diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-24 17:14:08 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-02-24 17:14:08 +0100 |
commit | 23e018497c07d9a1e8451c3531dc073e93b73617 (patch) | |
tree | 5986b3f493cfdd39cf0a595881cc4eb25539fbbb /security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | |
parent | 3e0954075fde4f01717c9a9e987231af95812a31 (diff) |
Make TLS protocol version configurable in TLS config file
Only protocols listed in allowlist can be configured.
TLSv1.2 is the only supported version at the moment, but TLSv1.3 will most likely be included in the future.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java index d2a42d21973..250596628ee 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java @@ -10,6 +10,7 @@ import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; import java.security.PrivateKey; import java.security.cert.X509Certificate; +import java.util.Arrays; import java.util.List; import java.util.Set; import java.util.logging.Level; @@ -40,14 +41,14 @@ public class DefaultTlsContext implements TlsContext { } public DefaultTlsContext(SSLContext sslContext, PeerAuthentication peerAuthentication) { - this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, peerAuthentication); + this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication); } - DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, PeerAuthentication peerAuthentication) { + DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, PeerAuthentication peerAuthentication) { this.sslContext = sslContext; this.peerAuthentication = peerAuthentication; this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers); - this.validProtocols = getAllowedProtocols(sslContext); + this.validProtocols = getAllowedProtocols(sslContext, acceptedProtocols); } private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) { @@ -64,10 +65,18 @@ public class DefaultTlsContext implements TlsContext { return allowedCiphers; } - private static String[] getAllowedProtocols(SSLContext sslContext) { - Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext); - log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", com.yahoo.vespa.jdk8compat.List.of(allowedProtocols))); - return com.yahoo.vespa.jdk8compat.Collection.toArray(allowedProtocols, String[]::new); + private static String[] getAllowedProtocols(SSLContext sslContext, Set<String> acceptedProtocols) { + Set<String> supportedProtocols = TlsContext.getAllowedProtocols(sslContext); + String[] allowedProtocols = supportedProtocols.stream() + .filter(acceptedProtocols::contains) + .toArray(String[]::new); + if (allowedProtocols.length == 0) { + throw new IllegalStateException( + String.format("None of the accepted protocols are supported (supported=%s, accepted=%s)", + supportedProtocols, acceptedProtocols)); + } + log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(allowedProtocols))); + return allowedProtocols; } @Override |