Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java23
1 files changed, 16 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index d2a42d21973..250596628ee 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -10,6 +10,7 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
@@ -40,14 +41,14 @@ public class DefaultTlsContext implements TlsContext {
}
public DefaultTlsContext(SSLContext sslContext, PeerAuthentication peerAuthentication) {
- this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, peerAuthentication);
+ this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES, TlsContext.ALLOWED_PROTOCOLS, peerAuthentication);
}
- DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, PeerAuthentication peerAuthentication) {
+ DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers, Set<String> acceptedProtocols, PeerAuthentication peerAuthentication) {
this.sslContext = sslContext;
this.peerAuthentication = peerAuthentication;
this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers);
- this.validProtocols = getAllowedProtocols(sslContext);
+ this.validProtocols = getAllowedProtocols(sslContext, acceptedProtocols);
}
private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
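Review bot: The new package-private constructor accepts `acceptedProtocols` without any null check, so a null argument only surfaces as a NullPointerException inside the stream filter of getAllowedProtocols rather than at the constructor boundary where the bad argument is visible; the same holds for `sslContext` and `acceptedCiphers` on the unchanged lines. A guard such as `this.sslContext = Objects.requireNonNull(sslContext, "sslContext");` (and the equivalent for the two sets, with `java.util.Objects` imported) would make the failure point obvious. Since getAllowedProtocols now throws IllegalStateException when the accepted and supported protocol sets do not intersect, that exception propagates out of both constructors, including the public one, and should be recorded there as `@throws IllegalStateException if none of the accepted cipher suites or protocols is supported by the provider`; whether getAllowedCiphers already throws the same way cannot be seen from this hunk, as its body lies outside it.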
@@ -64,10 +65,18 @@ public class DefaultTlsContext implements TlsContext {
return allowedCiphers;
}
- private static String[] getAllowedProtocols(SSLContext sslContext) {
- Set<String> allowedProtocols = TlsContext.getAllowedProtocols(sslContext);
- log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", com.yahoo.vespa.jdk8compat.List.of(allowedProtocols)));
- return com.yahoo.vespa.jdk8compat.Collection.toArray(allowedProtocols, String[]::new);
+ private static String[] getAllowedProtocols(SSLContext sslContext, Set<String> acceptedProtocols) {
+ Set<String> supportedProtocols = TlsContext.getAllowedProtocols(sslContext);
+ String[] allowedProtocols = supportedProtocols.stream()
+ .filter(acceptedProtocols::contains)
+ .toArray(String[]::new);
+ if (allowedProtocols.length == 0) {
+ throw new IllegalStateException(
+ String.format("None of the accepted protocols are supported (supported=%s, accepted=%s)",
+ supportedProtocols, acceptedProtocols));
+ }
+ log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(allowedProtocols)));
+ return allowedProtocols;
}
@Override
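Review bot: getAllowedProtocols now fails closed when none of `acceptedProtocols` is supported by the provider, which is the right behaviour for a TLS allow-list, but nothing documents that contract and a reader could take the empty-array case as a fallback to provider defaults. A header comment would make the intent explicit: `/** Returns the provider-supported protocols that are also in {@code acceptedProtocols}. Throws IllegalStateException rather than falling back to provider defaults when the intersection is empty. */`. The returned array also inherits the iteration order of the set from TlsContext.getAllowedProtocols, so if that set is unordered the FINE log line and the array contents vary between runs; if deterministic output matters for the later SSLParameters use (not visible here), a `.sorted()` before `.toArray(String[]::new)` would fix the order at no cost.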