Allow callers to specify a TLS version when constructing a FaultTolerantHttpClient.

2021-03-08 15:53:55 -05:00 · 2021-03-08 15:53:55 -05:00 · 933dd81d82
parent a1434524a4
commit 933dd81d82
2 changed files with 15 additions and 4 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
@ -37,6 +37,9 @@ public class FaultTolerantHttpClient {
  private final Retry                    retry;
  private final CircuitBreaker           breaker;

+  public static final String SECURITY_PROTOCOL_TLS_1_2 = "TLSv1.2";
+  public static final String SECURITY_PROTOCOL_TLS_1_3 = "TLSv1.3";
+
  public static Builder newBuilder() {
    return new Builder();
  }
@ -86,6 +89,7 @@ public class FaultTolerantHttpClient {
    private String                      name;
    private Executor                    executor;
    private KeyStore                    trustStore;
+    private String                      securityProtocol = SECURITY_PROTOCOL_TLS_1_2;
    private RetryConfiguration          retryConfiguration;
    private CircuitBreakerConfiguration circuitBreakerConfiguration;

@ -126,6 +130,11 @@ public class FaultTolerantHttpClient {
      return this;
    }

+    public Builder withSecurityProtocol(final String securityProtocol) {
+      this.securityProtocol = securityProtocol;
+      return this;
+    }
+
    public Builder withTrustedServerCertificate(final String certificatePem) throws CertificateException {
      this.trustStore = CertificateUtil.buildKeyStoreForPem(certificatePem);
      return this;
@ -142,13 +151,14 @@ public class FaultTolerantHttpClient {
                                                   .version(version)
                                                   .executor(executor);

+      final SslConfigurator sslConfigurator = SslConfigurator.newInstance().securityProtocol(securityProtocol);
+
      if (this.trustStore != null) {
-        builder.sslContext(SslConfigurator.newInstance()
-               .securityProtocol("TLSv1.2")
-               .trustStore(trustStore)
-               .createSSLContext());
+        sslConfigurator.trustStore(trustStore);
      }

+      builder.sslContext(sslConfigurator.createSSLContext());
+
      return new FaultTolerantHttpClient(name, builder.build(), retryConfiguration, circuitBreakerConfiguration);
    }

--- a/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
@ -46,6 +46,7 @@ public class SecureStorageClient {
                                                                        .withRedirect(HttpClient.Redirect.NEVER)
                                                                        .withExecutor(executor)
                                                                        .withName("secure-storage")
+                                                                        .withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_3)
                                                                        .withTrustedServerCertificate(configuration.getStorageCaCertificate())
                                                                        .build();
    }