From 42122fd8ebc44bac639f28f673448f36a7d50aa3 Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Mon, 22 Mar 2021 11:54:01 +0100
Subject: Allow TLS_RSA_WITH_AES_256_GCM_SHA384 in container

---
 .../vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 9f98fdb4ea2..06e02821544 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -4,10 +4,13 @@ package com.yahoo.vespa.model.container.http.ssl;
 import com.yahoo.config.model.api.EndpointCertificateSecrets;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
+import com.yahoo.security.tls.TlsContext;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 
 import java.time.Duration;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Component specification for {@link com.yahoo.jdisc.http.server.jetty.ConnectorFactory} with hosted specific configuration.
@@ -76,6 +79,11 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 // Disables TLSv1.3 as it causes some browsers to prompt user for client certificate (when connector has 'want' auth)
 connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"));
 
+ // Add TLS_RSA_WITH_AES_256_GCM_SHA384 cipher to list of defalt allowed ciphers
+ Set ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
+ ciphers.add("TLS_RSA_WITH_AES_256_GCM_SHA384");
+ connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(ciphers));
+
 connectorBuilder
 .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(true).mixedMode(true))
 .idleTimeout(Duration.ofMinutes(3).toSeconds())
-- 
cgit v1.2.3
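Review bot: The added `Set ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);` declares a raw `Set`, so the element type is lost and both `ciphers.add(...)` and the `Set.copyOf(ciphers)` passed to `enabledCipherSuites` go through unchecked conversions rather than a typed `Set<String>`; it should read `Set<String> ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);` (assuming `ALLOWED_CIPHER_SUITES` holds `String`s, which the string literal added to it suggests). The new comment has a typo (`defalt`) and only restates the code: `TLS_RSA_*` suites use static RSA key exchange and so provide no forward secrecy, which is presumably why this suite is absent from `TlsContext.ALLOWED_CIPHER_SUITES`, so the comment should record why it is re-enabled here and when it can go away, e.g. `// TLS_RSA_WITH_AES_256_GCM_SHA384 lacks forward secrecy and is deliberately excluded from TlsContext.ALLOWED_CIPHER_SUITES; added here only for <client/reason — fill in>, remove once no longer required`. The enclosing method starts and ends outside the hunk.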