From 4bb0999694a314b8daebe179db39c1fe48cca21d Mon Sep 17 00:00:00 2001
From: Andreas Eriksen
Date: Fri, 6 Jan 2023 17:16:35 +0100
Subject: Revert "Ensure that HTTPS clients only use allowed ciphers and protocol versions" (#25436)
---
 .../hosted/controller/proxy/ConfigServerRestExecutorImpl.java | 7 +++----
 .../hosted/controller/restapi/systemflags/FlagsClient.java | 7 ++++---
 .../controller/proxy/ConfigServerRestExecutorImplTest.java | 10 +++++++---
 3 files changed, 14 insertions(+), 10 deletions(-)
(limited to 'controller-server')
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
index a2611fe3f9d..4f4e21d9f25 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImpl.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.proxy;
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.component.annotation.Inject;
 import com.yahoo.jdisc.http.HttpRequest.Method;
@@ -70,9 +69,9 @@ public class ConfigServerRestExecutorImpl extends AbstractComponent implements C
 @Inject
 public ConfigServerRestExecutorImpl(ZoneRegistry zoneRegistry, ControllerIdentityProvider identityProvider) {
- this(SslConnectionSocketFactory.of(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
- Sleeper.DEFAULT, // Specify
- new ConnectionReuseStrategy(zoneRegistry));
+ this(new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry)),
+ Sleeper.DEFAULT,
+ new ConnectionReuseStrategy(zoneRegistry));
 }
 ConfigServerRestExecutorImpl(SSLConnectionSocketFactory connectionSocketFactory,
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
index 6327a6262ba..4a208aa3794 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/systemflags/FlagsClient.java
@@ -1,7 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.restapi.systemflags;
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import ai.vespa.util.http.hc4.retry.DelayedConnectionLevelRetryHandler;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
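Review bot: The replacement call `new SSLConnectionSocketFactory(identityProvider.getConfigServerSslSocketFactory(), new ControllerOrConfigserverHostnameVerifier(zoneRegistry))` passes no supportedProtocols or supportedCipherSuites, so the proxy's TLS connections to config servers now negotiate whatever the underlying SSLSocketFactory enables by default (as far as I recall, HttpClient 4.x only strips SSLv* protocol names in that case) rather than the allow-list the reverted change applied; the same applies to the FlagsClient hunk at `@@ -100,11 +100,12 @@`. The commit message says neither what the original change broke nor whether the restriction is meant to be re-applied, which is exactly what the next reader of this constructor will want to know. I would add a comment above the `this(` line, e.g. `// Protocol/cipher allow-list (SslConnectionSocketFactory.of) reverted in #25436 because <reason>; re-apply via the (factory, protocols, ciphers, verifier) overload once resolved`, with the actual reason filled in. The constructor body is complete within the hunk, but the class continues outside it.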
@@ -23,6 +22,7 @@ import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -100,11 +100,12 @@ class FlagsClient {
 DelayedConnectionLevelRetryHandler retryHandler = DelayedConnectionLevelRetryHandler.Builder
 .withExponentialBackoff(Duration.ofSeconds(1), Duration.ofSeconds(20), 5)
 .build();
+ SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(
+ identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets));
 return HttpClientBuilder.create()
 .setUserAgent("controller-flags-v1-client")
- .setSSLSocketFactory(SslConnectionSocketFactory.of(
- identityProvider.getConfigServerSslSocketFactory(), new FlagTargetsHostnameVerifier(targets)))
+ .setSSLSocketFactory(connectionSocketFactory)
 .setDefaultRequestConfig(RequestConfig.custom()
 .setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
 .setConnectionRequestTimeout((int) Duration.ofSeconds(10).toMillis())
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
index 210e32db4c3..5214ded0904 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/proxy/ConfigServerRestExecutorImplTest.java
@@ -2,17 +2,18 @@
 package com.yahoo.vespa.hosted.controller.proxy;
 import ai.vespa.http.HttpURL.Path;
-import ai.vespa.util.http.hc4.SslConnectionSocketFactory;
 import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import com.github.tomakehurst.wiremock.stubbing.Scenario;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.yolean.concurrent.Sleeper;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.protocol.HttpCoreContext;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
+import javax.net.ssl.SSLContext;
 import java.io.ByteArrayOutputStream;
 import java.net.URI;
 import java.util.HashMap;
@@ -37,7 +38,8 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_with_retries() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of("127.0.0.1"));
- var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
+ Sleeper.NOOP, connectionReuseStrategy);
 URI url = url();
 String path = url.getPath();
@@ -61,7 +63,9 @@ public class ConfigServerRestExecutorImplTest {
 @Test
 void proxy_without_connection_reuse() throws Exception {
 var connectionReuseStrategy = new CountingConnectionReuseStrategy(Set.of());
- var proxy = new ConfigServerRestExecutorImpl(SslConnectionSocketFactory.of(), Sleeper.NOOP, connectionReuseStrategy);
+ var proxy = new ConfigServerRestExecutorImpl(new SSLConnectionSocketFactory(SSLContext.getDefault()),
+ Sleeper.NOOP, connectionReuseStrategy);
+
 URI url = url();
 String path = url.getPath();
 stubRequests(path);
-- 
cgit v1.2.3
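Review bot: The third added line in proxy_without_connection_reuse appears to be an empty line (the file's diffstat counts seven insertions and only six non-blank added lines are visible), placed between the `var proxy = ...` statement and `URI url = url();`, with no counterpart in proxy_with_retries just above it. I would drop that blank line so the two test bodies stay parallel and the hunk carries only the `SSLContext.getDefault()` change. Both test methods continue past the end of their hunks.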