From 4bb0999694a314b8daebe179db39c1fe48cca21d Mon Sep 17 00:00:00 2001
From: Andreas Eriksen
Date: Fri, 6 Jan 2023 17:16:35 +0100
Subject: Revert "Ensure that HTTPS clients only use allowed ciphers and protocol versions" (#25436)
---
 .../java/com/yahoo/security/SslContextBuilder.java | 4 +---
 .../java/com/yahoo/security/tls/TlsContext.java | 23 +--------------------
 2 files changed, 2 insertions(+), 25 deletions(-)
(limited to 'security-utils/src')
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index 9b26b79a960..d91c47e5eed 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -1,8 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.security;
-import com.yahoo.security.tls.TlsContext;
-
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
@@ -131,7 +129,7 @@ public class SslContextBuilder {
 public SSLContext build() {
 try {
- SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
+ SSLContext sslContext = SSLContext.getInstance("TLS");
 X509ExtendedTrustManager trustManager = this.trustManager != null ? this.trustManager : trustManagerFactory.createTrustManager(trustStoreSupplier.get());
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 8e146f36907..b222c8664cc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
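Review bot: With `SSLContext.getInstance("TLS")` the context returned by `build()` carries the JDK's default enabled protocols and cipher suites, so nothing in this method ties it to `TlsContext.ALLOWED_PROTOCOLS` any more; a caller that uses the returned `SSLContext` directly, rather than through a `TlsContext` that applies `getAllowedProtocols(SSLContext)`/`getAllowedCipherSuites(SSLContext)` to its engine or parameters, gets whatever the runtime leaves enabled (subject to `jdk.tls.disabledAlgorithms`). That is the stated intent of the revert, but it should be visible at the call site: a Javadoc on `build()` such as `/** Returns an {@link SSLContext} with the JDK's default protocol and cipher-suite selection; callers that must honour {@code com.yahoo.security.tls.TlsContext#ALLOWED_PROTOCOLS} apply {@code TlsContext#getAllowedProtocols(SSLContext)} to the engine or parameters themselves. */` would record it. The literal also duplicates `TlsContext.SSL_CONTEXT_VERSION`, which this commit sets to the same value in TlsContext.java, so the two can drift apart silently. The body of `build()` continues past the hunk.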
@@ -4,8 +4,6 @@ package com.yahoo.security.tls;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
@@ -41,12 +39,7 @@ public interface TlsContext extends AutoCloseable {
 // TODO Enable TLSv1.3 after upgrading to JDK 17
 Set ALLOWED_PROTOCOLS = Collections.singleton("TLSv1.2");
-
- /**
- * {@link SSLContext} protocol name that supports at least oldest protocol listed in {@link #ALLOWED_PROTOCOLS}
- * @see SSLContext#getInstance(String)
- */
- String SSL_CONTEXT_VERSION = "TLSv1.2";
+ String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions
 /**
 * @return the allowed cipher suites supported by the provided context instance
@@ -65,8 +58,6 @@ public interface TlsContext extends AutoCloseable {
 return enabledCiphers;
 }
- static Set getAllowedCipherSuites() { return getAllowedCipherSuites(defaultSslContext()); }
-
 /**
 * @return the allowed protocols supported by the provided context instance
 */
@@ -83,18 +74,6 @@ public interface TlsContext extends AutoCloseable {
 return enabledProtocols;
 }
- static Set getAllowedProtocols() { return getAllowedProtocols(defaultSslContext()); }
-
- /** @return Default {@link SSLContext} instance without certificate and using JDK's default trust store */
- static SSLContext defaultSslContext() {
- try {
- var ctx = SSLContext.getInstance(SSL_CONTEXT_VERSION);
- ctx.init(null, null, null);
- return ctx;
- } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e);
- } catch (KeyManagementException e) { throw new IllegalStateException(e); }
- }
-
 SSLContext context();
 SSLParameters parameters();
--
cgit v1.2.3
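Review bot: The comment that replaces the removed Javadoc on `SSL_CONTEXT_VERSION`, `// Use SSLContext implementations that supports all TLS versions`, no longer says how the constant relates to `ALLOWED_PROTOCOLS` declared two lines above, and it has a grammar slip (`supports` should read `support`). Since the interface still restricts `ALLOWED_PROTOCOLS` to TLSv1.2 while a context created under this name enables the JDK's default protocols, a reader needs to know that the restriction is applied afterwards, presumably via `getAllowedProtocols(SSLContext)`/`getAllowedCipherSuites(SSLContext)` on the engine or parameters; that application site is outside this hunk. A Javadoc such as `/** Protocol name for {@link SSLContext#getInstance(String)}; selects an implementation that supports all TLS versions, so {@link #ALLOWED_PROTOCOLS} and the allowed cipher suites must still be applied to the engine or parameters. */` would keep that information with the constant.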