authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-01 13:01:14 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-02-01 13:01:14 +0100
commitd6f675f18bd0218312cb9aeb475ae574f3366e45 (patch)
tree9c75f931e7ef357032fb4f35d945bf4d4a1cb7a9 /security-utils
parentb2b1cac07d55fcd1f2936849f01a4ee637cc1bdf (diff)
Restrict enabled protocols
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java16
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java6
2 files changed, 21 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index a42c678edab..85841c3e59f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -33,6 +33,8 @@ public class DefaultTlsContext implements TlsContext {
"TLS_AES_256_GCM_SHA384", // TLSv1.3
"TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
+ public static final List<String> ALLOWED_PROTOCOLS = List.of("TLSv1.2"); // TODO Enable TLSv1.3
+
private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
private final SSLContext sslContext;
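Review bot: ALLOWED_PROTOCOLS admits only TLSv1.2, while ALLOWED_CIPHER_SUITES just above it still lists TLSv1.3-only suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) that cannot be negotiated until the TODO is resolved. Someone reading the cipher list alone could conclude that TLS 1.3 is in effect, so the two constants should be tied together in the source, e.g. `// The TLSv1.3 suites above are inert until TLSv1.3 is added to ALLOWED_PROTOCOLS`. The enclosing class body continues outside the hunk.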
@@ -58,6 +60,7 @@ public class DefaultTlsContext implements TlsContext {
public SSLEngine createSslEngine() {
SSLEngine sslEngine = sslContext.createSSLEngine();
restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers);
+ restrictTlsProtocols(sslEngine);
return sslEngine;
}
@@ -75,6 +78,19 @@ public class DefaultTlsContext implements TlsContext {
sslEngine.setEnabledCipherSuites(validCipherSuites);
}
+ private static void restrictTlsProtocols(SSLEngine sslEngine) {
+ String[] validProtocols = Arrays.stream(sslEngine.getSupportedProtocols())
+ .filter(ALLOWED_PROTOCOLS::contains)
+ .toArray(String[]::new);
+ if (validProtocols.length == 0) {
+ throw new IllegalArgumentException(
+ String.format("Non of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)",
+ ALLOWED_PROTOCOLS, Arrays.toString(sslEngine.getSupportedProtocols())));
+ }
+ log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(validProtocols)));
+ sslEngine.setEnabledProtocols(validProtocols);
+ }
+
private static SSLContext createSslContext(List<X509Certificate> certificates,
PrivateKey privateKey,
List<X509Certificate> caCertificates,
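Review bot: The exception message in restrictTlsProtocols contains a typo ("Non of"); it should read `"None of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)"`. The condition reflects the runtime's supported protocol set rather than a bad caller argument, so `IllegalStateException` would describe it more accurately than `IllegalArgumentException`, though changing the type affects anyone who catches it. `sslEngine.getSupportedProtocols()` is also called twice; hoisting it into a local keeps the filter and the message consistent. Only engines produced by createSslEngine are restricted; if DefaultTlsContext exposes the underlying SSLContext or a socket factory elsewhere (not visible in this diff), those paths would still offer the JDK default protocols.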
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index cfaa7ba06df..656cfa77d61 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -12,6 +12,7 @@ import org.junit.Test;
import javax.net.ssl.SSLEngine;
import javax.security.auth.x500.X500Principal;
+import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
@@ -32,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThat;
public class DefaultTlsContextTest {
@Test
- public void can_create_sslcontext_from_credentials() {
+ public void can_create_sslcontext_from_credentials() throws GeneralSecurityException {
KeyPair keyPair = KeyUtils.generateKeypair(EC);
X509Certificate certificate = X509CertificateBuilder
@@ -54,6 +55,9 @@ public class DefaultTlsContextTest {
String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
assertThat(enabledCiphers).isNotEmpty();
assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
+
+ String[] enabledProtocols = sslEngine.getEnabledProtocols();
+ assertThat(enabledProtocols).contains("TLSv1.2");
}
} \ No newline at end of file
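Review bot: The new assertion in can_create_sslcontext_from_credentials only checks that TLSv1.2 is among the enabled protocols, so an engine that additionally left an older protocol version enabled would still pass; the test does not verify the restriction this commit introduces. Mirror the cipher assertion a few lines above with `assertThat(enabledProtocols).isSubsetOf(DefaultTlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));` alongside the existing contains check, so that both the presence of TLSv1.2 and the absence of anything else are pinned.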