diff options
author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-03-25 13:13:56 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-25 13:13:56 +0100 |
commit | 629c11254b2b08a8516b4b1fd0b1e7dca38751a7 (patch) | |
tree | 4e54285854346f4a6f8f6f04e1c8913bee1ef36a /security-utils/src/main | |
parent | c5621e4124f0ab117acbef517b71b99650b0b7e2 (diff) | |
parent | 11a64028b1e9bfb31846c4aae136898b7c89f6e0 (diff) |
Merge pull request #26584 from vespa-engine/revert-26578-bjorncs/tlsv13v8.145.27
Revert "Enable TLSv1.3 for Vespa mTLS"
Diffstat (limited to 'security-utils/src/main')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 9d72030c624..8e146f36907 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -7,6 +7,8 @@ import javax.net.ssl.SSLParameters; import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; import java.util.Set; import static java.util.stream.Collectors.toSet; @@ -24,20 +26,21 @@ public interface TlsContext extends AutoCloseable { * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM. * For TLSv1.3 we allow the DEFAULT group ciphers. * Note that we _only_ allow AEAD ciphers for either TLS version. + * + * TODO(bjorncs) Add new ciphers once migrated to JDK-17 (also available in 11.0.13): + * - TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ - Set<String> ALLOWED_CIPHER_SUITES = Set.of( + Set<String> ALLOWED_CIPHER_SUITES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList( "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256", // TLSv1.3 - "TLS_AES_256_GCM_SHA384", // TLSv1.3 - "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3 - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ); + "TLS_AES_256_GCM_SHA384" // TLSv1.3 + ))); - Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3"); + // TODO Enable TLSv1.3 after upgrading to JDK 17 + Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2"); /** * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS} |