authorJon Marius Venstad <jonmv@users.noreply.github.com>2019-12-09 13:32:36 +0100
committerGitHub <noreply@github.com>2019-12-09 13:32:36 +0100
commitaad5fd4af6fb147a007aa476937977c040d7c8bb (patch)
tree5c8eb8707873fa8cc61971595ff1056c804dd63b /jdisc_http_service
parenta398c6d8d3cd280e863c77f4f872a59428122ff9 (diff)
Revert "Allow config of ssl cipher suites and protocol version"
Diffstat (limited to 'jdisc_http_service')
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java18
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java4
-rw-r--r--jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/JDiscSslContextFactory.java36
3 files changed, 38 insertions, 20 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
index 140feb75026..7a683b74656 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyHttpServer.java
@@ -23,7 +23,6 @@ import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnectionStatistics;
import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandlerContainer;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.server.handler.StatisticsHandler;
@@ -317,7 +316,6 @@ public class JettyHttpServer extends AbstractServerProvider {
public void start() {
try {
server.start();
- logEffectiveSslConfiguration();
} catch (final Exception e) {
if (e instanceof IOException && e.getCause() instanceof BindException) {
throw new RuntimeException("Failed to start server due to BindExecption. ListenPorts = " + listenedPorts.toString(), e.getCause());
@@ -326,22 +324,6 @@ public class JettyHttpServer extends AbstractServerProvider {
}
}
- private void logEffectiveSslConfiguration() {
- if (!server.isStarted()) throw new IllegalStateException();
- for (Connector connector : server.getConnectors()) {
- ServerConnector serverConnector = (ServerConnector) connector;
- int localPort = serverConnector.getLocalPort();
- var sslConnectionFactory = serverConnector.getConnectionFactory(SslConnectionFactory.class);
- if (sslConnectionFactory != null) {
- var sslContextFactory = sslConnectionFactory.getSslContextFactory();
- log.info(String.format("Enabled SSL cipher suites for port '%d': %s",
- localPort, Arrays.toString(sslContextFactory.getSelectedCipherSuites())));
- log.info(String.format("Enabled SSL protocols for port '%d': %s",
- localPort, Arrays.toString(sslContextFactory.getSelectedProtocols())));
- }
- }
- }
-
@Override
public void close() {
try {
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index 90848f1dfd4..b2e7ba1be67 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -70,12 +70,12 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
List<String> protocols = !sslConfig.enabledProtocols().isEmpty()
? sslConfig.enabledProtocols()
- : new ArrayList<>(TlsContext.getAllowedProtocols(sslContext));
+ : new ArrayList<>(TlsContext.ALLOWED_PROTOCOLS);
setEnabledProtocols(factory, sslContext, protocols);
List<String> ciphers = !sslConfig.enabledCipherSuites().isEmpty()
? sslConfig.enabledCipherSuites()
- : new ArrayList<>(TlsContext.getAllowedCipherSuites(sslContext));
+ : new ArrayList<>(TlsContext.ALLOWED_CIPHER_SUITES);
setEnabledCipherSuites(factory, sslContext, ciphers);
return factory;
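Review bot: The two `+` fallback branches now hand `setEnabledProtocols`/`setEnabledCipherSuites` the static `TlsContext.ALLOWED_PROTOCOLS` and `TlsContext.ALLOWED_CIPHER_SUITES` lists regardless of what the given `sslContext` supports, and nothing in the hunk records that this is deliberate. Whether entries the provider cannot offer are filtered out depends on those two helper methods, which lie outside this hunk; if they do not intersect with the context's supported sets, a default entry the runtime lacks might only surface when the connector starts. A one-line comment on the first fallback, `// Empty config selects the library-wide defaults; these are not derived from sslContext`, would make the intent of the revert explicit for the next reader. The enclosing method starts before and ends after this hunk.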
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/JDiscSslContextFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/JDiscSslContextFactory.java
new file mode 100644
index 00000000000..4d3bb4a280a
--- /dev/null
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/JDiscSslContextFactory.java
@@ -0,0 +1,36 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.ssl.impl;
+
+import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.CertificateUtils;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+
+import java.security.KeyStore;
+import java.util.Objects;
+
+/**
+ * A modified {@link SslContextFactory} that allows passwordless truststore in combination with password protected keystore.
+ *
+ * @author bjorncs
+ */
+class JDiscSslContextFactory extends SslContextFactory.Server {
+
+ private String trustStorePassword;
+
+ @Override
+ public void setTrustStorePassword(String password) {
+ super.setTrustStorePassword(password);
+ this.trustStorePassword = password;
+ }
+
+
+ // Overriden to stop Jetty from using the keystore password if no truststore password is specified.
+ @Override
+ protected KeyStore loadTrustStore(Resource resource) throws Exception {
+ return CertificateUtils.getKeyStore(
+ resource != null ? resource : getKeyStoreResource(),
+ Objects.toString(getTrustStoreType(), getKeyStoreType()),
+ Objects.toString(getTrustStoreProvider(), getKeyStoreProvider()),
+ trustStorePassword);
+ }
+}
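Review bot: The comment above `loadTrustStore` explains only the password behaviour, but the override also substitutes the keystore resource, type and provider whenever the truststore counterparts are unset, so a truststore with no resource configured is read from the keystore file with `trustStorePassword` (which stays null unless `setTrustStorePassword` was called). Spelling that out, e.g. `// Falls back to the keystore resource/type/provider when no truststore equivalents are set, but never to the keystore password.`, keeps the next maintainer from reading it as a pure password fix; `Overriden` should also be `Overridden`. Note too that the password is retained as a plain `String` field for the lifetime of the factory; since Jetty's own setter already takes a `String` this matches the surrounding API, but a short remark on the field would stop it being mistaken for an accidental copy. The double blank line before the comment is a minor formatting nit.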