diff options
author | Harald Musum <musum@verizonmedia.com> | 2019-11-21 08:17:54 +0100 |
---|---|---|
committer | Harald Musum <musum@verizonmedia.com> | 2019-11-21 08:17:54 +0100 |
commit | f50320c26942304629d79c80cdc6776f4c486f7e (patch) | |
tree | 446122ef06eca481248d100f145a9868049e440c /security-utils/src | |
parent | 05377eb166b3d310774545fdd35172991dba9390 (diff) |
Remove more cipher suites not supported by Java 11 from set configured for use by ZooKeeper
Diffstat (limited to 'security-utils/src')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 5253e9e6a7e..6ad5f6c3612 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -13,7 +13,16 @@ import java.util.Set; */ public interface TlsContext extends AutoCloseable { - // TODO: Where does this set come from? + /** + * Handpicked subset of supported ciphers from https://www.openssl.org/docs/manmaster/man1/ciphers.html + * based on Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS + * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM. + * For TLSv1.3 we allow the DEFAULT group ciphers. + * Note that we _only_ allow AEAD ciphers for either TLS version. + */ + // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256? + // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Set<String> ALLOWED_CIPHER_SUITES = Set.of( "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", |