author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-12-19 16:04:48 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-01-06 11:33:59 +0100 |
commit | 6e162af9a091d2ac1c229281c47349e46d6c8239 (patch) | |
tree | 7acb73d5a41283608bd07d96e3db7b8b56f87eca /security-utils/src/main/java/com/yahoo | |
parent | 7d839355259eca823da9396c1ed15b43f7c98768 (diff) |
Ensure that HTTPS clients only use allowed ciphers and protocol versions
Diffstat (limited to 'security-utils/src/main/java/com/yahoo')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java | 4 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 23 |
2 files changed, 25 insertions, 2 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index d91c47e5eed..9b26b79a960 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.security;
+import com.yahoo.security.tls.TlsContext;
+
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
@@ -129,7 +131,7 @@ public class SslContextBuilder {
 public SSLContext build() {
 try {
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
 X509ExtendedTrustManager trustManager = this.trustManager != null ? this.trustManager : trustManagerFactory.createTrustManager(trustStoreSupplier.get());
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index b222c8664cc..8e146f36907 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,6 +4,8 @@ package com.yahoo.security.tls;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
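Review bot: Switching `build()` from the "TLS" to the "TLSv1.2" context name drops TLSv1.3 from the supported protocol list of every SSLContext this builder returns, so a consumer that later calls setEnabledProtocols with "TLSv1.3" on an engine or socket derived from it will fail with IllegalArgumentException instead of negotiating TLS 1.3; whether such a caller exists is not visible from this hunk. The dependency on the TlsContext allowlist is implicit at the call site, so I would add above the getInstance line `// Must be kept in step with TlsContext.ALLOWED_PROTOCOLS: a "TLSv1.2" context cannot negotiate TLSv1.3`. build() continues outside the hunk, so whether the returned context's enabled protocols are narrowed afterwards cannot be checked here.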
@@ -39,7 +41,12 @@ public interface TlsContext extends AutoCloseable {
 // TODO Enable TLSv1.3 after upgrading to JDK 17
 Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
- String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
+
+ /**
+ * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
+ * @see SSLContext#getInstance(String)
+ */
+ String SSL_CONTEXT_VERSION = "TLSv1.2";
 /** + * @return the allowed cipher suites supported by the provided context instance
@@ -58,6 +65,8 @@ public interface TlsContext extends AutoCloseable {
 return enabledCiphers;
 }
+ static Set<String> getAllowedCipherSuites() { return getAllowedCipherSuites(defaultSslContext()); }
+
 /**
 * @return the allowed protocols supported by the provided context instance
 */
@@ -74,6 +83,18 @@ public interface TlsContext extends AutoCloseable {
 return enabledProtocols;
 }
+ static Set<String> getAllowedProtocols() { return getAllowedProtocols(defaultSslContext()); }
+
+ /** @return Default {@link SSLContext} instance without certificate and using JDK's default trust store */
+ static SSLContext defaultSslContext() {
+ try {
+ var ctx = SSLContext.getInstance(SSL_CONTEXT_VERSION);
+ ctx.init(null, null, null);
+ return ctx;
+ } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e);
+ } catch (KeyManagementException e) { throw new IllegalStateException(e); }
+ }
+
 SSLContext context();
 SSLParameters parameters(); |
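Review bot: The new javadoc on `SSL_CONTEXT_VERSION` understates what the "TLSv1.2" context name does: in the JDK's SunJSSE implementation a context named TLSv1.2 still supports TLSv1 and TLSv1.1 (their enablement is governed by jdk.tls.disabledAlgorithms, not by this name), so the constant only caps the highest negotiable version at 1.2 and the lower bound still depends on `ALLOWED_PROTOCOLS` being applied through getAllowedProtocols(SSLContext), whose body is outside this hunk. The two constants are now coupled in a way the existing TODO does not mention: adding "TLSv1.3" to ALLOWED_PROTOCOLS without also changing SSL_CONTEXT_VERSION would leave TLS 1.3 unsupported by every context created from it. I would extend the javadoc with `Caps the highest version a context can negotiate; it does not exclude older versions, which {@link #ALLOWED_PROTOCOLS} must still filter out. Bump this together with ALLOWED_PROTOCOLS when enabling TLSv1.3.` In `defaultSslContext()` the NoSuchAlgorithmException for a hard-coded protocol name is mapped to IllegalArgumentException although no argument is involved; IllegalStateException, as already used for KeyManagementException, fits better. Since `ctx.init(null, null, null)` builds a fresh context and loads the default trust store on every call, the no-arg getAllowedCipherSuites()/getAllowedProtocols() helpers presumably should not be invoked per connection, which is worth stating in their javadoc.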