authorJon Marius Venstad <venstad@gmail.com>2021-05-31 14:03:36 +0200
committerJon Marius Venstad <venstad@gmail.com>2021-05-31 14:03:36 +0200
commit9d19abe4f78e8139517588aba4ee827d5e0e8227 (patch)
tree7423c0503fa470ba5ca3c18b80083722d2b0a865 /vespa-feed-client
parentecdbd088a11be55692baa8ba072648ad651c0d45 (diff)
Ensure proper cipher suite for HTTP/2 client
Diffstat (limited to 'vespa-feed-client')
-rw-r--r--vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java11
1 files changed, 9 insertions, 2 deletions
diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
index 680f080f4a4..2f379bd0778 100644
--- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
+++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
@@ -13,7 +13,6 @@ import org.apache.hc.core5.http.message.BasicHeader;
import org.apache.hc.core5.http2.config.H2Config;
import org.apache.hc.core5.net.URIBuilder;
import org.apache.hc.core5.reactor.IOReactorConfig;
-import org.apache.hc.core5.reactor.ssl.TlsDetails;
import org.apache.hc.core5.util.Timeout;
import javax.net.ssl.SSLContext;
@@ -33,6 +32,8 @@ import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;
import static java.util.Objects.requireNonNull;
+import static org.apache.hc.core5.http.ssl.TlsCiphers.excludeH2Blacklisted;
+import static org.apache.hc.core5.http.ssl.TlsCiphers.excludeWeak;
/**
* HTTP implementation of {@link FeedClient}
@@ -84,8 +85,14 @@ class HttpFeedClient implements FeedClient {
.setPushEnabled(false)
.build());
+ SSLContext sslContext = constructSslContext(builder);
+ String[] allowedCiphers = excludeH2Blacklisted(excludeWeak(sslContext.getSupportedSSLParameters().getCipherSuites()));
+ if (allowedCiphers.length == 0)
+ throw new IllegalStateException("No adequate SSL cipher suites supported by the JVM");
+
ClientTlsStrategyBuilder tlsStrategyBuilder = ClientTlsStrategyBuilder.create()
- .setSslContext(constructSslContext(builder));
+ .setCiphers(allowedCiphers)
+ .setSslContext(sslContext);
if (builder.hostnameVerifier != null) {
tlsStrategyBuilder.setHostnameVerifier(builder.hostnameVerifier);
}
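Review bot: The candidate list built on the `allowedCiphers` line starts from `sslContext.getSupportedSSLParameters().getCipherSuites()`, which includes suites the JVM does not enable by default, so the name-based `excludeWeak` filter becomes the only thing keeping those suites out of what the client offers. Starting from the default set instead keeps the JVM's own policy as the baseline and only narrows it further: `String[] allowedCiphers = excludeH2Blacklisted(excludeWeak(sslContext.getDefaultSSLParameters().getCipherSuites()));`. As far as I can tell httpcore5's `excludeWeak` matches by suite-name pattern and is not meant to replicate the JDK's `jdk.tls.disabledAlgorithms` constraints; those constraints should still apply at handshake time, but leaning on that is a weaker posture than not widening the set in the first place. It is also worth confirming that the order of the supported list matches the JVM's default preference order, since `setCiphers` is passed the array as-is. The enclosing constructor that declares `builder` starts before this hunk.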