authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-12-19 16:04:48 +0100
committerBjørn Christian Seime <bjorncs@yahooinc.com>2023-01-06 11:33:59 +0100
commit6e162af9a091d2ac1c229281c47349e46d6c8239 (patch)
tree7acb73d5a41283608bd07d96e3db7b8b56f87eca /vespa-feed-client
parent7d839355259eca823da9396c1ed15b43f7c98768 (diff)
Ensure that HTTPS clients only use allowed ciphers and protocol versions
Diffstat (limited to 'vespa-feed-client')
-rw-r--r--vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java2
-rw-r--r--vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java9
2 files changed, 5 insertions, 6 deletions
diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
index 2ca4577abe6..1855b657a75 100644
--- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
+++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
@@ -85,7 +85,7 @@ class SslContextBuilder {
} else if (hasCaCertificateInstance()) {
addCaCertificates(keystore, caCertificates);
}
- SSLContext sslContext = SSLContext.getInstance("TLS");
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); // Protocol version must match TlsContext.SSL_CONTEXT_VERSION
sslContext.init(
createKeyManagers(keystore).orElse(null),
createTrustManagers(keystore).orElse(null),
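Review bot: The protocol name passed to `SSLContext.getInstance` on the added line does not by itself restrict a connection to TLS 1.2 or to an approved cipher list. In the stock JSSE provider a `TLSv1.2` context only sets the highest version enabled by default for clients: older versions stay enabled unless `jdk.tls.disabledAlgorithms` or explicit `SSLParameters` remove them, and TLS 1.3 is no longer offered by default. If the allow-list is applied elsewhere (not visible in this hunk), the comment should say so, e.g. `// Upper bound only; enabled protocols and cipher suites are restricted in <call site>`. The comment also ties a string literal to `TlsContext.SSL_CONTEXT_VERSION` by convention only, so if that constant cannot be referenced from this module, a test comparing the two would catch drift. The enclosing method starts and ends outside the hunk.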
diff --git a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
index f7c1b4d2b03..95952d37c3c 100644
--- a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
+++ b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
@@ -30,7 +30,6 @@ import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertEquals;
/**
@@ -58,13 +57,13 @@ class SslContextBuilderTest {
.withCaCertificates(certificateFile)
.withCertificateAndKey(certificateFile, privateKeyFile)
.build());
- assertEquals("TLS", sslContext.getProtocol());
+ assertEquals("TLSv1.2", sslContext.getProtocol());
}
@Test
void successfully_constructs_sslcontext_when_no_builder_parameter_given() {
SSLContext sslContext = Assertions.assertDoesNotThrow(() -> new SslContextBuilder().build());
- assertEquals("TLS", sslContext.getProtocol());
+ assertEquals("TLSv1.2", sslContext.getProtocol());
}
@Test
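Review bot: The updated assertions in this hunk, and the identical ones in the two hunks that follow, check only `sslContext.getProtocol()`, which reports the name the context was requested with rather than what a handshake may negotiate. To back the commit's stated goal, at least one test should also inspect the effective settings, for example asserting that `sslContext.getDefaultSSLParameters().getProtocols()` and `getCipherSuites()` contain only the allowed values. If the restriction is enforced on the HTTP client rather than on the context (not visible in this diff), that check belongs in the client's tests instead.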
@@ -73,7 +72,7 @@ class SslContextBuilderTest {
new SslContextBuilder()
.withCertificateAndKey(certificateFile, privateKeyFile)
.build());
- assertEquals("TLS", sslContext.getProtocol());
+ assertEquals("TLSv1.2", sslContext.getProtocol());
}
@Test
@@ -82,7 +81,7 @@ class SslContextBuilderTest {
new SslContextBuilder()
.withCaCertificates(certificateFile)
.build());
- assertEquals("TLS", sslContext.getProtocol());
+ assertEquals("TLSv1.2", sslContext.getProtocol());
}
private static void writePem(Path file, String type, byte[] asn1DerEncodedObject) throws IOException {