From ddcf4413c2535fb0b107aa27a3e9e4fbca7e9754 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@yahooinc.com>
Date: Fri, 24 Mar 2023 14:58:18 +0100
Subject: Enable TLSv1.3 for Vespa mTLS

---
 .../main/java/com/yahoo/security/tls/TlsContext.java    | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

(limited to 'security-utils/src/main/java')

diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 8e146f36907..9d72030c624 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -7,8 +7,6 @@ import javax.net.ssl.SSLParameters;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.Set;
 
 import static java.util.stream.Collectors.toSet;
@@ -26,21 +24,20 @@ public interface TlsContext extends AutoCloseable {
      * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM.
      * For TLSv1.3 we allow the DEFAULT group ciphers.
      * Note that we _only_ allow AEAD ciphers for either TLS version.
-     *
-     * TODO(bjorncs) Add new ciphers once migrated to JDK-17 (also available in 11.0.13):
-     * - TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      */
-    Set<String> ALLOWED_CIPHER_SUITES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+    Set<String> ALLOWED_CIPHER_SUITES = Set.of(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_AES_128_GCM_SHA256", // TLSv1.3
-            "TLS_AES_256_GCM_SHA384" // TLSv1.3
-            )));
+            "TLS_AES_256_GCM_SHA384", // TLSv1.3
+            "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+            );
 
-    // TODO Enable TLSv1.3 after upgrading to JDK 17
-    Set<String> ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
+    Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.2", "TLSv1.3");
 
     /** 
      * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
-- 
cgit v1.2.3