From 681414100e1aac65e16090c789405e69b26ebb3b Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 12 Jul 2023 16:13:40 +0200
Subject: Allow TLSv1.3

---
 .../main/java/ai/vespa/feed/client/impl/SslContextBuilder.java | 3 ++-
 .../java/ai/vespa/feed/client/impl/SslContextBuilderTest.java | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

(limited to 'vespa-feed-client')

diff --git a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
index 1855b657a75..85144ae3e8c 100644
--- a/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
+++ b/vespa-feed-client/src/main/java/ai/vespa/feed/client/impl/SslContextBuilder.java
@@ -85,7 +85,8 @@ class SslContextBuilder {
 } else if (hasCaCertificateInstance()) {
 addCaCertificates(keystore, caCertificates);
 }
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); // Protocol version must match TlsContext.SSL_CONTEXT_VERSION
+ // Protocol version must be equal to TlsContext.SSL_CONTEXT_VERSION or higher
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
 sslContext.init(
 createKeyManagers(keystore).orElse(null),
 createTrustManagers(keystore).orElse(null),
diff --git a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
index 95952d37c3c..bddb8857dc3 100644
--- a/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
+++ b/vespa-feed-client/src/test/java/ai/vespa/feed/client/impl/SslContextBuilderTest.java
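Review bot: The new comment above `SSLContext.getInstance("TLSv1.3")` in SslContextBuilder.java reads as if the name sets a minimum version, but in JSSE the name passed to getInstance only selects the newest protocol the context offers; TLSv1.2 and any older version the JDK has not disabled stay enabled. I would word it as `// "TLSv1.3" is the highest version this context offers, not a floor; the minimum is set where SSLParameters.setProtocols(...) is applied`. Whether the consumer of this context pins the enabled protocols is not visible in this hunk, so that is worth confirming. The call also throws NoSuchAlgorithmException on runtimes without TLS 1.3 support, so if the feed client still targets older Java 8 builds (not visible here) that requirement should be stated next to the call. The enclosing method starts and ends outside the hunk.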
@@ -57,13 +57,13 @@ class SslContextBuilderTest {
 .withCaCertificates(certificateFile)
 .withCertificateAndKey(certificateFile, privateKeyFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLSv1.3", sslContext.getProtocol());
 }

 @Test
 void successfully_constructs_sslcontext_when_no_builder_parameter_given() {
 SSLContext sslContext = Assertions.assertDoesNotThrow(() -> new SslContextBuilder().build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLSv1.3", sslContext.getProtocol());
 }

 @Test
@@ -72,7 +72,7 @@ class SslContextBuilderTest {
 new SslContextBuilder()
 .withCertificateAndKey(certificateFile, privateKeyFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLSv1.3", sslContext.getProtocol());
 }

 @Test
@@ -81,7 +81,7 @@ class SslContextBuilderTest {
 new SslContextBuilder()
 .withCaCertificates(certificateFile)
 .build());
- assertEquals("TLSv1.2", sslContext.getProtocol());
+ assertEquals("TLSv1.3", sslContext.getProtocol());
 }

 private static void writePem(Path file, String type, byte[] asn1DerEncodedObject) throws IOException {
-- cgit v1.2.3
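Review bot: The four updated assertions (in this hunk and in the hunks at -72 and -81) only compare `sslContext.getProtocol()`, which returns the name that was passed to `SSLContext.getInstance`, so they would pass even if the runtime never enabled TLSv1.3 for handshakes. At least one test should check the enabled set, e.g. `assertTrue(Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols()).contains("TLSv1.3"));`, and ideally also that no version below TLSv1.2 is listed. The test class's imports are outside the hunks, so `Arrays` and `assertTrue` may need importing.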