diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-12-03 13:41:50 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-12-05 16:35:35 +0100 |
commit | 7d59528f94fd292b0901aef2957507d71b796a72 (patch) | |
tree | 94e581c26d29b23d4759899bd733121ac91f9a7a /security-utils | |
parent | cd3842b54a80279c5af9cb4443074885e73bee0c (diff) |
Only allowed whitelisted cipher suits
Diffstat (limited to 'security-utils')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java index 7c487388e2f..2a40d5340ac 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/ConfigFileManagedTlsContext.java @@ -9,6 +9,8 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import java.nio.file.Path; import java.time.Duration; +import java.util.Arrays; +import java.util.List; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; @@ -24,6 +26,17 @@ import java.util.logging.Logger; public class ConfigFileManagedTlsContext implements TlsContext { private static final Duration UPDATE_PERIOD = Duration.ofHours(1); + private static final List<String> ALLOWED_CIPHER_SUITS = Arrays.asList( + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"); private static final Logger log = Logger.getLogger(ConfigFileManagedTlsContext.class.getName()); @@ -49,7 +62,20 @@ public class ConfigFileManagedTlsContext implements TlsContext { } public SSLEngine createSslEngine() { - return currentSslContext.get().createSSLEngine(); + SSLEngine sslEngine = currentSslContext.get().createSSLEngine(); + restrictSetOfEnabledCiphers(sslEngine); + return sslEngine; + } + + private static void restrictSetOfEnabledCiphers(SSLEngine sslEngine) { + String[] validCipherSuits = Arrays.stream(sslEngine.getSupportedCipherSuites()) + .filter(ALLOWED_CIPHER_SUITS::contains) + .toArray(String[]::new); + if (validCipherSuits.length == 0) { + throw new IllegalStateException("None of the allowed cipher suits are supported"); + } + log.log(Level.FINE, () -> String.format("Allowed cipher suits that are supported: %s", Arrays.toString(validCipherSuits))); + sslEngine.setEnabledCipherSuites(validCipherSuits); } private static SSLContext createSslContext(Path tlsOptionsConfigFile, PeerAuthorizerTrustManager.Mode mode) { |