author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-19 15:15:54 +0200 |
---|---|---|
committer | gjoranv <gv@oath.com> | 2019-01-21 15:09:22 +0100 |
commit | ce684e32f08ed2a31db9e0e8853210206627db6a (patch) | |
tree | 77777a593e6a1c627a39d6f3c7acf385691ac2d4 /jdisc_http_service | |
parent | e3eb38a73b3b4e85e96218461205dfce6df0fa64 (diff) |
Disable TLS RSA ciphers that do not support forward secrecy
This will essentially remove the temporary workaround introduced with
the Jetty 9.4.12 upgrade that was done recently. With this change, JDisc will
only enable certificates marked as grade A by ssllabs.com.
Diffstat (limited to 'jdisc_http_service')
-rw-r--r-- | jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
index fa31f58dfc0..c381ba738a3 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/DefaultSslContextFactoryProvider.java
@@ -48,14 +48,6 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid
 break;
 }
 
- // NOTE: All ciphers matching ^TLS_RSA_.*$ are disabled by default in Jetty 9.4.12+ (https://github.com/eclipse/jetty.project/issues/2807)
- // JDisc will allow these ciphers by default to support older clients (e.g. Java 8u60 and curl 7.29.0)
- // Removing the exclusion will allow for the TLS_RSA variants that are not covered by other exclusions
- String[] excludedCiphersWithoutTlsRsaExclusion = Arrays.stream(factory.getExcludeCipherSuites())
- .filter(cipher -> !cipher.equals("^TLS_RSA_.*$"))
- .toArray(String[]::new);
- factory.setExcludeCipherSuites(excludedCiphersWithoutTlsRsaExclusion);
-
 // Check if using new ssl syntax from services.xml
 factory.setKeyStore(createKeystore(sslConfig));
 factory.setKeyStorePassword(""); |