authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-12-19 16:04:48 +0100
committerBjørn Christian Seime <bjorncs@yahooinc.com>2023-01-06 11:33:59 +0100
commit6e162af9a091d2ac1c229281c47349e46d6c8239 (patch)
tree7acb73d5a41283608bd07d96e3db7b8b56f87eca /security-utils
parent7d839355259eca823da9396c1ed15b43f7c98768 (diff)
Ensure that HTTPS clients only use allowed ciphers and protocol versions
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java4
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java23
2 files changed, 25 insertions, 2 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index d91c47e5eed..9b26b79a960 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -1,6 +1,8 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.security;
+import com.yahoo.security.tls.TlsContext;
+
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
@@ -129,7 +131,7 @@ public class SslContextBuilder {
public SSLContext build() {
try {
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
X509ExtendedTrustManager trustManager = this.trustManager != null
? this.trustManager
: trustManagerFactory.createTrustManager(trustStoreSupplier.get());
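Review bot: Switching the context name on the changed line to `TlsContext.SSL_CONTEXT_VERSION` (now `"TLSv1.2"`) selects the provider implementation but does not by itself limit what engines and sockets created from this context negotiate: for the JDK's `TLSv1.2` context the default enabled protocols still include older TLS versions unless `jdk.tls.disabledAlgorithms` excludes them, and the default cipher suites are the JDK's, not `TlsContext.getAllowedCipherSuites`. The restriction to `ALLOWED_PROTOCOLS` and the allowed ciphers therefore still has to be applied through `SSLParameters` on each engine or socket built from the returned context, and nothing in this hunk does that. A comment on the changed line would keep readers from assuming the name alone is the enforcement, e.g. `// Selects the SSLContext implementation only; allowed protocols/ciphers must still be set via SSLParameters (see TlsContext)`. `build()` continues past the end of the hunk, so the parameters may be applied further down or left to the caller.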
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index b222c8664cc..8e146f36907 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,6 +4,8 @@ package com.yahoo.security.tls;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
@@ -39,7 +41,12 @@ public interface TlsContext extends AutoCloseable {
// TODO Enable TLSv1.3 after upgrading to JDK 17
Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
- String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
+
+ /**
+ * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
+ * @see SSLContext#getInstance(String)
+ */
+ String SSL_CONTEXT_VERSION = "TLSv1.2";
/**
* @return the allowed cipher suites supported by the provided context instance
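Review bot: The new Javadoc on `SSL_CONTEXT_VERSION` says what the name must support but not what it actually changes, which is the security-relevant part: per the JSSE standard names a `TLSv1.2` context "may support other SSL/TLS versions", and in the JDK implementation the name mainly determines the default enabled protocols of engines created from the context rather than the supported set, so `ALLOWED_PROTOCOLS` still has to be applied via `SSLParameters`. The coupling with `ALLOWED_PROTOCOLS` and the TLSv1.3 TODO two lines above is also left implicit, although both constants will need to move together. I would extend the Javadoc with `Only selects the provider implementation and its default enabled protocols; {@link #ALLOWED_PROTOCOLS} must still be applied through SSLParameters. Revisit together with ALLOWED_PROTOCOLS when TLSv1.3 is enabled.` and end the first sentence with a period.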
@@ -58,6 +65,8 @@ public interface TlsContext extends AutoCloseable {
return enabledCiphers;
}
+ static Set<String> getAllowedCipherSuites() { return getAllowedCipherSuites(defaultSslContext()); }
+
/**
* @return the allowed protocols supported by the provided context instance
*/
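Review bot: The new no-arg `getAllowedCipherSuites()` has no Javadoc although the overload directly above it does, and its semantics differ in a way worth stating: it reports the allowed suites that this JDK installation supports rather than those of a given context, and every call builds and initialises a fresh `SSLContext` through `defaultSslContext()`. Suggested Javadoc: `/** @return the allowed cipher suites supported by the JDK's default {@link SSLContext}; a new context is created on every call, so callers should cache the result */`.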
@@ -74,6 +83,18 @@ public interface TlsContext extends AutoCloseable {
return enabledProtocols;
}
+ static Set<String> getAllowedProtocols() { return getAllowedProtocols(defaultSslContext()); }
+
+ /** @return Default {@link SSLContext} instance without certificate and using JDK's default trust store */
+ static SSLContext defaultSslContext() {
+ try {
+ var ctx = SSLContext.getInstance(SSL_CONTEXT_VERSION);
+ ctx.init(null, null, null);
+ return ctx;
+ } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e);
+ } catch (KeyManagementException e) { throw new IllegalStateException(e); }
+ }
+
SSLContext context();
SSLParameters parameters();
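Review bot: `defaultSslContext()` is a `static` interface method, i.e. public API, although it exists only to back the two no-arg getters; it hands out a context initialised with `init(null, null, null)` (default key and trust managers, JDK default enabled protocols and ciphers), which is exactly the kind of unrestricted context this commit is trying to keep HTTPS clients away from. Since the file already uses `var`, interface `private static` methods are available, so `private static SSLContext defaultSslContext()` would keep it an implementation detail, assuming nothing outside this interface calls it. The exception mapping is also odd: the protocol name is a constant, so a `NoSuchAlgorithmException` signals a broken JDK/provider setup rather than a bad argument, and a single `catch (NoSuchAlgorithmException | KeyManagementException e) { throw new IllegalStateException(e); }` is both more accurate and shorter. Each call also does a full provider lookup and initialisation (including loading the default trust store), so the Javadoc should say the result is not cached.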