Allow configuring excluded ciphers and SSL protocols

core/src/main/java/io/confluent/rest/Application.java

@@ -214,10 +214,20 @@ protected void doStop() throws Exception {
           sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
         }
 
+        List<String> disabledProtocols = config.getList(RestConfig.SSL_DISABLED_PROTOCOLS_CONFIG);
+        if (!enabledProtocols.isEmpty()) {
+          sslContextFactory.setExcludeProtocols(disabledProtocols.toArray(new String[0]));
+        }
+
         List<String> cipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_CONFIG);
         if (!cipherSuites.isEmpty()) {
           sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
         }
+
+        List<String> excludedCipherSuites = config.getList(RestConfig.SSL_CIPHER_SUITES_EXCLUDE_CONFIG);
+        if (!excludedCipherSuites.isEmpty()) {
+          sslContextFactory.setExcludeCipherSuites(cipherSuites.toArray(new String[0]));
+        }
 
         if (!config.getString(RestConfig.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG).isEmpty()) {
           sslContextFactory.setEndpointIdentificationAlgorithm(

core/src/main/java/io/confluent/rest/RestConfig.java

@@ -160,10 +160,19 @@ public class RestConfig extends AbstractConfig {
       "The list of protocols enabled for SSL connections. Comma-separated list. "
       + "Leave blank to use Jetty's defaults.";
   protected static final String SSL_ENABLED_PROTOCOLS_DEFAULT = "";
+  public static final String SSL_DISABLED_PROTOCOLS_CONFIG = "ssl.disabled.protocols";
+  protected static final String SSL_DISABLED_PROTOCOLS_DOC =
+       "The list of protocols disabled for SSL connections. Comma-separated list. "
+       + "Leave blank to use Jetty's defaults.";
+  protected static final String SSL_DISABLED_PROTOCOLS_DEFAULT = "";  
   public static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
   protected static final String SSL_CIPHER_SUITES_DOC =
       "A list of SSL cipher suites. Leave blank to use Jetty's defaults.";
   protected static final String SSL_CIPHER_SUITES_DEFAULT = "";
+  public static final String SSL_CIPHER_SUITES_EXCLUDE_CONFIG = "ssl.cipher.suites.exclude";
+  protected static final String SSL_CIPHER_SUITES_EXCLUDE_DOC =
+      "A list of excluded SSL cipher suites. Leave blank to use Jetty's defaults.";
+  protected static final String SSL_CIPHER_SUITES_EXCLUDE_DEFAULT = "";
   public static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG =
       "ssl.endpoint.identification.algorithm";
   protected static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_DOC =
@@ -357,12 +366,24 @@ public static ConfigDef baseConfigDef() {
             SSL_ENABLED_PROTOCOLS_DEFAULT,
             Importance.MEDIUM,
             SSL_ENABLED_PROTOCOLS_DOC
+        ).define(
+            SSL_DISABLED_PROTOCOLS_CONFIG,
+            Type.LIST,
+            SSL_DISABLED_PROTOCOLS_DEFAULT,
+            Importance.MEDIUM,
+            SSL_DISABLED_PROTOCOLS_DOC
         ).define(
             SSL_CIPHER_SUITES_CONFIG,
             Type.LIST,
             SSL_CIPHER_SUITES_DEFAULT,
             Importance.LOW,
             SSL_CIPHER_SUITES_DOC
+        ).define(
+            SSL_CIPHER_SUITES_EXCLUDE_CONFIG,
+            Type.LIST,
+            SSL_CIPHER_SUITES_EXCLUDE_DEFAULT,
+            Importance.LOW,
+            SSL_CIPHER_SUITES_EXCLUDE_DOC
         ).define(
             SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG,
             Type.STRING,