diff --git a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java index af419873ae9..a35df22705e 100644 --- a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java +++ b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java @@ -70,10 +70,10 @@ public class SslServerInitializer extends ChannelInitializer< /** * The list of cipher suites that are currently acceptable to create a successful handshake. * - *

This list includes all of the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with - * no known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the - * ciphers internally but the IANA names listed here will be transparently translated by the - * OpenSSL provider (if used), so there is no need to include the OpenSSL name variants here. More + *

This list includes all the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with no + * known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the ciphers + * internally but the IANA names listed here will be transparently translated by the OpenSSL + * provider (if used), so there is no need to include the OpenSSL name variants here. More * information about these cipher suites and their OpenSSL names can be found at ciphersuite.info. */ private static final ImmutableList ALLOWED_TLS_CIPHERS = @@ -90,6 +90,10 @@ public class SslServerInitializer extends ChannelInitializer< "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"); + /** Thankfully, the JDK supports TLS version 1.3 now. */ + private static final ImmutableList SUPPORTED_TLS_VERSIONS = + ImmutableList.of("TLSv1.3", "TLSv1.2"); + private static final FluentLogger logger = FluentLogger.forEnclosingClass(); private final boolean requireClientCert; // TODO(jianglai): Always validate client certs (if required). @@ -99,7 +103,6 @@ public class SslServerInitializer extends ChannelInitializer< // change when the artifacts on GCS changes. private final Supplier privateKeySupplier; private final Supplier> certificatesSupplier; - private final ImmutableList supportedSslVersions; public SslServerInitializer( boolean requireClientCert, @@ -116,12 +119,6 @@ public SslServerInitializer( this.sslProvider = sslProvider; this.privateKeySupplier = privateKeySupplier; this.certificatesSupplier = certificatesSupplier; - this.supportedSslVersions = - sslProvider == SslProvider.OPENSSL - ? ImmutableList.of("TLSv1.3", "TLSv1.2") - // JDK support for TLS 1.3 won't be available until 2021-04-20 at the earliest. - // See: https://java.com/en/jre-jdk-cryptoroadmap.html - : ImmutableList.of("TLSv1.2"); } @Override @@ -133,7 +130,7 @@ protected void initChannel(C channel) throws Exception { .sslProvider(sslProvider) .trustManager(InsecureTrustManagerFactory.INSTANCE) .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE) - .protocols(supportedSslVersions) + .protocols(SUPPORTED_TLS_VERSIONS) .ciphers(ALLOWED_TLS_CIPHERS, SupportedCipherSuiteFilter.INSTANCE) .build();