From 933dd81d82b6a35548d576503eccea4063d24dfd Mon Sep 17 00:00:00 2001
From: Jon Chambers
Date: Mon, 8 Mar 2021 15:53:55 -0500
Subject: [PATCH] Allow callers to specify a TLS version when constructing a FaultTolerantHttpClient.
---
 .../http/FaultTolerantHttpClient.java | 18 ++++++++++++++----
 .../securestorage/SecureStorageClient.java | 1 +
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java b/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
index 5149544b1..e45d3d13c 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
@@ -37,6 +37,9 @@ public class FaultTolerantHttpClient {
 private final Retry retry;
 private final CircuitBreaker breaker;
+ public static final String SECURITY_PROTOCOL_TLS_1_2 = "TLSv1.2";
+ public static final String SECURITY_PROTOCOL_TLS_1_3 = "TLSv1.3";
+
 public static Builder newBuilder() {
 return new Builder();
 }
@@ -86,6 +89,7 @@ public class FaultTolerantHttpClient {
 private String name;
 private Executor executor;
 private KeyStore trustStore;
+ private String securityProtocol = SECURITY_PROTOCOL_TLS_1_2;
 private RetryConfiguration retryConfiguration;
 private CircuitBreakerConfiguration circuitBreakerConfiguration;
@@ -126,6 +130,11 @@ public class FaultTolerantHttpClient {
 return this;
 }
+ public Builder withSecurityProtocol(final String securityProtocol) {
+ this.securityProtocol = securityProtocol;
+ return this;
+ }
+
 public Builder withTrustedServerCertificate(final String certificatePem) throws CertificateException {
 this.trustStore = CertificateUtil.buildKeyStoreForPem(certificatePem);
 return this;
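Review bot: The two constants in the first hunk are `SSLContext` algorithm names, and a context obtained for `TLSv1.3` may still negotiate TLS 1.2 and whatever older versions the JDK's `jdk.tls.disabledAlgorithms` leaves enabled, so `withSecurityProtocol(SECURITY_PROTOCOL_TLS_1_3)` raises the highest version the client offers rather than requiring it; the `SecureStorageClient` call site in the last hunk reads as if it pins TLS 1.3. A Javadoc on the constants should say so, e.g. `/** {@link javax.net.ssl.SSLContext} algorithm names. They select the highest TLS version the client offers, not the only version it will accept. */`, and the same wording belongs on `withSecurityProtocol` in the third hunk, which is currently undocumented.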
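Review bot: `withSecurityProtocol` in the third hunk stores its argument unchecked, so a null reaches `SslConfigurator.securityProtocol(null)` only inside `build()`, where the Jersey configurator presumably substitutes its own default protocol silently, and an unknown name fails only when `createSSLContext()` runs, far from the caller that set it. Rejecting it in the setter keeps the failure next to its source: `this.securityProtocol = Objects.requireNonNull(securityProtocol, "securityProtocol");` (`java.util.Objects`). Since the class already publishes `SECURITY_PROTOCOL_TLS_1_2` and `SECURITY_PROTOCOL_TLS_1_3`, a check against those two names, or an enum in their place, would also keep arbitrary protocol strings out of the configuration.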
@@ -142,13 +151,14 @@ public class FaultTolerantHttpClient {
 .version(version)
 .executor(executor);
+ final SslConfigurator sslConfigurator = SslConfigurator.newInstance().securityProtocol(securityProtocol);
+
 if (this.trustStore != null) {
- builder.sslContext(SslConfigurator.newInstance()
- .securityProtocol("TLSv1.2")
- .trustStore(trustStore)
- .createSSLContext());
+ sslConfigurator.trustStore(trustStore);
 }
+ builder.sslContext(sslConfigurator.createSSLContext());
+
 return new FaultTolerantHttpClient(name, builder.build(), retryConfiguration, circuitBreakerConfiguration);
 }
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java b/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
index 0513cfcf6..d200bb806 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
@@ -46,6 +46,7 @@ public class SecureStorageClient {
 .withRedirect(HttpClient.Redirect.NEVER)
 .withExecutor(executor)
 .withName("secure-storage")
+ .withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_3)
 .withTrustedServerCertificate(configuration.getStorageCaCertificate())
 .build();
 }
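Review bot: `build()` now installs a custom `SSLContext` on every client, whereas before this hunk a builder without a trust store left the `HttpClient` on the JDK default context; with no trust store the Jersey configurator presumably initialises the context with null trust managers, which `SSLContext.init` documents as falling back to the installed default trust manager, so trust decisions should be unchanged but the configured protocol now applies to every client, and that deserves a comment above the new `SslConfigurator` line, e.g. `// Always build our own context so the configured protocol applies even without a custom trust store; with no trust store the JDK default trust manager is used.` If the TLS 1.3 selection for the secure-storage client is meant as a minimum rather than a preference, the version also has to be fixed on the client itself, because `securityProtocol` alone leaves lower versions negotiable: `final SSLParameters sslParameters = new SSLParameters();`, `sslParameters.setProtocols(new String[] {securityProtocol});`, `builder.sslParameters(sslParameters);`. The body of `build()` starts before this hunk.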