Diffstat (limited to 'jrt')
-rw-r--r-- | jrt/src/com/yahoo/jrt/TlsCryptoEngine.java | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
index b3daf5c296d..25a154be107 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoEngine.java
@@ -2,17 +2,15 @@
 package com.yahoo.jrt;
 
 import com.yahoo.security.SslContextBuilder;
-import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.tls.TransportSecurityOptions;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.nio.channels.SocketChannel;
-import java.nio.file.Files;
-import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.logging.Logger;
 
 /**
  * A {@link CryptoSocket} that creates {@link TlsCryptoSocket} instances.
@@ -21,21 +19,33 @@ import java.util.List;
  */
 public class TlsCryptoEngine implements CryptoEngine {
 
+    private static final Logger log = Logger.getLogger(TlsCryptoEngine.class.getName());
+
     private final SSLContext sslContext;
+    private final List<String> acceptedCiphers;
 
     public TlsCryptoEngine(SSLContext sslContext) {
+        this(sslContext, Collections.emptyList());
+    }
+
+    public TlsCryptoEngine(SSLContext sslContext, List<String> acceptedCiphers) {
         this.sslContext = sslContext;
+        this.acceptedCiphers = acceptedCiphers;
     }
 
     public TlsCryptoEngine(TransportSecurityOptions options) {
-        this(createSslContext(options));
+        this(createSslContext(options), options.getAcceptedCiphers());
     }
 
     @Override
     public TlsCryptoSocket createCryptoSocket(SocketChannel channel, boolean isServer) {
         SSLEngine sslEngine = sslContext.createSSLEngine();
+        log.fine(() -> String.format("Supported ciphers: %s", Arrays.toString(sslEngine.getSupportedCipherSuites())));
         sslEngine.setNeedClientAuth(true);
         sslEngine.setUseClientMode(!isServer);
+        if (!acceptedCiphers.isEmpty()) {
+            sslEngine.setEnabledCipherSuites(acceptedCiphers.toArray(new String[0]));
+        }
         return new TlsCryptoSocket(channel, sslEngine);
     }
 
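Review bot: The two-argument constructor stores the caller's `acceptedCiphers` list as-is, so a null list only fails later in createCryptoSocket with a NullPointerException on the first connection, and a caller that keeps a reference to the list can change the enabled cipher set after the engine is built. Validating and snapshotting at construction, `this.sslContext = Objects.requireNonNull(sslContext, "sslContext");` and `this.acceptedCiphers = Collections.unmodifiableList(new ArrayList<>(acceptedCiphers));` (with `java.util.ArrayList` and `java.util.Objects` imported in the first hunk), keeps the cipher allow-list fixed for the engine's lifetime. Likewise, a configured name that the context does not support makes `setEnabledCipherSuites` throw IllegalArgumentException on every connection attempt rather than once at startup; checking the configured names against `sslContext.getSupportedSSLParameters().getCipherSuites()` in the constructor would surface the misconfiguration early. A short comment on the `isEmpty()` guard, `// empty list means the JDK default suites stay enabled; no restriction is applied`, would make that fallback explicit for whoever reviews what options.getAcceptedCiphers() returns.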