author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-12-19 16:04:48 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-01-09 11:14:56 +0100 |
commit | 462fd256f43cfa3ed8b3fcff0729dbf459844172 (patch) | |
tree | 6a20bbe22cc93f0464f1596615d6681bc5104ae1 /controller-server | |
parent | 0796ad7fd3a85d360df2742a408545703d2c2368 (diff) |
Ensure that HTTPS clients only use allowed ciphers and protocol versions
Diffstat (limited to 'controller-server')
3 files changed, 10 insertions, 14 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index 4f4e21d9f25..a2611fe3f9d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.proxy;
+import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.component.annotation.Inject;
 import com.yahoo.jdisc.http.HttpRequest.Method;
@@ -69,9 +70,9 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 @Inject
 public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ControllerIdentityProvider identityProvider) {
- this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
- Sleeper.DEFAULT,
- new ConnectionReuseStrategy(zoneRegistry));
+ this(SslConnectionSocketFactory.of(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
+ Sleeper.DEFAULT, // Specify
+ new ConnectionReuseStrategy(zoneRegistry));
 }
 ConfigServerRestExecutorImpl(SSLConnectionSocketFactory connectionSocketFactory,
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
index 4a208aa3794..6327a6262ba 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
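Review bot: `Sleeper.DEFAULT, // Specify` in the new @Inject constructor body leaves an unfinished trailing comment; either complete it or reduce the line to `Sleeper.DEFAULT,`. If the intent was to record why the wrapper is used, the note belongs on the factory line instead, e.g. `// SslConnectionSocketFactory.of(...) applies the allowed cipher/protocol restrictions`, though that wording should be confirmed against the helper since the restriction itself is not visible in this hunk. The package-private constructor on the last context line still accepts any SSLConnectionSocketFactory, so the hardening presumably holds only for callers of the @Inject constructor; a one-line Javadoc on that second constructor saying it is a test seam would make the boundary explicit. The enclosing class continues outside the hunk.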
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.restapi.systemflags;
+import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import ai.vespa.util.http.hc4.retry.DelayedConnectionLevelRetryHandler;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -22,7 +23,6 @@ import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.utils.URIBuilder;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -100,12 +100,11 @@ class FlagsClient {
 DelayedConnectionLevelRetryHandler retryHandler = DelayedConnectionLevelRetryHandler.Builder
 .withExponentialBackoff(Duration.ofSeconds(1), Duration.ofSeconds(20), 5)
 .build();
- SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(
- identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets));
 return HttpClientBuilder.create()
 .setUserAgent("controller-flags-v1-client")
- .setSSLSocketFactory(connectionSocketFactory)
+ .setSSLSocketFactory(SslConnectionSocketFactory.of(
+ identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets)))
 .setDefaultRequestConfig(RequestConfig.custom()
 .setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
 .setConnectionRequestTimeout((int) Duration.ofSeconds(10).toMillis())
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
index 5214ded0904..210e32db4c3 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
@@ -2,18 +2,17 @@
 package com.yahoo.vespa.hosted.controller.proxy;
 import ai.vespa.http.HttpURL.Path;
+import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import com.github.tomakehurst.wiremock.stubbing.Scenario;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.yolean.concurrent.Sleeper;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.protocol.HttpCoreContext;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
-import javax.net.ssl.SSLContext;
 import java.io.ByteArrayOutputStream;
 import java.net.URI;
 import java.util.HashMap;
@@ -38,8 +37,7 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_with_retries() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of("127.0.0.1"));
- var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
- Sleeper.NOOP, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
 String path = url.getPath();
@@ -63,9 +61,7 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_without_connection_reuse() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of());
- var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
- Sleeper.NOOP, connectionReuseStrategy);
-
+ var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
 String path = url.getPath();
 stubRequests(path); |
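Review bot: The rewritten `proxy_without_connection_reuse` here, and `proxy_with_retries` in the previous hunk, still only exercise retry and connection-reuse behaviour against the WireMock server; nothing in this commit asserts the property its title claims, that the client rejects disallowed ciphers or protocol versions. A negative test for that presumably belongs next to `SslConnectionSocketFactory` rather than in this file, but a pointer comment on the construction line would help the next reader, e.g. `// SslConnectionSocketFactory.of() is the hardened factory; its cipher/TLS-version limits are covered by its own tests`. The no-argument `SslConnectionSocketFactory.of()` also differs from production, which passes an SSL socket factory and a hostname verifier, so a short note on why the default form is acceptable for a loopback test would remove the question. Both test methods end outside their hunks.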