Only allowed whitelisted cipher suits

author: Bjørn Christian Seime <bjorncs@oath.com> 2018-12-03 13:41:50 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-12-05 16:35:35 +0100
commit: 7d59528f94fd292b0901aef2957507d71b796a72 (patch)
tree: 94e581c26d29b23d4759899bd733121ac91f9a7a /security-utils
parent: cd3842b54a80279c5af9cb4443074885e73bee0c (diff)
1 files changed, 27 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
index 7c487388e2f..2a40d5340ac 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java
@@ -9,6 +9,8 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import java.nio.file.Path;
 import java.time.Duration;
+import java.util.Arrays;
+import java.util.List;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -24,6 +26,17 @@ import java.util.logging.Logger;
 public class ConfigFileManagedTlsContext implements TlsContext {
 
     private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
+    private static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList(
+            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
 
     private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName());
 
@@ -49,7 +62,20 @@ public class ConfigFileManagedTlsContext implements TlsContext {
     }
 
     public SSLEngine createSslEngine() {
-        return currentSslContext.get().createSSLEngine();
+        SSLEngine sslEngine = currentSslContext.get().createSSLEngine();
+        restrictSetOfEnabledCiphers(sslEngine);
+        return sslEngine;
+    }
+
+    private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine) {
+        String[] validCipherSuits = Arrays.stream(sslEngine.getSupportedCipherSuites())
+                .filter(ALLOWED_CIPHER_SUITS::contains)
+                .toArray(String[]::new);
+        if (validCipherSuits.length == 0) {
+            throw new IllegalStateException("None of the allowed cipher suits are supported");
+        }
+        log.log(Level.FINE, () -> String.format("Allowed cipher suits that are supported: %s", Arrays.toString(validCipherSuits)));
+        sslEngine.setEnabledCipherSuites(validCipherSuits);
     }
 
     private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) {
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-12-03 13:41:50 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-12-05 16:35:35 +0100
commit	7d59528f94fd292b0901aef2957507d71b796a72 (patch)
tree	94e581c26d29b23d4759899bd733121ac91f9a7a /security-utils
parent	cd3842b54a80279c5af9cb4443074885e73bee0c (diff)