diff options
16 files changed, 191 insertions, 47 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java index 4f4e21d9f25..a2611fe3f9d 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.proxy; +import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import com.yahoo.component.AbstractComponent; import com.yahoo.component.annotation.Inject; import com.yahoo.jdisc.http.HttpRequest.Method; @@ -69,9 +70,9 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C @Inject public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ControllerIdentityProvider identityProvider) { - this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)), - Sleeper.DEFAULT, - new ConnectionReuseStrategy(zoneRegistry)); + this(SslConnectionSocketFactory.of(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)), + Sleeper.DEFAULT, // Specify + new ConnectionReuseStrategy(zoneRegistry)); } ConfigServerRestExecutorImpl(SSLConnectionSocketFactory connectionSocketFactory, diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java index 4a208aa3794..6327a6262ba 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.restapi.systemflags; +import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import ai.vespa.util.http.hc4.retry.DelayedConnectionLevelRetryHandler; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; @@ -22,7 +23,6 @@ import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPut; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.client.utils.URIBuilder; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.entity.ContentType; import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.CloseableHttpClient; @@ -100,12 +100,11 @@ class FlagsClient { DelayedConnectionLevelRetryHandler retryHandler = DelayedConnectionLevelRetryHandler.Builder .withExponentialBackoff(Duration.ofSeconds(1), Duration.ofSeconds(20), 5) .build(); - SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory( - identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets)); return HttpClientBuilder.create() .setUserAgent("controller-flags-v1-client") - .setSSLSocketFactory(connectionSocketFactory) + .setSSLSocketFactory(SslConnectionSocketFactory.of( + identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets))) .setDefaultRequestConfig(RequestConfig.custom() .setConnectTimeout((int) Duration.ofSeconds(10).toMillis()) .setConnectionRequestTimeout((int) Duration.ofSeconds(10).toMillis()) diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java index 5214ded0904..210e32db4c3 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java @@ -2,18 +2,17 @@ package com.yahoo.vespa.hosted.controller.proxy; import ai.vespa.http.HttpURL.Path; +import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import com.github.tomakehurst.wiremock.junit5.WireMockExtension; import com.github.tomakehurst.wiremock.stubbing.Scenario; import com.yahoo.container.jdisc.HttpRequest; import com.yahoo.container.jdisc.HttpResponse; import com.yahoo.yolean.concurrent.Sleeper; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.protocol.HttpContext; import org.apache.http.protocol.HttpCoreContext; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.RegisterExtension; -import javax.net.ssl.SSLContext; import java.io.ByteArrayOutputStream; import java.net.URI; import java.util.HashMap; @@ -38,8 +37,7 @@ public class ConfigServerRestExecutorImplTest { @Test void proxy_with_retries() throws Exception { var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of("127.0.0.1")); - var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()), - Sleeper.NOOP, connectionReuseStrategy); + var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy); URI url = url(); String path = url.getPath(); @@ -63,9 +61,7 @@ public class ConfigServerRestExecutorImplTest { @Test void proxy_without_connection_reuse() throws Exception { var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of()); - var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()), - Sleeper.NOOP, connectionReuseStrategy); - + var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy); URI url = url(); String path = url.getPath(); stubRequests(path); diff --git a/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java b/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java new file mode 100644 index 00000000000..77d718bccb3 --- /dev/null +++ b/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java @@ -0,0 +1,21 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package ai.vespa.util.http; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLSession; + +/** + * @author bjorncs + */ +public class AcceptAllHostnamesVerifier implements HostnameVerifier { + + private static final AcceptAllHostnamesVerifier INSTANCE = new AcceptAllHostnamesVerifier(); + + public static AcceptAllHostnamesVerifier instance() { return INSTANCE; } + + private AcceptAllHostnamesVerifier() {} + + @Override public boolean verify(String hostname, SSLSession session) { return true; } + +} + diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java b/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java new file mode 100644 index 00000000000..16449a72524 --- /dev/null +++ b/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java @@ -0,0 +1,54 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package ai.vespa.util.http.hc4; + +import ai.vespa.util.http.AcceptAllHostnamesVerifier; +import com.yahoo.security.tls.TlsContext; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; +import java.util.Collection; + +import static com.yahoo.security.tls.TlsContext.getAllowedCipherSuites; +import static com.yahoo.security.tls.TlsContext.getAllowedProtocols; + +/** + * Provides {@link SSLConnectionSocketFactory} that applies protocol restrictions from {@link TlsContext}. + * + * @author bjorncs + */ +public class SslConnectionSocketFactory { + private SslConnectionSocketFactory() {} + + public static SSLConnectionSocketFactory of(SSLContext ctx, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory(ctx, protocols(ctx), cipherSuites(ctx), verifier); + } + + public static SSLConnectionSocketFactory of(SSLContext ctx) { return of(ctx, defaultVerifier()); } + + public static SSLConnectionSocketFactory of(TlsContext ctx, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory( + ctx.context(), ctx.parameters().getProtocols(), ctx.parameters().getCipherSuites(), verifier); + } + + public static SSLConnectionSocketFactory of(SSLSocketFactory fac, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory(fac, protocols(), cipherSuites(), verifier); + } + + public static SSLConnectionSocketFactory of() { + return new SSLConnectionSocketFactory(TlsContext.defaultSslContext(), protocols(), cipherSuites(), defaultVerifier()); + } + + public static SSLConnectionSocketFactory of(TlsContext ctx) { return of(ctx, defaultVerifier()); } + + public static HostnameVerifier defaultVerifier() { return SSLConnectionSocketFactory.getDefaultHostnameVerifier(); } + + public static HostnameVerifier noopVerifier() { return AcceptAllHostnamesVerifier.instance(); } + + private static String[] cipherSuites(SSLContext ctx) { return array(getAllowedCipherSuites(ctx)); } + private static String[] protocols(SSLContext ctx) { return array(getAllowedProtocols(ctx)); } + private static String[] cipherSuites() { return array(getAllowedCipherSuites()); } + private static String[] protocols() { return array(getAllowedProtocols()); } + private static String[] array(Collection<String> c) { return c.toArray(String[]::new); } +} diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java index 953abcb04bc..af01b123a27 100644 --- a/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java +++ b/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java @@ -29,6 +29,8 @@ import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger; +import static ai.vespa.util.http.hc4.SslConnectionSocketFactory.noopVerifier; + /** * Http client builder for internal Vespa communications over http/https. * @@ -101,9 +103,8 @@ public class VespaHttpClientBuilder { } } - private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext tlsContext) { - SSLParameters parameters = tlsContext.parameters(); - return new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), new NoopHostnameVerifier()); + private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext ctx) { + return SslConnectionSocketFactory.of(ctx, noopVerifier()); } private static Registry<ConnectionSocketFactory> createRegistry(SSLConnectionSocketFactory sslSocketFactory) { diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java index 8866d67fd60..8575bc16ee8 100644 --- a/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java +++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java @@ -1,19 +1,12 @@ package ai.vespa.util.http.hc5; -import org.apache.hc.client5.http.config.RequestConfig; import org.apache.hc.client5.http.impl.classic.HttpClientBuilder; -import org.apache.hc.client5.http.impl.classic.HttpClients; import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder; import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier; -import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder; -import org.apache.hc.core5.http.ContentType; -import org.apache.hc.core5.http.HttpHeaders; -import org.apache.hc.core5.util.Timeout; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import java.time.Duration; -import java.util.Map; import java.util.function.Supplier; /** @@ -34,14 +27,12 @@ public class DefaultHttpClientBuilder { /** Creates an HTTP client builder with the given SSL context, and using the provided timeouts for requests where config is not overridden. */ public static HttpClientBuilder create(Supplier<SSLContext> sslContext, HostnameVerifier verifier, String userAgent) { + SSLContext ctx = sslContext.get(); + var factory = ctx == null ? SslConnectionSocketFactory.of(verifier) : SslConnectionSocketFactory.of(ctx, verifier); return HttpClientBuilder.create() .setConnectionManager(PoolingHttpClientConnectionManagerBuilder .create() - .setSSLSocketFactory(SSLConnectionSocketFactoryBuilder - .create() - .setSslContext(sslContext.get()) - .setHostnameVerifier(verifier) - .build()) + .setSSLSocketFactory(factory) .build()) .setUserAgent(userAgent) .disableCookieManagement() diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java new file mode 100644 index 00000000000..7ba408c260b --- /dev/null +++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java @@ -0,0 +1,57 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package ai.vespa.util.http.hc5; + +import ai.vespa.util.http.AcceptAllHostnamesVerifier; +import com.yahoo.security.tls.TlsContext; +import org.apache.hc.client5.http.ssl.HttpsSupport; +import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; + +import java.util.Collection; + +import static com.yahoo.security.tls.TlsContext.getAllowedCipherSuites; +import static com.yahoo.security.tls.TlsContext.getAllowedProtocols; + +/** + * Provides {@link SSLConnectionSocketFactory} that applies protocol restrictions from {@link TlsContext}. + * + * @author bjorncs + */ +public class SslConnectionSocketFactory { + private SslConnectionSocketFactory() {} + + public static SSLConnectionSocketFactory of(SSLContext ctx, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory(ctx, protocols(ctx), cipherSuites(ctx), verifier); + } + + public static SSLConnectionSocketFactory of(SSLContext ctx) { return of(ctx, defaultVerifier()); } + + public static SSLConnectionSocketFactory of(TlsContext ctx, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory( + ctx.context(), ctx.parameters().getProtocols(), ctx.parameters().getCipherSuites(), verifier); + } + + public static SSLConnectionSocketFactory of(TlsContext ctx) { return of(ctx, defaultVerifier()); } + + public static SSLConnectionSocketFactory of(SSLSocketFactory fac, HostnameVerifier verifier) { + return new SSLConnectionSocketFactory(fac, protocols(), cipherSuites(), verifier); + } + + public static SSLConnectionSocketFactory of(HostnameVerifier verifier) { + return of(TlsContext.defaultSslContext(), verifier); + } + + public static HostnameVerifier defaultVerifier() { return HttpsSupport.getDefaultHostnameVerifier(); } + + public static HostnameVerifier noopVerifier() { return AcceptAllHostnamesVerifier.instance(); } + + private static String[] cipherSuites(SSLContext ctx) { return array(getAllowedCipherSuites(ctx)); } + private static String[] protocols(SSLContext ctx) { return array(getAllowedProtocols(ctx)); } + private static String[] cipherSuites() { return array(getAllowedCipherSuites()); } + private static String[] protocols() { return array(getAllowedProtocols()); } + private static String[] array(Collection<String> c) { return c.toArray(String[]::new); } + +} diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java index 52f7ad9b56b..a33c4c119c2 100644 --- a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java +++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java @@ -12,7 +12,6 @@ import org.apache.hc.core5.http.config.Registry; import org.apache.hc.core5.http.config.RegistryBuilder; import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLParameters; import static com.yahoo.security.tls.MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER; import static com.yahoo.security.tls.TransportSecurityUtils.getInsecureMixedMode; @@ -65,11 +64,7 @@ public class VespaHttpClientBuilder { private static void addSslSocketFactory(HttpClientBuilder builder, HttpClientConnectionManagerFactory connectionManagerFactory, HostnameVerifier hostnameVerifier) { getSystemTlsContext().ifPresent(tlsContext -> { - SSLParameters parameters = tlsContext.parameters(); - SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(tlsContext.context(), - parameters.getProtocols(), - parameters.getCipherSuites(), - hostnameVerifier); + SSLConnectionSocketFactory socketFactory = SslConnectionSocketFactory.of(tlsContext, hostnameVerifier); builder.setConnectionManager(connectionManagerFactory.create(createRegistry(socketFactory))); // Workaround that allows re-using https connections, see https://stackoverflow.com/a/42112034/1615280 for details. // Proper solution would be to add a request interceptor that adds a x500 principal as user token, diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java index 506ab842cff..61ee612e3de 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.configserver; +import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import com.yahoo.config.provision.HostName; @@ -85,7 +86,7 @@ public class ConfigServerApiImpl implements ConfigServerApi { private ConfigServerApiImpl(Collection<URI> configServers, HostnameVerifier verifier, ServiceIdentityProvider identityProvider) { - this(configServers, createClient(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(identityProvider), verifier))); + this(configServers, createClient(SslConnectionSocketFactory.of(new ServiceIdentitySslSocketFactory(identityProvider), verifier))); } private ConfigServerApiImpl(Collection<URI> configServers, CloseableHttpClient client) { @@ -94,7 +95,7 @@ public class ConfigServerApiImpl implements ConfigServerApi { } public static ConfigServerApiImpl createForTesting(List<URI> configServerHosts) { - return new ConfigServerApiImpl(configServerHosts, createClient(SSLConnectionSocketFactory.getSocketFactory())); + return new ConfigServerApiImpl(configServerHosts, createClient(SslConnectionSocketFactory.of())); } static ConfigServerApiImpl createForTestingWithClient(List<URI> configServerHosts, diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java index d91c47e5eed..9b26b79a960 100644 --- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java @@ -1,6 +1,8 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; +import com.yahoo.security.tls.TlsContext; + import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; @@ -129,7 +131,7 @@ public class SslContextBuilder { public SSLContext build() { try { - SSLContext sslContext = SSLContext.getInstance("TLS"); + SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION); X509ExtendedTrustManager trustManager = this.trustManager != null ? this.trustManager : trustManagerFactory.createTrustManager(trustStoreSupplier.get()); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index b222c8664cc..8e146f36907 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -4,6 +4,8 @@ package com.yahoo.security.tls; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLParameters; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Collections; import java.util.HashSet; @@ -39,7 +41,12 @@ public interface TlsContext extends AutoCloseable { // TODO Enable TLSv1.3 after upgrading to JDK 17 Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2"); - String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions + + /** + * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS} + * @see SSLContext#getInstance(String) + */ + String SSL_CONTEXT_VERSION = "TLSv1.2"; /** * @return the allowed cipher suites supported by the provided context instance @@ -58,6 +65,8 @@ public interface TlsContext extends AutoCloseable { return enabledCiphers; } + static Set<String> getAllowedCipherSuites() { return getAllowedCipherSuites(defaultSslContext()); } + /** * @return the allowed protocols supported by the provided context instance */ @@ -74,6 +83,18 @@ public interface TlsContext extends AutoCloseable { return enabledProtocols; } + static Set<String> getAllowedProtocols() { return getAllowedProtocols(defaultSslContext()); } + + /** @return Default {@link SSLContext} instance without certificate and using JDK's default trust store */ + static SSLContext defaultSslContext() { + try { + var ctx = SSLContext.getInstance(SSL_CONTEXT_VERSION); + ctx.init(null, null, null); + return ctx; + } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e); + } catch (KeyManagementException e) { throw new IllegalStateException(e); } + } + SSLContext context(); SSLParameters parameters(); diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml index f1e6738bdb9..8a649154960 100644 --- a/vespa-athenz/pom.xml +++ b/vespa-athenz/pom.xml @@ -121,6 +121,12 @@ </exclusion> </exclusions> </dependency> + <dependency> + <groupId>com.yahoo.vespa</groupId> + <artifactId>http-utils</artifactId> + <version>${project.version}</version> + <scope>compile</scope> + </dependency> <dependency> <!-- needed by auth-core --> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt-impl</artifactId> diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java index a49ea166f2d..f9b422774b4 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.client.common; +import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonMappingException; import com.fasterxml.jackson.databind.ObjectMapper; @@ -12,7 +13,6 @@ import org.apache.http.HttpResponse; import org.apache.http.client.ResponseHandler; import org.apache.http.client.config.RequestConfig; import org.apache.http.client.methods.HttpUriRequest; -import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.entity.ContentType; import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.CloseableHttpClient; @@ -103,7 +103,7 @@ public abstract class ClientBase implements AutoCloseable { return HttpClientBuilder.create() .setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true)) .setUserAgent(userAgent) - .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier)) + .setSSLSocketFactory(SslConnectionSocketFactory.of(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier)) .setMaxConnPerRoute(8) .setDefaultRequestConfig(RequestConfig.custom() .setConnectTimeout((int) Duration.ofSeconds(10).toMillis()) diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java index 2ca4577abe6..1855b657a75 100644 --- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java +++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java @@ -85,7 +85,7 @@ class SslContextBuilder { } else if (hasCaCertificateInstance()) { addCaCertificates(keystore, caCertificates); } - SSLContext sslContext = SSLContext.getInstance("TLS"); + SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); // Protocol version must match TlsContext.SSL_CONTEXT_VERSION sslContext.init( createKeyManagers(keystore).orElse(null), createTrustManagers(keystore).orElse(null), diff --git a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java index f7c1b4d2b03..95952d37c3c 100644 --- a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java +++ b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java @@ -30,7 +30,6 @@ import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Date; -import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import static org.junit.jupiter.api.Assertions.assertEquals; /** @@ -58,13 +57,13 @@ class SslContextBuilderTest { .withCaCertificates(certificateFile) .withCertificateAndKey(certificateFile, privateKeyFile) .build()); - assertEquals("TLS", sslContext.getProtocol()); + assertEquals("TLSv1.2", sslContext.getProtocol()); } @Test void successfully_constructs_sslcontext_when_no_builder_parameter_given() { SSLContext sslContext = Assertions.assertDoesNotThrow(() -> new SslContextBuilder().build()); - assertEquals("TLS", sslContext.getProtocol()); + assertEquals("TLSv1.2", sslContext.getProtocol()); } @Test @@ -73,7 +72,7 @@ class SslContextBuilderTest { new SslContextBuilder() .withCertificateAndKey(certificateFile, privateKeyFile) .build()); - assertEquals("TLS", sslContext.getProtocol()); + assertEquals("TLSv1.2", sslContext.getProtocol()); } @Test @@ -82,7 +81,7 @@ class SslContextBuilderTest { new SslContextBuilder() .withCaCertificates(certificateFile) .build()); - assertEquals("TLS", sslContext.getProtocol()); + assertEquals("TLSv1.2", sslContext.getProtocol()); } private static void writePem(Path file, String type, byte[] asn1DerEncodedObject) throws IOException { |