authorBjørn Christian Seime <bjorncs@oath.com>2018-11-06 17:06:07 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-11-06 17:06:07 +0100
commit23d0ea4ee6dc7628e57a77b0bd526b396afb436c (patch)
tree2dac26bab6b3f46afeb53ed89cc31767e2f33d58 /jrt
parent4ae24233cecd1cbe3fdf2ee1d2e0987719be2ee1 (diff)
Allow configuration of accepted ciphers
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoEngine.java22
1 files changed, 16 insertions, 6 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index b3daf5c296d..25a154be107 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -2,17 +2,15 @@
package com.yahoo.jrt;
import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.TransportSecurityOptions;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
-import java.io.IOException;
-import java.io.UncheckedIOException;
import java.nio.channels.SocketChannel;
-import java.nio.file.Files;
-import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
+import java.util.logging.Logger;
/**
* A {@link CryptoSocket} that creates {@link TlsCryptoSocket} instances.
@@ -21,21 +19,33 @@ import java.util.List;
*/
public class TlsCryptoEngine implements CryptoEngine {
+ private static final Logger log = Logger.getLogger(TlsCryptoEngine.class.getName());
+
private final SSLContext sslContext;
+ private final List<String> acceptedCiphers;
public TlsCryptoEngine(SSLContext sslContext) {
+ this(sslContext, Collections.emptyList());
+ }
+
+ public TlsCryptoEngine(SSLContext sslContext, List<String> acceptedCiphers) {
this.sslContext = sslContext;
+ this.acceptedCiphers = acceptedCiphers;
}
public TlsCryptoEngine(TransportSecurityOptions options) {
- this(createSslContext(options));
+ this(createSslContext(options), options.getAcceptedCiphers());
}
@Override
public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
SSLEngine sslEngine = sslContext.createSSLEngine();
+ log.fine(() -> String.format("Supported ciphers: %s", Arrays.toString(sslEngine.getSupportedCipherSuites())));
sslEngine.setNeedClientAuth(true);
sslEngine.setUseClientMode(!isServer);
+ if (!acceptedCiphers.isEmpty()) {
+ sslEngine.setEnabledCipherSuites(acceptedCiphers.toArray(new String[0]));
+ }
return new TlsCryptoSocket(channel, sslEngine);
}
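Review bot: The two-argument constructor stores the caller's `acceptedCiphers` list as-is, so a null value only surfaces later as a NullPointerException at `acceptedCiphers.isEmpty()` in createCryptoSocket, and a list the caller keeps mutating changes which suites get enabled after construction. Validate and snapshot it in the constructor: `this.acceptedCiphers = Collections.unmodifiableList(new ArrayList<>(Objects.requireNonNull(acceptedCiphers, "acceptedCiphers")));` (adds java.util.ArrayList and java.util.Objects to the import block). Note also that `setEnabledCipherSuites` throws IllegalArgumentException for any suite name the engine does not support, so a typo in the configured list fails only when the first socket is created rather than at construction; checking each configured name against `sslContext.getSupportedSSLParameters().getCipherSuites()` in the constructor would give a clearer early failure. The enclosing class continues past the hunk.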