From 8d65a953ce3d950686bc94c2d0c2cc36a9136a16 Mon Sep 17 00:00:00 2001
From: groghkov
Date: Tue, 23 May 2017 11:19:09 +0300
Subject: [PATCH] Allow configuring excluded ciphers and SSL protocols
---
 .../java/io/confluent/rest/Application.java | 10 +++++++++
 .../java/io/confluent/rest/RestConfig.java | 21 +++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/core/src/main/java/io/confluent/rest/Application.java b/core/src/main/java/io/confluent/rest/Application.java
index 3a772cda06..79fb3ccc42 100644
--- a/core/src/main/java/io/confluent/rest/Application.java
+++ b/core/src/main/java/io/confluent/rest/Application.java
@@ -214,10 +214,20 @@ protected void doStop() throws Exception {
 sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
 }
 
+ List disabledProtocols = config.getList(RestConfig.SSL_DISABLED_PROTOCOLS_CONFIG);
+ if (!enabledProtocols.isEmpty()) {
+ sslContextFactory.setExcludeProtocols(disabledProtocols.toArray(new String[0]));
+ }
+
 List cipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_CONFIG);
 if (!cipherSuites.isEmpty()) {
 sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
 }
+
+ List excludedCipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_EXCLUDE_CONFIG);
+ if (!excludedCipherSuites.isEmpty()) {
+ sslContextFactory.setExcludeCipherSuites(cipherSuites.toArray(new String[0]));
+ }
 
 if (!config.getString(RestConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG).isEmpty()) {
 sslContextFactory.setEndpointIdentificationAlgorithm(
diff --git a/core/src/main/java/io/confluent/rest/RestConfig.java b/core/src/main/java/io/confluent/rest/RestConfig.java
index 539188227f..4d49c1d76d 100644
--- a/core/src/main/java/io/confluent/rest/RestConfig.java
+++ b/core/src/main/java/io/confluent/rest/RestConfig.java
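Review bot: The protocol-exclusion guard added in this hunk tests the wrong list — `if (!enabledProtocols.isEmpty())` should be `if (!disabledProtocols.isEmpty())` — so a configured `ssl.disabled.protocols` is silently ignored whenever the enabled list is blank, and when the enabled list is set but the disabled list is left at its blank default the factory receives `setExcludeProtocols(new String[0])`. The cipher-suite branch has the matching slip: `setExcludeCipherSuites(cipherSuites.toArray(new String[0]))` passes the include list instead of the exclude list, so every explicitly enabled suite is also excluded and `ssl.cipher.suites.exclude` never takes effect; it should read `sslContextFactory.setExcludeCipherSuites(excludedCipherSuites.toArray(new String[0]));`. Both matter for hardening because, as far as I recall, Jetty's SslContextFactory replaces its exclude sets on these setters rather than merging with them, so an empty or wrong array would overwrite the built-in exclusions of legacy protocols and weak suites — confirm against the Jetty version the project pins. The raw `List` on the two new locals copies the existing `cipherSuites` line, but `List<String>` would avoid the unchecked `toArray` and read more clearly. The enclosing method begins and ends outside this hunk.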
@@ -160,10 +160,19 @@ public class RestConfig extends AbstractConfig {
 "The list of protocols enabled for SSL connections. Comma-separated list. "
 + "Leave blank to use Jetty's defaults.";
 protected static final String SSL_ENABLED_PROTOCOLS_DEFAULT = "";
+ public static final String SSL_DISABLED_PROTOCOLS_CONFIG = "ssl.disabled.protocols";
+ protected static final String SSL_DISABLED_PROTOCOLS_DOC =
+ "The list of protocols disabled for SSL connections. Comma-separated list. "
+ + "Leave blank to use Jetty's defaults.";
+ protected static final String SSL_DISABLED_PROTOCOLS_DEFAULT = "";
 public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
 protected static final String SSL_CIPHER_SUITES_DOC =
 "A list of SSL cipher suites. Leave blank to use Jetty's defaults.";
 protected static final String SSL_CIPHER_SUITES_DEFAULT = "";
+ public static final String SSL_CIPHER_SUITES_EXCLUDE_CONFIG = "ssl.cipher.suites.exclude";
+ protected static final String SSL_CIPHER_SUITES_EXCLUDE_DOC =
+ "A list of excluded SSL cipher suites. Leave blank to use Jetty's defaults.";
+ protected static final String SSL_CIPHER_SUITES_EXCLUDE_DEFAULT = "";
 public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG =
 "ssl.endpoint.identification.algorithm";
 protected static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC =
@@ -357,12 +366,24 @@ public static ConfigDef baseConfigDef() {
 SSL_ENABLED_PROTOCOLS_DEFAULT,
 Importance.MEDIUM,
 SSL_ENABLED_PROTOCOLS_DOC
+ ).define(
+ SSL_DISABLED_PROTOCOLS_CONFIG,
+ Type.LIST,
+ SSL_DISABLED_PROTOCOLS_DEFAULT,
+ Importance.MEDIUM,
+ SSL_DISABLED_PROTOCOLS_DOC
 ).define(
 SSL_CIPHER_SUITES_CONFIG,
 Type.LIST,
 SSL_CIPHER_SUITES_DEFAULT,
 Importance.LOW,
 SSL_CIPHER_SUITES_DOC
+ ).define(
+ SSL_CIPHER_SUITES_EXCLUDE_CONFIG,
+ Type.LIST,
+ SSL_CIPHER_SUITES_EXCLUDE_DEFAULT,
+ Importance.LOW,
+ SSL_CIPHER_SUITES_EXCLUDE_DOC
 ).define(
 SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG,
 Type.STRING,
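Review bot: The two new keys name the same concept differently, `ssl.disabled.protocols` versus `ssl.cipher.suites.exclude`, and the constants follow suit (`SSL_DISABLED_PROTOCOLS_*` versus `SSL_CIPHER_SUITES_EXCLUDE_*`); config keys are hard to rename once shipped, so picking one of "disabled" or "exclude" for both before merge, and applying the same choice in the `baseConfigDef()` hunk below, would keep the configuration surface consistent. Neither doc string says what happens when an exclude list and the corresponding include list are both set; a sentence such as `Entries listed here are removed even if they also appear in ssl.enabled.protocols.` (and the equivalent for cipher suites) would help operators, provided that precedence is first confirmed against Jetty's SslContextFactory. `SSL_CIPHER_SUITES_EXCLUDE_DOC` could also say "Comma-separated list." as `SSL_DISABLED_PROTOCOLS_DOC` does, since both are defined as `Type.LIST`.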