From c0a05a06d4425d94c94b692ab8b0270cacae6fd7 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Mon, 12 Jul 2021 16:14:28 +0200
Subject: Remove TLS_RSA_WITH_AES_256_GCM_SHA384 from default-enabled ciphers on 4443
---
 .../vespa/model/container/http/ssl/HostedSslConnectorFactory.java | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java')
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 89f200698fa..b25463b8547 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -9,7 +9,6 @@ import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import java.time.Duration;
 import java.util.Collection;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -91,11 +90,7 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
 if (!tlsCiphersOverride.isEmpty()) {
 connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride);
 } else {
- // Add TLS_RSA_WITH_AES_256_GCM_SHA384 cipher to list of default allowed ciphers
- // TODO Remove TLS_RSA_WITH_AES_256_GCM_SHA384 as it's weak and incompatible with HTTP/2
- Set ciphers = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
- ciphers.add("TLS_RSA_WITH_AES_256_GCM_SHA384");
- connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(ciphers));
+ connectorBuilder.ssl.enabledCipherSuites(Set.copyOf(TlsContext.ALLOWED_CIPHER_SUITES));
 }
 connectorBuilder
-- cgit v1.2.3
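Review bot: The override branch kept as context in the second hunk still hands `tlsCiphersOverride` straight to `enabledCipherSuites`, so the suite this commit drops from the defaults (described in the removed TODO as weak and incompatible with HTTP/2) can be re-enabled by configuration, and nothing visible in the hunk checks the override against `TlsContext.ALLOWED_CIPHER_SUITES`. If that is the intended escape hatch for clients that cannot negotiate the remaining suites, say so where the default is set, e.g. `// Default: TlsContext.ALLOWED_CIPHER_SUITES only; a non-empty override replaces this list and is not checked against it`. A unit test asserting that the connector config generated for an empty override does not contain `TLS_RSA_WITH_AES_256_GCM_SHA384` would keep the suite from being reintroduced by accident. The enclosing method starts and ends outside the hunk, so validation of the override may exist upstream of what is shown.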