author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-01 13:01:14 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-01 13:01:14 +0100 |
commit | d6f675f18bd0218312cb9aeb475ae574f3366e45 (patch) | |
tree | 9c75f931e7ef357032fb4f35d945bf4d4a1cb7a9 /security-utils/src/main/java/com/yahoo/security/tls | |
parent | b2b1cac07d55fcd1f2936849f01a4ee637cc1bdf (diff) |
Restrict enabled protocols
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index a42c678edab..85841c3e59f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -33,6 +33,8 @@ public class DefaultTlsContext implements TlsContext {
 "TLS_AES_256_GCM_SHA384", // TLSv1.3
 "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
 
+ public static final List<String> ALLOWED_PROTOCOLS = List.of("TLSv1.2"); // TODO Enable TLSv1.3
+
 private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
 
 private final SSLContext sslContext;
@@ -58,6 +60,7 @@ public class DefaultTlsContext implements TlsContext {
 public SSLEngine createSslEngine() {
 SSLEngine sslEngine = sslContext.createSSLEngine();
 restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers);
+ restrictTlsProtocols(sslEngine);
 return sslEngine;
 }
 
@@ -75,6 +78,19 @@ public class DefaultTlsContext implements TlsContext {
 sslEngine.setEnabledCipherSuites(validCipherSuites);
 }
 
+ private static void restrictTlsProtocols(SSLEngine sslEngine) {
+ String[] validProtocols = Arrays.stream(sslEngine.getSupportedProtocols())
+ .filter(ALLOWED_PROTOCOLS::contains)
+ .toArray(String[]::new);
+ if (validProtocols.length == 0) {
+ throw new IllegalArgumentException(
+ String.format("Non of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)",
+ ALLOWED_PROTOCOLS, Arrays.toString(sslEngine.getSupportedProtocols())));
+ }
+ log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(validProtocols)));
+ sslEngine.setEnabledProtocols(validProtocols);
+ }
+
 private static SSLContext createSslContext(List<X509Certificate> certificates,
 PrivateKey privateKey,
 List<X509Certificate> caCertificates,
|
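Review bot: The exception message in the new `restrictTlsProtocols` (third hunk) has a typo, `"Non of the allowed protocols are supported ..."` should read `"None of the allowed protocols are supported ..."`, and because the failure reflects what the JSSE provider supports rather than a bad caller argument, `IllegalStateException` fits better than `IllegalArgumentException`. The public constant `ALLOWED_PROTOCOLS` in the first hunk carries only a TODO; a Javadoc line such as `/** Protocols this context will negotiate; TLSv1.3 is intentionally not enabled yet (see TODO). */` would make the deliberate exclusion visible to callers of the public field. The restriction is applied only inside the no-arg `createSslEngine()` shown in the second hunk; if the class, which is not fully visible here, hands out engines, sockets or `SSLParameters` through any other path, those would still advertise every supported protocol, so it is worth confirming every factory path goes through `restrictTlsProtocols`.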