Remove more cipher suites not supported by Java 11 from set configured for use by ZooKeeper

1 files changed, 10 insertions, 1 deletions

diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 5253e9e6a7e..6ad5f6c3612 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -13,7 +13,16 @@ import java.util.Set;
  */
 public interface TlsContext extends AutoCloseable {
 
-    // TODO: Where does this set come from?
+    /**
+     * Handpicked subset of supported ciphers from https://www.openssl.org/docs/manmaster/man1/ciphers.html
+     * based on Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
+     * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM.
+     * For TLSv1.3 we allow the DEFAULT group ciphers.
+     * Note that we _only_ allow AEAD ciphers for either TLS version.
+     */
+    // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256?
+    // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
     Set<String> ALLOWED_CIPHER_SUITES = Set.of(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",