Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index d2a42d21973..250596628ee 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -10,6 +10,7 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
@@ -40,14 +41,14 @@ public class DefaultTlsContext implements TlsContext {
     }
 
     public DefaultTlsContext(SSLContext sslContext, PeerAuthentication peerAuthentication) {
-        this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, peerAuthentication);
+        this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication);
     }
 
-    DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, PeerAuthentication peerAuthentication) {
+    DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, PeerAuthentication peerAuthentication) {
         this.sslContext = sslContext;
         this.peerAuthentication = peerAuthentication;
         this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers);
-        this.validProtocols = getAllowedProtocols(sslContext);
+        this.validProtocols = getAllowedProtocols(sslContext, acceptedProtocols);
     }
 
     private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
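Review bot: The package-private constructor now takes two adjacent `Set<String>` parameters, `acceptedCiphers` and `acceptedProtocols`, so a caller that swaps them compiles fine and only fails (or, worse, silently narrows the wrong list) at runtime; at minimum the constructor should reject null sets up front, e.g. `this.validProtocols = getAllowedProtocols(sslContext, Objects.requireNonNull(acceptedProtocols, "acceptedProtocols"));` (and the same for `acceptedCiphers`), since `acceptedProtocols::contains` in the helper would otherwise throw an uninformative NullPointerException. A short Javadoc on this constructor stating that both sets are policy allow-lists intersected with what the `SSLContext` supports would make the parameter order self-explanatory. `java.util.Objects` is not among the imports visible in this hunk, so it may need adding. The enclosing class continues outside the hunk, and the body of `getAllowedCiphers` is not shown here.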
@@ -64,10 +65,18 @@ public class DefaultTlsContext implements TlsContext {
         return allowedCiphers;
     }
 
-    private static String[] getAllowedProtocols(SSLContext sslContext) {
-        Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext);
-        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", com.yahoo.vespa.jdk8compat.List.of(allowedProtocols)));
-        return com.yahoo.vespa.jdk8compat.Collection.toArray(allowedProtocols, String[]::new);
+    private static String[] getAllowedProtocols(SSLContext sslContext, Set<String> acceptedProtocols) {
+        Set<String> supportedProtocols = TlsContext.getAllowedProtocols(sslContext);
+        String[] allowedProtocols = supportedProtocols.stream()
+                .filter(acceptedProtocols::contains)
+                .toArray(String[]::new);
+        if (allowedProtocols.length == 0) {
+            throw new IllegalStateException(
+                    String.format("None of the accepted protocols are supported (supported=%s, accepted=%s)",
+                            supportedProtocols, acceptedProtocols));
+        }
+        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(allowedProtocols)));
+        return allowedProtocols;
     }
 
     @Override
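Review bot: The new `getAllowedProtocols` correctly fails closed by throwing `IllegalStateException` when the intersection of accepted and supported protocols is empty, which means a misconfigured or mistyped protocol allow-list aborts construction of `DefaultTlsContext` rather than producing a context that cannot negotiate anything; this deserves a Javadoc on the method, e.g. "Intersects the caller's protocol allow-list with what the SSLContext supports; throws IllegalStateException when nothing remains so a bad policy fails at startup instead of at handshake time." The sibling `getAllowedCiphers`, whose body lies outside this hunk, should have the same empty-result guard; if it does not, an empty cipher allow-list would presumably reach `SSLEngine`/`SSLParameters` as an empty array and fail only when a peer connects, which is worth confirming. Note also that `TlsContext.getAllowedProtocols(sslContext)` is now bound to a local named `supportedProtocols`, so the interface method's name no longer matches how it is used here; if it really returns the supported set, renaming it on the interface would avoid confusion. The exception message lists only protocol names, so there is no secret-leakage concern in surfacing it.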