Diffstat (limited to 'security-utils/src')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java | 16 | ||||
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java | 6 |
2 files changed, 21 insertions, 1 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index a42c678edab..85841c3e59f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -33,6 +33,8 @@ public class DefaultTlsContext implements TlsContext {
             "TLS_AES_256_GCM_SHA384", // TLSv1.3
             "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3
 
+    public static final List<String> ALLOWED_PROTOCOLS = List.of("TLSv1.2"); // TODO Enable TLSv1.3
+
     private static final Logger log = Logger.getLogger(DefaultTlsContext.class.getName());
 
     private final SSLContext sslContext;
@@ -58,6 +60,7 @@ public class DefaultTlsContext implements TlsContext {
     public SSLEngine createSslEngine() {
         SSLEngine sslEngine = sslContext.createSSLEngine();
         restrictSetOfEnabledCiphers(sslEngine, acceptedCiphers);
+        restrictTlsProtocols(sslEngine);
         return sslEngine;
     }
 
@@ -75,6 +78,19 @@ public class DefaultTlsContext implements TlsContext {
         sslEngine.setEnabledCipherSuites(validCipherSuites);
     }
 
+    private static void restrictTlsProtocols(SSLEngine sslEngine) {
+        String[] validProtocols = Arrays.stream(sslEngine.getSupportedProtocols())
+                .filter(ALLOWED_PROTOCOLS::contains)
+                .toArray(String[]::new);
+        if (validProtocols.length == 0) {
+            throw new IllegalArgumentException(
+                    String.format("Non of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)",
+                            ALLOWED_PROTOCOLS, Arrays.toString(sslEngine.getSupportedProtocols())));
+        }
+        log.log(Level.FINE, () -> String.format("Allowed protocols that are supported: %s", Arrays.toString(validProtocols)));
+        sslEngine.setEnabledProtocols(validProtocols);
+    }
+
     private static SSLContext createSslContext(List<X509Certificate> certificates,
                                                PrivateKey privateKey,
                                                List<X509Certificate> caCertificates,
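Review bot: The error message in restrictTlsProtocols misspells its first word; it should read `"None of the allowed protocols are supported (allowed-protocols=%s, supported-protocols=%s)"`. The condition reports that the runtime's SSLEngine supports none of the configured protocols rather than a bad caller argument, so IllegalStateException may describe it more accurately than IllegalArgumentException, unless restrictSetOfEnabledCiphers (whose body is mostly outside the hunk) already throws IllegalArgumentException for the same situation, in which case matching it is reasonable. A short Javadoc on ALLOWED_PROTOCOLS saying that it is the allow-list intersected with the engine's supported protocols and that every engine returned by createSslEngine() is restricted to it would tell readers why the list is public and why the TODO matters.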
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index cfaa7ba06df..656cfa77d61 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -12,6 +12,7 @@ import org.junit.Test;
 import javax.net.ssl.SSLEngine;
 import javax.security.auth.x500.X500Principal;
 
+import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
@@ -32,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 public class DefaultTlsContextTest {
 
     @Test
-    public void can_create_sslcontext_from_credentials() {
+    public void can_create_sslcontext_from_credentials() throws GeneralSecurityException {
         KeyPair keyPair = KeyUtils.generateKeypair(EC);
         X509Certificate certificate = X509CertificateBuilder
@@ -54,6 +55,9 @@ public class DefaultTlsContextTest {
         String[] enabledCiphers = sslEngine.getEnabledCipherSuites();
         assertThat(enabledCiphers).isNotEmpty();
         assertThat(enabledCiphers).isSubsetOf(DefaultTlsContext.ALLOWED_CIPHER_SUITES.toArray(new String[0]));
+
+        String[] enabledProtocols = sslEngine.getEnabledProtocols();
+        assertThat(enabledProtocols).contains("TLSv1.2");
     }
 }
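Review bot: The new assertion at the end of can_create_sslcontext_from_credentials only checks that TLSv1.2 is among the enabled protocols, which also holds for an unrestricted engine, so it does not verify that older protocol versions were actually removed. Mirroring the cipher check with `assertThat(enabledProtocols).isSubsetOf(DefaultTlsContext.ALLOWED_PROTOCOLS.toArray(new String[0]));` pins the restriction, and keeping the existing `contains("TLSv1.2")` next to it guards against the subset assertion passing on an empty array. The rest of the test body lies outside the hunk.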
\ No newline at end of file |