author | Jon Marius Venstad <venstad@gmail.com> | 2021-05-31 14:03:36 +0200 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2021-05-31 14:03:36 +0200 |
commit | 9d19abe4f78e8139517588aba4ee827d5e0e8227 (patch) | |
tree | 7423c0503fa470ba5ca3c18b80083722d2b0a865 /vespa-feed-client | |
parent | ecdbd088a11be55692baa8ba072648ad651c0d45 (diff) |
Ensure proper cipher suite for HTTP/2 client
Diffstat (limited to 'vespa-feed-client')
-rw-r--r-- | vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
index 680f080f4a4..2f379bd0778 100644
--- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
+++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/HttpFeedClient.java
@@ -13,7 +13,6 @@ import org.apache.hc.core5.http.message.BasicHeader;
 import org.apache.hc.core5.http2.config.H2Config;
 import org.apache.hc.core5.net.URIBuilder;
 import org.apache.hc.core5.reactor.IOReactorConfig;
-import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.util.Timeout;
 
 import javax.net.ssl.SSLContext;
@@ -33,6 +32,8 @@ import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Supplier;
 
 import static java.util.Objects.requireNonNull;
+import static org.apache.hc.core5.http.ssl.TlsCiphers.excludeH2Blacklisted;
+import static org.apache.hc.core5.http.ssl.TlsCiphers.excludeWeak;
 
 /**
  * HTTP implementation of {@link FeedClient}
@@ -84,8 +85,14 @@ class HttpFeedClient implements FeedClient {
                 .setPushEnabled(false)
                 .build());
 
+        SSLContext sslContext = constructSslContext(builder);
+        String[] allowedCiphers = excludeH2Blacklisted(excludeWeak(sslContext.getSupportedSSLParameters().getCipherSuites()));
+        if (allowedCiphers.length == 0)
+            throw new IllegalStateException("No adequate SSL cipher suites supported by the JVM");
+
         ClientTlsStrategyBuilder tlsStrategyBuilder = ClientTlsStrategyBuilder.create()
-                .setSslContext(constructSslContext(builder));
+                .setCiphers(allowedCiphers)
+                .setSslContext(sslContext);
         if (builder.hostnameVerifier != null) {
             tlsStrategyBuilder.setHostnameVerifier(builder.hostnameVerifier);
         }
 |
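Review bot: The explicit cipher list in the third hunk is built from `sslContext.getSupportedSSLParameters()`, which is the full set the provider implements rather than the set the JVM enables by default, so after `setCiphers(allowedCiphers)` the enabled suites are whatever the `excludeWeak`/`excludeH2Blacklisted` name filters let through instead of the JVM's default policy and preference order. `excludeWeak` appears to match on suite-name patterns, so any supported-but-not-default suite whose name it does not recognise would now be offered in the ClientHello; deriving the baseline from the default parameters keeps the JVM's policy as the floor while still removing the HTTP/2-blacklisted suites, i.e. `String[] allowedCiphers = excludeH2Blacklisted(excludeWeak(sslContext.getDefaultSSLParameters().getCipherSuites()));`. The empty-list guard and the `IllegalStateException` are good; a one-line comment above the filter such as `// HTTP/2 (RFC 7540 Appendix A) forbids several suites the JVM may offer; filter them before the TLS strategy is built` would record why the list is computed at all. The enclosing constructor starts and ends outside the hunk, and `constructSslContext` is not shown, so whether it already constrains suites cannot be told from here.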