authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-18 19:01:36 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2021-02-18 19:01:40 +0100
commit8af057dfde3f4c3feedf7f87db1b39810c521117 (patch)
tree6177ae28e527eb45a4b5637f71621c40daf70ef8 /jrt
parentddb14fb5ffc9178ded108447f65bd85adc1bb5d8 (diff)
Disable TLSv1.3 for jrt
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java9
1 files changed, 9 insertions, 0 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 56d096347b3..91dbfccb203 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -49,6 +49,7 @@ public class TlsCryptoSocket implements CryptoSocket {
private AuthorizationResult authorizationResult;
public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
+ disableTlsv13(sslEngine);
this.channel = channel;
this.sslEngine = sslEngine;
SSLSession nullSession = sslEngine.getSession();
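Review bot: The added `disableTlsv13(sslEngine)` call in the constructor rewrites the enabled protocols on an `SSLEngine` that the caller owns, and it can now make the constructor throw `IllegalArgumentException`. Neither effect is documented at the call site. I would add a comment above the call, for example `// JRT does not support TLSv1.3; this modifies the caller's engine in place and throws if no other protocol is enabled`, and mention the exception in the constructor's Javadoc. Because this lowers the negotiated protocol version for every JRT connection, the comment should also name the condition under which the call can be removed. The constructor body continues outside the hunk, so whether later code relies on the engine's original protocol list cannot be checked from here.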
@@ -324,4 +325,12 @@ public class TlsCryptoSocket implements CryptoSocket {
throw new SSLException("Handshake not completed: handshakeState=" + handshakeState);
}
+ private static void disableTlsv13(SSLEngine sslEngine) {
+ String[] filteredProtocols = Arrays.stream(sslEngine.getEnabledProtocols())
+ .filter(p -> !p.equals("TLSv1.3"))
+ .toArray(String[]::new);
+ if (filteredProtocols.length == 0) throw new IllegalArgumentException("JRT does not support TLSv1.3");
+ sslEngine.setEnabledProtocols(filteredProtocols);
+ }
+
}
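Review bot: `disableTlsv13` filters by deny-list, so it keeps every other protocol the engine had enabled. The effective minimum version after this change therefore depends entirely on how the caller's `SSLContext` was configured, which is not visible in this diff. If the intent is that JRT speaks TLSv1.2, asserting that explicitly would be safer than only checking for an empty array, for example `if (!Arrays.asList(filteredProtocols).contains("TLSv1.2")) throw new IllegalArgumentException(...)`. The message `"JRT does not support TLSv1.3"` also hides the real condition, which is that the engine was configured with TLSv1.3 as its only protocol. Something like `"No TLS protocol left after disabling TLSv1.3, enabled: " + Arrays.toString(sslEngine.getEnabledProtocols())` would give the operator what they need. A short Javadoc on the method stating why TLSv1.3 is excluded would keep this downgrade from outliving its reason.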