .map(String::trim)
- .collect(toList()))
- .orElse(List.of());
- }
}
diff --git a/config-model/src/main/resources/schema/containercluster.rnc b/config-model/src/main/resources/schema/containercluster.rnc
index a8228a233b3..142abb5c63b 100644
--- a/config-model/src/main/resources/schema/containercluster.rnc
+++ b/config-model/src/main/resources/schema/containercluster.rnc
@@ -95,9 +95,7 @@ Ssl = element ssl {
element private-key-file { string } &
element certificate-file { string } &
element ca-certificates-file { string }? &
- element client-authentication { string "disabled" | string "want" | string "need" }? &
- element cipher-suites { string }? &
- element protocols { string }?
+ element client-authentication { string "disabled" | string "want" | string "need" }?
}
SslProvider = element ssl-provider {
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index 4679377ce94..929e520f984 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -152,14 +152,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
" <client-authentication>need</client-authentication>",
" </ssl>",
" </server>",
- " <server port='9003' id='with-ciphers-and-protocols'>",
- " <ssl>",
- " <private-key-file>/foo/key</private-key-file>",
- " <certificate-file>/foo/cert</certificate-file>",
- " <cipher-suites>TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384</cipher-suites>",
- " <protocols>TLSv1.3</protocols>",
- " </ssl>",
- " </server>",
" </http>",
nodesXml,
"",
@@ -187,13 +179,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
assertThat(needClientAuth.ssl().caCertificateFile(), is(equalTo("")));
assertThat(needClientAuth.ssl().clientAuth(), is(equalTo(ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH)));
- ConnectorConfig withCiphersAndProtocols = root.getConfig(ConnectorConfig.class, "default/http/jdisc-jetty/with-ciphers-and-protocols/configured-ssl-provider@with-ciphers-and-protocols");
- assertTrue(withCiphersAndProtocols.ssl().enabled());
- assertThat(withCiphersAndProtocols.ssl().privateKeyFile(), is(equalTo("/foo/key")));
- assertThat(withCiphersAndProtocols.ssl().certificateFile(), is(equalTo("/foo/cert")));
- assertThat(withCiphersAndProtocols.ssl().enabledCipherSuites(), is(equalTo(List.of("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"))));
- assertThat(withCiphersAndProtocols.ssl().enabledProtocols(), is(equalTo(List.of("TLSv1.3"))));
-
ContainerCluster cluster = (ContainerCluster) root.getChildren().get("default");
List<ConnectorFactory> connectorFactories = cluster.getChildrenByTypeRecursive(ConnectorFactory.class);
connectorFactories.forEach(connectorFactory -> assertChildComponentExists(connectorFactory, ConfiguredFilebasedSslProvider.COMPONENT_CLASS));
diff --git a/config-model/src/test/schema-test-files/services.xml b/config-model/src/test/schema-test-files/services.xml
index 1bf42650123..2bbd98f72ac 100644
--- a/config-model/src/test/schema-test-files/services.xml
+++ b/config-model/src/test/schema-test-files/services.xml
@@ -119,13 +119,6 @@
<certificate-file>/foo/cert</certificate-file>
<ca-certificates-file>/foo/cacerts</ca-certificates-file>
<client-authentication>want</client-authentication>
- <cipher-suites>
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- </cipher-suites>
- <protocols>TLSv1.2,TLSv1.3</protocols>
</ssl>
</server>
<server port="4083" id="sslProvider">