16 files changed, 47 insertions, 191 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index a2611fe3f9d..4f4e21d9f25 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.proxy;
 
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.component.annotation.Inject;
 import com.yahoo.jdisc.http.HttpRequest.Method;
@@ -70,9 +69,9 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 
 @Inject
 public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ControllerIdentityProvider identityProvider) {
- this(SslConnectionSocketFactory.of(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
- Sleeper.DEFAULT, // Specify
- new ConnectionReuseStrategy(zoneRegistry));
+ this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
+ Sleeper.DEFAULT,
+ new ConnectionReuseStrategy(zoneRegistry));
 }
 
 ConfigServerRestExecutorImpl(SSLConnectionSocketFactory connectionSocketFactory,
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
index 6327a6262ba..4a208aa3794 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java 
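Review bot: The new `this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)), ...)` call uses the two-argument hc4 constructor, which passes no protocol or cipher-suite lists, so the client negotiates whatever the wrapped `SSLSocketFactory` enables by default; the removed `SslConnectionSocketFactory.of(SSLSocketFactory, HostnameVerifier)` (its body is in the deleted hc4 helper further down) passed `getAllowedProtocols()`/`getAllowedCipherSuites()` from `TlsContext`. Unless `getConfigServerSslSocketFactory()` already applies those restrictions, which is not visible here, this widens what the controller will negotiate with config servers. The same substitution appears in FlagsClient, ConfigServerApiImpl and ClientBase. Either note at the call site that the defaults of the identity provider's socket factory are intended, e.g. `// TLS versions/cipher suites are those enabled by the identity provider's socket factory`, or thread an `SSLContext` through so `TlsContext.getAllowedProtocols(ctx)`/`getAllowedCipherSuites(ctx)`, which this commit keeps, can be given to the four-argument constructor.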
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java @@ -1,7 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.controller.restapi.systemflags; -import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import ai.vespa.util.http.hc4.retry.DelayedConnectionLevelRetryHandler; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; @@ -23,6 +22,7 @@ import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPut; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.client.utils.URIBuilder; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.entity.ContentType; import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.CloseableHttpClient; @@ -100,11 +100,12 @@ class FlagsClient { DelayedConnectionLevelRetryHandler retryHandler = DelayedConnectionLevelRetryHandler.Builder .withExponentialBackoff(Duration.ofSeconds(1), Duration.ofSeconds(20), 5) .build(); + SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory( + identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets)); return HttpClientBuilder.create() .setUserAgent("controller-flags-v1-client") - .setSSLSocketFactory(SslConnectionSocketFactory.of( - identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets))) + .setSSLSocketFactory(connectionSocketFactory) .setDefaultRequestConfig(RequestConfig.custom() .setConnectTimeout((int) Duration.ofSeconds(10).toMillis()) .setConnectionRequestTimeout((int) Duration.ofSeconds(10).toMillis()) 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
index 210e32db4c3..5214ded0904 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
@@ -2,17 +2,18 @@
 package com.yahoo.vespa.hosted.controller.proxy;
 
 import ai.vespa.http.HttpURL.Path;
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import com.github.tomakehurst.wiremock.stubbing.Scenario;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.yolean.concurrent.Sleeper;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.protocol.HttpCoreContext;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
 
+import javax.net.ssl.SSLContext;
 import java.io.ByteArrayOutputStream;
 import java.net.URI;
 import java.util.HashMap;
@@ -37,7 +38,8 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_with_retries() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of("127.0.0.1"));
- var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
+ Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
 String path = url.getPath();
 
@@ -61,7 +63,9 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_without_connection_reuse() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of());
- var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
+ Sleeper.NOOP, connectionReuseStrategy);
+
 URI url = url();
 String path = url.getPath();
 stubRequests(path);
diff --git a/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java b/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java
deleted file mode 100644
index 77d718bccb3..00000000000
--- a/http-utils/src/main/java/ai/vespa/util/http/AcceptAllHostnamesVerifier.java
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package ai.vespa.util.http;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLSession;
-
-/**
- * @author bjorncs
- */
-public class AcceptAllHostnamesVerifier implements HostnameVerifier {
-
- private static final AcceptAllHostnamesVerifier INSTANCE = new AcceptAllHostnamesVerifier();
-
- public static AcceptAllHostnamesVerifier instance() { return INSTANCE; }
-
- private AcceptAllHostnamesVerifier() {}
-
- @Override public boolean verify(String hostname, SSLSession session) { return true; }
-
-}
-
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java b/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java
deleted file mode 100644
index 16449a72524..00000000000
--- a/http-utils/src/main/java/ai/vespa/util/http/hc4/SslConnectionSocketFactory.java
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package ai.vespa.util.http.hc4;
-
-import ai.vespa.util.http.AcceptAllHostnamesVerifier;
-import com.yahoo.security.tls.TlsContext;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-import java.util.Collection;
-
-import static com.yahoo.security.tls.TlsContext.getAllowedCipherSuites;
-import static com.yahoo.security.tls.TlsContext.getAllowedProtocols;
-
-/**
- * Provides {@link SSLConnectionSocketFactory} that applies protocol restrictions from {@link TlsContext}.
- *
- * @author bjorncs
- */
-public class SslConnectionSocketFactory {
- private SslConnectionSocketFactory() {}
-
- public static SSLConnectionSocketFactory of(SSLContext ctx, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(ctx, protocols(ctx), cipherSuites(ctx), verifier);
- }
-
- public static SSLConnectionSocketFactory of(SSLContext ctx) { return of(ctx, defaultVerifier()); }
-
- public static SSLConnectionSocketFactory of(TlsContext ctx, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(
- ctx.context(), ctx.parameters().getProtocols(), ctx.parameters().getCipherSuites(), verifier);
- }
-
- public static SSLConnectionSocketFactory of(SSLSocketFactory fac, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(fac, protocols(), cipherSuites(), verifier);
- }
-
- public static SSLConnectionSocketFactory of() {
- return new SSLConnectionSocketFactory(TlsContext.defaultSslContext(), protocols(), cipherSuites(), defaultVerifier());
- }
-
- public static SSLConnectionSocketFactory of(TlsContext ctx) { return of(ctx, defaultVerifier()); }
-
- public static HostnameVerifier defaultVerifier() { return SSLConnectionSocketFactory.getDefaultHostnameVerifier(); }
-
- public static HostnameVerifier 
noopVerifier() { return AcceptAllHostnamesVerifier.instance(); }
-
- private static String[] cipherSuites(SSLContext ctx) { return array(getAllowedCipherSuites(ctx)); }
- private static String[] protocols(SSLContext ctx) { return array(getAllowedProtocols(ctx)); }
- private static String[] cipherSuites() { return array(getAllowedCipherSuites()); }
- private static String[] protocols() { return array(getAllowedProtocols()); }
- private static String[] array(Collection<String> c) { return c.toArray(String[]::new); }
-}
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java
index af01b123a27..953abcb04bc 100644
--- a/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java
+++ b/http-utils/src/main/java/ai/vespa/util/http/hc4/VespaHttpClientBuilder.java
@@ -29,8 +29,6 @@ import java.net.InetAddress;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
-import static ai.vespa.util.http.hc4.SslConnectionSocketFactory.noopVerifier;
-
 /**
 * Http client builder for internal Vespa communications over http/https.
 *
@@ -103,8 +101,9 @@ public class VespaHttpClientBuilder {
 }
 }
 
- private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext ctx) {
- return SslConnectionSocketFactory.of(ctx, noopVerifier());
+ private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext tlsContext) {
+ SSLParameters parameters = tlsContext.parameters();
+ return new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), new NoopHostnameVerifier());
 }
 
 private static Registry<ConnectionSocketFactory> createRegistry(SSLConnectionSocketFactory sslSocketFactory) {
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java
index 8575bc16ee8..8866d67fd60 100644
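Review bot: `new NoopHostnameVerifier()` in `createSslSocketFactory` disables hostname verification for every client built here, as the removed `noopVerifier()` did; hc4 ships the shared `NoopHostnameVerifier.INSTANCE`, which avoids allocating one per factory. Since the helper name no longer spells out the intent, a why-comment on the return line would help the next reader, e.g. `// hostname verification is intentionally disabled for internal Vespa communication (see class Javadoc)`. The protocol and cipher-suite lists from `tlsContext.parameters()` are still passed explicitly here, so this site keeps the TlsContext restrictions.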
--- a/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java
+++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/DefaultHttpClientBuilder.java
@@ -1,12 +1,19 @@
 package ai.vespa.util.http.hc5;
 
+import org.apache.hc.client5.http.config.RequestConfig;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.HttpHeaders;
+import org.apache.hc.core5.util.Timeout;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import java.time.Duration;
+import java.util.Map;
 import java.util.function.Supplier;
 
 /**
@@ -27,12 +34,14 @@ public class DefaultHttpClientBuilder {
 
 /** Creates an HTTP client builder with the given SSL context, and using the provided timeouts for requests where config is not overridden. */
 public static HttpClientBuilder create(Supplier<SSLContext> sslContext, HostnameVerifier verifier, String userAgent) {
- SSLContext ctx = sslContext.get();
- var factory = ctx == null ? SslConnectionSocketFactory.of(verifier) : SslConnectionSocketFactory.of(ctx, verifier);
 return HttpClientBuilder.create()
 .setConnectionManager(PoolingHttpClientConnectionManagerBuilder
 .create()
- .setSSLSocketFactory(factory)
+ .setSSLSocketFactory(SSLConnectionSocketFactoryBuilder
+ .create()
+ .setSslContext(sslContext.get())
+ .setHostnameVerifier(verifier)
+ .build())
 .build())
 .setUserAgent(userAgent)
 .disableCookieManagement()
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java
deleted file mode 100644
index 7ba408c260b..00000000000
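Review bot: `SSLConnectionSocketFactoryBuilder.create().setSslContext(sslContext.get()).setHostnameVerifier(verifier)` sets no TLS versions or cipher suites, whereas the removed `SslConnectionSocketFactory.of(ctx, verifier)` passed `getAllowedProtocols(ctx)`/`getAllowedCipherSuites(ctx)` from `TlsContext` (see the deleted hc5 helper below), so clients built by `create` now negotiate with the JDK defaults of the supplied context. If that restriction is still wanted, the builder's `.setTlsVersions(...)` and `.setCiphers(...)` accept the same arrays. The removed code also handled `sslContext.get()` returning null by building a default context; the new code hands the null straight to `setSslContext`, which presumably falls back to a default context in `build()` — confirm that, and state the null contract of the supplier in the method's Javadoc. The added imports `RequestConfig`, `HttpClients`, `ContentType`, `HttpHeaders`, `Timeout` and `Map` are unused in these hunks; if nothing outside them uses them either, they should be dropped.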
--- a/http-utils/src/main/java/ai/vespa/util/http/hc5/SslConnectionSocketFactory.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package ai.vespa.util.http.hc5;
-
-import ai.vespa.util.http.AcceptAllHostnamesVerifier;
-import com.yahoo.security.tls.TlsContext;
-import org.apache.hc.client5.http.ssl.HttpsSupport;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocketFactory;
-
-import java.util.Collection;
-
-import static com.yahoo.security.tls.TlsContext.getAllowedCipherSuites;
-import static com.yahoo.security.tls.TlsContext.getAllowedProtocols;
-
-/**
- * Provides {@link SSLConnectionSocketFactory} that applies protocol restrictions from {@link TlsContext}.
- *
- * @author bjorncs
- */
-public class SslConnectionSocketFactory {
- private SslConnectionSocketFactory() {}
-
- public static SSLConnectionSocketFactory of(SSLContext ctx, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(ctx, protocols(ctx), cipherSuites(ctx), verifier);
- }
-
- public static SSLConnectionSocketFactory of(SSLContext ctx) { return of(ctx, defaultVerifier()); }
-
- public static SSLConnectionSocketFactory of(TlsContext ctx, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(
- ctx.context(), ctx.parameters().getProtocols(), ctx.parameters().getCipherSuites(), verifier);
- }
-
- public static SSLConnectionSocketFactory of(TlsContext ctx) { return of(ctx, defaultVerifier()); }
-
- public static SSLConnectionSocketFactory of(SSLSocketFactory fac, HostnameVerifier verifier) {
- return new SSLConnectionSocketFactory(fac, protocols(), cipherSuites(), verifier);
- }
-
- public static SSLConnectionSocketFactory of(HostnameVerifier verifier) {
- return of(TlsContext.defaultSslContext(), verifier);
- }
-
- public static HostnameVerifier defaultVerifier() { return HttpsSupport.getDefaultHostnameVerifier(); }
-
- public static HostnameVerifier 
noopVerifier() { return AcceptAllHostnamesVerifier.instance(); }
-
- private static String[] cipherSuites(SSLContext ctx) { return array(getAllowedCipherSuites(ctx)); }
- private static String[] protocols(SSLContext ctx) { return array(getAllowedProtocols(ctx)); }
- private static String[] cipherSuites() { return array(getAllowedCipherSuites()); }
- private static String[] protocols() { return array(getAllowedProtocols()); }
- private static String[] array(Collection<String> c) { return c.toArray(String[]::new); }
-
-}
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
index a33c4c119c2..52f7ad9b56b 100644
--- a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
+++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
@@ -12,6 +12,7 @@ import org.apache.hc.core5.http.config.Registry;
 import org.apache.hc.core5.http.config.RegistryBuilder;
 
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLParameters;
 
 import static com.yahoo.security.tls.MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER;
 import static com.yahoo.security.tls.TransportSecurityUtils.getInsecureMixedMode;
@@ -64,7 +65,11 @@ public class VespaHttpClientBuilder { private static void addSslSocketFactory(HttpClientBuilder builder, HttpClientConnectionManagerFactory connectionManagerFactory, HostnameVerifier hostnameVerifier) { getSystemTlsContext().ifPresent(tlsContext -> { - SSLConnectionSocketFactory socketFactory = SslConnectionSocketFactory.of(tlsContext, hostnameVerifier); + SSLParameters parameters = tlsContext.parameters(); + SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(tlsContext.context(), + parameters.getProtocols(), + parameters.getCipherSuites(), + hostnameVerifier); builder.setConnectionManager(connectionManagerFactory.create(createRegistry(socketFactory))); // Workaround that allows re-using https connections, see https://stackoverflow.com/a/42112034/1615280 for details. // Proper solution would be to add a request interceptor that adds a x500 principal as user token, diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java index 61ee612e3de..506ab842cff 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/ConfigServerApiImpl.java @@ -1,7 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.configserver; -import ai.vespa.util.http.hc4.SslConnectionSocketFactory; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import com.yahoo.config.provision.HostName; 
@@ -86,7 +85,7 @@ public class ConfigServerApiImpl implements ConfigServerApi { private ConfigServerApiImpl(Collection<URI> configServers, HostnameVerifier verifier, ServiceIdentityProvider identityProvider) { - this(configServers, createClient(SslConnectionSocketFactory.of(new ServiceIdentitySslSocketFactory(identityProvider), verifier))); + this(configServers, createClient(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(identityProvider), verifier))); } private ConfigServerApiImpl(Collection<URI> configServers, CloseableHttpClient client) { @@ -95,7 +94,7 @@ public class ConfigServerApiImpl implements ConfigServerApi { } public static ConfigServerApiImpl createForTesting(List<URI> configServerHosts) { - return new ConfigServerApiImpl(configServerHosts, createClient(SslConnectionSocketFactory.of())); + return new ConfigServerApiImpl(configServerHosts, createClient(SSLConnectionSocketFactory.getSocketFactory())); } static ConfigServerApiImpl createForTestingWithClient(List<URI> configServerHosts, diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java index 9b26b79a960..d91c47e5eed 100644 --- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java @@ -1,8 +1,6 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; -import com.yahoo.security.tls.TlsContext; - import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; 
@@ -131,7 +129,7 @@ public class SslContextBuilder {
 
 public SSLContext build() {
 try {
- SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
+ SSLContext sslContext = SSLContext.getInstance("TLS");
 X509ExtendedTrustManager trustManager = this.trustManager != null
 ? this.trustManager
 : trustManagerFactory.createTrustManager(trustStoreSupplier.get());
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 8e146f36907..b222c8664cc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -4,8 +4,6 @@ package com.yahoo.security.tls;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
@@ -41,12 +39,7 @@ public interface TlsContext extends AutoCloseable {
 
 // TODO Enable TLSv1.3 after upgrading to JDK 17
 Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
-
- /**
- * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
- * @see SSLContext#getInstance(String)
- */
- String SSL_CONTEXT_VERSION = "TLSv1.2";
+ String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
 
 /**
 * @return the allowed cipher suites supported by the provided context instance
@@ -65,8 +58,6 @@ public interface TlsContext extends AutoCloseable {
 
 return enabledCiphers;
 }
 
- static Set<String> getAllowedCipherSuites() { return getAllowedCipherSuites(defaultSslContext()); }
-
 /**
 * @return the allowed protocols supported by the provided context instance
 */
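Review bot: The Javadoc on `SSL_CONTEXT_VERSION` is replaced by a trailing comment with a grammar slip (`supports` → `support`), and the new value `"TLS"` no longer equals the single entry of `ALLOWED_PROTOCOLS` (`TLSv1.2`), which is exactly the relationship the removed Javadoc explained. Suggest a Javadoc in its place saying that this is the name passed to `SSLContext.getInstance`, that `"TLS"` lets the context implement every TLS version, and that the versions actually enabled on sockets are presumably limited to `ALLOWED_PROTOCOLS` through `parameters()` — confirm that last point against the implementation before writing it. `SslContextBuilder.build()` in the hunk above and the feed client's `SslContextBuilder` further down now hard-code the literal `"TLS"` instead of referencing the constant, and the feed client's `// Protocol version must match TlsContext.SSL_CONTEXT_VERSION` reminder is dropped although the coupling still exists; keep a comment at both sites, e.g. `SSLContext sslContext = SSLContext.getInstance("TLS"); // must match TlsContext.SSL_CONTEXT_VERSION`.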
@@ -83,18 +74,6 @@ public interface TlsContext extends AutoCloseable {
 return enabledProtocols;
 }
 
- static Set<String> getAllowedProtocols() { return getAllowedProtocols(defaultSslContext()); }
-
- /** @return Default {@link SSLContext} instance without certificate and using JDK's default trust store */
- static SSLContext defaultSslContext() {
- try {
- var ctx = SSLContext.getInstance(SSL_CONTEXT_VERSION);
- ctx.init(null, null, null);
- return ctx;
- } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e);
- } catch (KeyManagementException e) { throw new IllegalStateException(e); }
- }
-
 SSLContext context();
 
 SSLParameters parameters();
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 8a649154960..f1e6738bdb9 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -121,12 +121,6 @@
 </exclusion>
 </exclusions>
 </dependency>
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>http-utils</artifactId>
- <version>${project.version}</version>
- <scope>compile</scope>
- </dependency>
 <dependency> <!-- needed by auth-core -->
 <groupId>io.jsonwebtoken</groupId>
 <artifactId>jjwt-impl</artifactId>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
index f9b422774b4..a49ea166f2d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.common;
 
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -13,6 +12,7 @@ import org.apache.http.HttpResponse;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -103,7 +103,7 @@ public abstract class ClientBase implements AutoCloseable {
 return HttpClientBuilder.create()
 .setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true))
 .setUserAgent(userAgent)
- .setSSLSocketFactory(SslConnectionSocketFactory.of(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier))
+ .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier))
 .setMaxConnPerRoute(8)
 .setDefaultRequestConfig(RequestConfig.custom()
 .setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
index 1855b657a75..2ca4577abe6 100644
--- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
+++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
@@ -85,7 +85,7 @@ class SslContextBuilder {
 } else if (hasCaCertificateInstance()) {
 addCaCertificates(keystore, caCertificates);
 }
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); // Protocol version must match TlsContext.SSL_CONTEXT_VERSION
+ SSLContext sslContext = SSLContext.getInstance("TLS");
 sslContext.init(
 createKeyManagers(keystore).orElse(null),
 createTrustManagers(keystore).orElse(null),
diff --git a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
index 95952d37c3c..f7c1b4d2b03 100644
--- a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
+++ b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
@@ -30,6 +30,7 @@ import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Date;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
@@ -57,13 +58,13 @@ class SslContextBuilderTest {
 .withCaCertificates(certificateFile)
 .withCertificateAndKey(certificateFile, privateKeyFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLS", sslContext.getProtocol());
 }
 
 @Test
 void successfully_constructs_sslcontext_when_no_builder_parameter_given() {
 SSLContext sslContext = Assertions.assertDoesNotThrow(() -> new SslContextBuilder().build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLS", sslContext.getProtocol());
 }
 
 @Test
@@ -72,7 +73,7 @@ class SslContextBuilderTest {
 new SslContextBuilder()
 .withCertificateAndKey(certificateFile, privateKeyFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLS", sslContext.getProtocol());
 }
 
 @Test
@@ -81,7 +82,7 @@ class SslContextBuilderTest {
 new SslContextBuilder()
 .withCaCertificates(certificateFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLS", sslContext.getProtocol());
 }
 
 private static void writePem(Path file, String type, byte[] asn1DerEncodedObject) throws IOException {
|
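Review bot: The added `import static org.junit.jupiter.api.Assertions.assertDoesNotThrow` is not used by any line in these hunks, which still call the qualified `Assertions.assertDoesNotThrow(...)`; if the rest of the file does not use the static form either, drop the import or switch the visible calls to the unqualified `assertDoesNotThrow(...)` so the file uses one style. The four `assertEquals("TLS", sslContext.getProtocol())` assertions now only pin the name handed to `SSLContext.getInstance`; if the intent is to guard which protocol versions the built context actually enables, an assertion on `sslContext.getDefaultSSLParameters().getProtocols()` would express that more directly.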