Allow TLS_RSA* ciphers in JDisc with Jetty 9.4.12+

Jetty 9.4.12+ disables all TLS_RSA ciphers by default
(https://github.com/eclipse/jetty.project/issues/2807).

1 files changed, 9 insertions, 0 deletions

diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
index d4645db88f8..ddddbb76678 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactory.java
@@ -24,6 +24,8 @@ import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 import java.nio.channels.ServerSocketChannel;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
@@ -106,6 +108,13 @@ public class ConnectorFactory {
             factory.setSecureRandomAlgorithm(sslConfig.prng());
         }
 
+        // NOTE: ^TLS_RSA_.*$ ciphers are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807)
+        // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0)
+        String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
+                .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
+                .toArray(String[]::new);
+        factory.setExcludeProtocols(excludedCiphersWithoutTlsRsaExclusion);
+
         setStringArrayParameter(
                 factory, sslConfig.excludeProtocol(), ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
         setStringArrayParameter(