authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-01-23 14:22:58 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-01-23 16:33:56 +0100
commitbf0c364db7d2e31272786c3bc59eea4f26f8ac71 (patch)
treeeb78c86dcd8720c4a1515fb3641e96c7e2373d75 /security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
parenta0781f51282f8e0c489013208295947d998ca55c (diff)
Allow configuration of accepted ciphers
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java23
1 files changed, 15 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 3f729d76ceb..a42c678edab 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -36,32 +36,40 @@ public class DefaultTlsContext implements TlsContext {
private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
private final SSLContext sslContext;
+ private final List<String> acceptedCiphers;
public DefaultTlsContext(List<X509Certificate> certificates,
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- AuthorizationMode mode) {
+ AuthorizationMode mode,
+ List<String> acceptedCiphers) {
this.sslContext = createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode);
+ this.acceptedCiphers = acceptedCiphers;
}
public DefaultTlsContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
- this.sslContext = createSslContext(tlsOptionsConfigFile, mode);
+ TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
+ this.sslContext = createSslContext(options, mode);
+ this.acceptedCiphers = options.getAcceptedCiphers();
}
@Override
public SSLEngine createSslEngine() {
SSLEngine sslEngine = sslContext.createSSLEngine();
- restrictSetOfEnabledCiphers(sslEngine);
+ restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers);
return sslEngine;
}
- private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine) {
+ private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine, List<String> acceptedCiphers) {
String[] validCipherSuites = Arrays.stream(sslEngine.getSupportedCipherSuites())
- .filter(ALLOWED_CIPHER_SUITES::contains)
+ .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && (acceptedCiphers.isEmpty() || acceptedCiphers.contains(suite)))
.toArray(String[]::new);
if (validCipherSuites.length == 0) {
- throw new IllegalStateException("None of the allowed cipher suites are supported");
+ throw new IllegalStateException(
+ String.format("None of the allowed cipher suites are supported " +
+ "(allowed-cipher-suites=%s, supported-cipher-suites=%s, accepted-cipher-suites=%s)",
+ ALLOWED_CIPHER_SUITES, List.of(sslEngine.getSupportedCipherSuites()), acceptedCiphers));
}
log.log(Level.FINE, () -> String.format("Allowed cipher suites that are supported: %s", Arrays.toString(validCipherSuites)));
sslEngine.setEnabledCipherSuites(validCipherSuites);
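Review bot: The six-argument constructor stores the caller's list by reference with no null check (`this.acceptedCiphers = acceptedCiphers;`), so a null argument only surfaces as a NullPointerException inside restrictSetOfEnabledCiphers when the first SSLEngine is created, and a caller that keeps mutating its list can alter the cipher restriction after construction. Since the hunk already relies on `List.of(...)`, `this.acceptedCiphers = List.copyOf(acceptedCiphers);` (Java 10+) in both constructors would fail fast on null and freeze the configured set; whether `options.getAcceptedCiphers()` can itself return null is not visible here. The empty-list-means-unrestricted rule encoded in the filter is a security-relevant contract that should be stated on the new field, e.g. `// empty = no further restriction beyond ALLOWED_CIPHER_SUITES`. Entries in acceptedCiphers that are not in ALLOWED_CIPHER_SUITES are silently dropped by the filter, so a log line listing the ignored entries would expose a misconfiguration before the all-or-nothing IllegalStateException does. restrictSetOfEnabledCiphers closes outside the hunk.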
@@ -85,8 +93,7 @@ public class DefaultTlsContext implements TlsContext {
return builder.build();
}
- private static SSLContext createSslContext(Path tlsOptionsConfigFile, AuthorizationMode mode) {
- TransportSecurityOptions options = TransportSecurityOptions.fromJsonFile(tlsOptionsConfigFile);
+ private static SSLContext createSslContext(TransportSecurityOptions options, AuthorizationMode mode) {
SslContextBuilder builder = new SslContextBuilder();
options.getCertificatesFile()
.ifPresent(certificates -> builder.withKeyStore(options.getPrivateKeyFile().get(), certificates));