Disable TLSv1.3 for jrt

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-02-18 19:01:36 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2021-02-18 19:01:40 +0100
commit: 8af057dfde3f4c3feedf7f87db1b39810c521117 (patch)
tree: 6177ae28e527eb45a4b5637f71621c40daf70ef8 /jrt
parent: ddb14fb5ffc9178ded108447f65bd85adc1bb5d8 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 56d096347b3..91dbfccb203 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -49,6 +49,7 @@ public class TlsCryptoSocket implements CryptoSocket {
     private AuthorizationResult authorizationResult;
 
     public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) {
+        disableTlsv13(sslEngine);
         this.channel = channel;
         this.sslEngine = sslEngine;
         SSLSession nullSession = sslEngine.getSession();
@@ -324,4 +325,12 @@ public class TlsCryptoSocket implements CryptoSocket {
             throw new SSLException("Handshake not completed: handshakeState=" + handshakeState);
     }
 
+    private static void disableTlsv13(SSLEngine sslEngine) {
+        String[] filteredProtocols = Arrays.stream(sslEngine.getEnabledProtocols())
+                .filter(p -> !p.equals("TLSv1.3"))
+                .toArray(String[]::new);
+        if (filteredProtocols.length == 0) throw new IllegalArgumentException("JRT does not support TLSv1.3");
+        sslEngine.setEnabledProtocols(filteredProtocols);
+    }
+
 }
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-02-18 19:01:36 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2021-02-18 19:01:40 +0100
commit	8af057dfde3f4c3feedf7f87db1b39810c521117 (patch)
tree	6177ae28e527eb45a4b5637f71621c40daf70ef8 /jrt
parent	ddb14fb5ffc9178ded108447f65bd85adc1bb5d8 (diff)