author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2023-07-21 14:20:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-21 14:20:19 +0200 |
commit | bd7a97032ae30b57588bbaf204c8711b6a2658e3 (patch) | |
tree | 6eed429bdfe5f6b6f37db297d1a2dd0a99ae890d /config-model | |
parent | 9002d986835c16a644403e1e1f931394c593fd15 (diff) | |
parent | 76657165e7295b6abda4f19a5b441a91c4e4b44f (diff) |
Merge pull request #27862 from vespa-engine/bjorncs/revert
Revert "Enable TLSv1.3 for hosted endpoints" MERGEOK
Diffstat (limited to 'config-model')
-rw-r--r-- | config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index a4a4210f8cc..cebe08288f6 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -56,7 +56,8 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 new ConnectorConfig.TlsClientAuthEnforcer.Builder()
 .pathWhitelist(List.of("/status.html")).enable(true));
 }
- connectorBuilder.ssl.enabledProtocols(TlsContext.ALLOWED_PROTOCOLS);
+ // Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth)
+ connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"));
 if (!tlsCiphersOverride.isEmpty()) {
 connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride.stream().sorted().toList());
 } else { |
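Review bot: The added `connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"))` line removes TLSv1.3 from every hosted connector, although the comment above it ties the browser prompt only to connectors with 'want' client auth. The method body starts and ends outside the hunk, so this is hedged: if the client-auth mode is known at this point, the restriction could apply to that case alone and leave TLSv1.3 on for the other endpoints. With TLSv1.2 only, a client certificate is sent unencrypted during the initial handshake, and any TLSv1.3-only suites passed in `tlsCiphersOverride` can no longer be negotiated. The comment should therefore mark the downgrade as temporary and name a tracking reference, e.g. `// TODO(<issue-id>): re-enable TLSv1.3 once the 'want' auth prompt is resolved`. The string literal also stops following `TlsContext.ALLOWED_PROTOCOLS`, so a later tightening of that allow-list will not reach this connector; a named constant kept beside it would make the divergence visible.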