Always allow both TLS 1.2 and 1.3 (#2978 )

The JDK version of SSL has long supported TLS v1.3 (since version 11) so fortunately we can use TLS v1.3 regardless if which implementation of SSL we're using. We prefer OpenSSL in general so I'm not entirely sure why we were using the JDK version of SSL on the proxy before, but this should work and be a good idea regardless. Tested on alpha by running ``` $ openssl s_client -connect epp.registryalpha.foo:700 -tls1_3 -ciphersuites "TLS_AES_128_GCM_SHA256" ``` Previously we'd get a failure, now it returns the proper cert data.
Enable Fee-1.0 extension in prod (#2975 )
2026-03-12 13:45:00 +00:00 · 2026-03-09 22:51:17 +00:00 · 2026-03-05 20:22:33 +00:00 · 2026-03-04 20:14:42 +00:00 · 2026-03-04 18:49:06 +00:00
20 changed files with 441 additions and 2182 deletions
--- a/core/src/main/java/google/registry/model/common/FeatureFlag.java
+++ b/core/src/main/java/google/registry/model/common/FeatureFlag.java
@@ -68,6 +68,10 @@ public class FeatureFlag extends ImmutableObject implements Buildable {
    /** Feature flag name used for testing only. */
    TEST_FEATURE(FeatureStatus.INACTIVE),

+    /** True if Fee Extension 1.0 (RFC 8748) is enabled in production. */
+    // TODO(b/159033801) Delete this flag after 1.0 is hardened in prod.
+    FEE_EXTENSION_1_DOT_0_IN_PROD(FeatureStatus.INACTIVE),
+
    /** If we're not requiring the presence of contact data on domain EPP commands. */
    MINIMUM_DATASET_CONTACTS_OPTIONAL(FeatureStatus.INACTIVE),

--- a/core/src/main/java/google/registry/model/eppcommon/ProtocolDefinition.java
+++ b/core/src/main/java/google/registry/model/eppcommon/ProtocolDefinition.java
@@ -16,11 +16,14 @@ package google.registry.model.eppcommon;

 import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static com.google.common.collect.Maps.uniqueIndex;
+import static google.registry.model.common.FeatureFlag.FeatureName.FEE_EXTENSION_1_DOT_0_IN_PROD;
+import static google.registry.persistence.transaction.TransactionManagerFactory.tm;

 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.VerifyException;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import google.registry.model.common.FeatureFlag;
 import google.registry.model.domain.fee06.FeeCheckCommandExtensionV06;
 import google.registry.model.domain.fee06.FeeCheckResponseExtensionV06;
 import google.registry.model.domain.fee11.FeeCheckCommandExtensionV11;
@@ -58,7 +61,7 @@ public class ProtocolDefinition {
  /** Enum representing which environments should have which service extensions enabled. */
  private enum ServiceExtensionVisibility {
    ALL,
-    ONLY_IN_NON_PRODUCTION,
+    FEE_1_DOT_0_EXTENSION_VISIBILITY,
    NONE
  }

@@ -82,7 +85,7 @@ public class ProtocolDefinition {
    FEE_1_00(
        FeeCheckCommandExtensionStdV1.class,
        FeeCheckResponseExtensionStdV1.class,
-        ServiceExtensionVisibility.ONLY_IN_NON_PRODUCTION),
+        ServiceExtensionVisibility.FEE_1_DOT_0_EXTENSION_VISIBILITY),
    METADATA_1_0(MetadataExtension.class, null, ServiceExtensionVisibility.NONE);

    private final Class<? extends CommandExtension> commandExtensionClass;
@@ -138,8 +141,9 @@ public class ProtocolDefinition {
    public boolean isVisible() {
      return switch (visibility) {
        case ALL -> true;
-        case ONLY_IN_NON_PRODUCTION ->
-            !RegistryEnvironment.get().equals(RegistryEnvironment.PRODUCTION);
+        case FEE_1_DOT_0_EXTENSION_VISIBILITY ->
+            !RegistryEnvironment.get().equals(RegistryEnvironment.PRODUCTION)
+                || tm().transact(() -> FeatureFlag.isActiveNow(FEE_EXTENSION_1_DOT_0_IN_PROD));
        case NONE -> false;
      };
    }
--- a/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolEnvironment.java
@@ -91,7 +91,7 @@ public enum RegistryToolEnvironment {

  /** Sets up execution environment. Call this method before any classes are loaded. */
  @VisibleForTesting
-  void setup(SystemPropertySetter systemPropertySetter) {
+  public void setup(SystemPropertySetter systemPropertySetter) {
    instance = this;
    actualEnvironment.setup(systemPropertySetter);
    for (Map.Entry<String, String> entry : extraProperties.entrySet()) {
--- a/core/src/test/java/google/registry/flows/domain/ProductionSimulatingFeeExtensionsTest.java
+++ b/core/src/test/java/google/registry/flows/domain/ProductionSimulatingFeeExtensionsTest.java
@@ -15,15 +15,21 @@
 package google.registry.flows.domain;

 import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.common.FeatureFlag.FeatureName.FEE_EXTENSION_1_DOT_0_IN_PROD;
+import static google.registry.tools.RegistryToolEnvironment.PRODUCTION;
+import static google.registry.util.DateTimeUtils.START_OF_TIME;

 import google.registry.model.eppcommon.ProtocolDefinition;
+import google.registry.tools.CommandTestCase;
+import google.registry.tools.ConfigureFeatureFlagCommand;
 import google.registry.util.RegistryEnvironment;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;

 /** Class for testing the XML extension definitions loaded in the prod environment. */
-public class ProductionSimulatingFeeExtensionsTest {
+public class ProductionSimulatingFeeExtensionsTest
+    extends CommandTestCase<ConfigureFeatureFlagCommand> {

  private RegistryEnvironment previousEnvironment;

@@ -59,7 +65,7 @@ public class ProductionSimulatingFeeExtensionsTest {
  }

  @Test
-  void testProdEnvironment() {
+  void testProdEnvironment_feeExtensionFeatureNotSet() {
    RegistryEnvironment.PRODUCTION.setup();
    ProtocolDefinition.reloadServiceExtensionUris();
    // prod shouldn't have the fee extension version 1.0
@@ -72,4 +78,47 @@ public class ProductionSimulatingFeeExtensionsTest {
            "urn:ietf:params:xml:ns:fee-0.11",
            "urn:ietf:params:xml:ns:fee-0.12");
  }
+
+  @Test
+  void testProdEnvironment_feeExtensionFeatureActiveInTheFuture() throws Exception {
+    runCommandInEnvironment(
+        PRODUCTION,
+        FEE_EXTENSION_1_DOT_0_IN_PROD.name(),
+        "--force",
+        "--status_map",
+        String.format("%s=INACTIVE,%s=ACTIVE", START_OF_TIME, fakeClock.nowUtc().plusMillis(1)));
+    RegistryEnvironment.PRODUCTION.setup();
+    ProtocolDefinition.reloadServiceExtensionUris();
+    // prod shouldn't have the fee extension version 1.0
+    assertThat(ProtocolDefinition.getVisibleServiceExtensionUris())
+        .containsExactly(
+            "urn:ietf:params:xml:ns:launch-1.0",
+            "urn:ietf:params:xml:ns:rgp-1.0",
+            "urn:ietf:params:xml:ns:secDNS-1.1",
+            "urn:ietf:params:xml:ns:fee-0.6",
+            "urn:ietf:params:xml:ns:fee-0.11",
+            "urn:ietf:params:xml:ns:fee-0.12");
+  }
+
+  @Test
+  void testProdEnvironment_feeExtensionFeatureActiveInThePast() throws Exception {
+    runCommandInEnvironment(
+        PRODUCTION,
+        FEE_EXTENSION_1_DOT_0_IN_PROD.name(),
+        "--force",
+        "--status_map",
+        String.format("%s=INACTIVE,%s=ACTIVE", START_OF_TIME, fakeClock.nowUtc().minusMillis(1)));
+    RegistryEnvironment.PRODUCTION.setup();
+    ProtocolDefinition.reloadServiceExtensionUris();
+    // prod should have the fee extension version 1.0
+    assertThat(ProtocolDefinition.getVisibleServiceExtensionUris())
+        .containsExactly(
+            "urn:ietf:params:xml:ns:launch-1.0",
+            "urn:ietf:params:xml:ns:rgp-1.0",
+            "urn:ietf:params:xml:ns:secDNS-1.1",
+            "urn:ietf:params:xml:ns:fee-0.6",
+            "urn:ietf:params:xml:ns:fee-0.11",
+            "urn:ietf:params:xml:ns:fee-0.12",
+            "urn:ietf:params:xml:ns:epp:fee-1.0");
+  }
 }
--- a/core/src/test/java/google/registry/tools/CommandTestCase.java
+++ b/core/src/test/java/google/registry/tools/CommandTestCase.java
@@ -94,7 +94,8 @@ public abstract class CommandTestCase<C extends Command> {
    System.setErr(oldStderr);
  }

-  void runCommandInEnvironment(RegistryToolEnvironment env, String... args) throws Exception {
+  protected void runCommandInEnvironment(RegistryToolEnvironment env, String... args)
+      throws Exception {
    env.setup(systemPropertyExtension);
    try {
      JCommander jcommander = new JCommander(command);
--- a/db/src/main/resources/sql/er_diagram/brief_er_diagram.html
+++ b/db/src/main/resources/sql/er_diagram/brief_er_diagram.html
--- a/db/src/main/resources/sql/er_diagram/full_er_diagram.html
+++ b/db/src/main/resources/sql/er_diagram/full_er_diagram.html
--- a/db/src/main/resources/sql/flyway.txt
+++ b/db/src/main/resources/sql/flyway.txt
@@ -218,3 +218,5 @@ V217__drop_contact_fks_pollmessage.sql
 V218__tld_drop_allowedregistrantcontactids.sql
 V219__domain_history_package_token_idx.sql
 V220__domain_package_token_idx.sql
+V221__remove_contact_history.sql
+V222__remove_contact.sql
--- a/db/src/main/resources/sql/flyway/V221__remove_contact_history.sql
+++ b/db/src/main/resources/sql/flyway/V221__remove_contact_history.sql
@@ -0,0 +1,15 @@
+-- Copyright 2026 The Nomulus Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DROP TABLE IF EXISTS "ContactHistory";
--- a/db/src/main/resources/sql/flyway/V222__remove_contact.sql
+++ b/db/src/main/resources/sql/flyway/V222__remove_contact.sql
@@ -0,0 +1,15 @@
+-- Copyright 2026 The Nomulus Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DROP TABLE IF EXISTS "Contact";
--- a/db/src/main/resources/sql/schema/db-schema.sql.generated
+++ b/db/src/main/resources/sql/schema/db-schema.sql.generated
@@ -333,7 +333,7 @@
    );

    create table "FeatureFlag" (
-        feature_name text not null check (feature_name in ('TEST_FEATURE','MINIMUM_DATASET_CONTACTS_OPTIONAL','MINIMUM_DATASET_CONTACTS_PROHIBITED','INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS','PROHIBIT_CONTACT_OBJECTS_ON_LOGIN')),
+        feature_name text not null check (feature_name in ('TEST_FEATURE','FEE_EXTENSION_1_DOT_0_IN_PROD','MINIMUM_DATASET_CONTACTS_OPTIONAL','MINIMUM_DATASET_CONTACTS_PROHIBITED','INCLUDE_PENDING_DELETE_DATE_FOR_DOMAINS','PROHIBIT_CONTACT_OBJECTS_ON_LOGIN')),
        status hstore not null,
        primary key (feature_name)
    );
--- a/db/src/main/resources/sql/schema/nomulus.golden.sql
+++ b/db/src/main/resources/sql/schema/nomulus.golden.sql
@@ -287,150 +287,6 @@ CREATE TABLE public."ConsoleUpdateHistory" (
 );


--
-- Name: Contact; Type: TABLE; Schema: public; Owner: -
--
-
-CREATE TABLE public."Contact" (
-    repo_id text NOT NULL,
-    creation_registrar_id text NOT NULL,
-    creation_time timestamp with time zone NOT NULL,
-    current_sponsor_registrar_id text NOT NULL,
-    deletion_time timestamp with time zone,
-    last_epp_update_registrar_id text,
-    last_epp_update_time timestamp with time zone,
-    statuses text[],
-    auth_info_repo_id text,
-    auth_info_value text,
-    contact_id text,
-    disclose_types_addr text[],
-    disclose_show_email boolean,
-    disclose_show_fax boolean,
-    disclose_mode_flag boolean,
-    disclose_types_name text[],
-    disclose_types_org text[],
-    disclose_show_voice boolean,
-    email text,
-    fax_phone_extension text,
-    fax_phone_number text,
-    addr_i18n_city text,
-    addr_i18n_country_code text,
-    addr_i18n_state text,
-    addr_i18n_street_line1 text,
-    addr_i18n_street_line2 text,
-    addr_i18n_street_line3 text,
-    addr_i18n_zip text,
-    addr_i18n_name text,
-    addr_i18n_org text,
-    addr_i18n_type text,
-    last_transfer_time timestamp with time zone,
-    addr_local_city text,
-    addr_local_country_code text,
-    addr_local_state text,
-    addr_local_street_line1 text,
-    addr_local_street_line2 text,
-    addr_local_street_line3 text,
-    addr_local_zip text,
-    addr_local_name text,
-    addr_local_org text,
-    addr_local_type text,
-    search_name text,
-    voice_phone_extension text,
-    voice_phone_number text,
-    transfer_poll_message_id_1 bigint,
-    transfer_poll_message_id_2 bigint,
-    transfer_client_txn_id text,
-    transfer_server_txn_id text,
-    transfer_gaining_registrar_id text,
-    transfer_losing_registrar_id text,
-    transfer_pending_expiration_time timestamp with time zone,
-    transfer_request_time timestamp with time zone,
-    transfer_status text,
-    update_timestamp timestamp with time zone,
-    transfer_history_entry_id bigint,
-    transfer_repo_id text,
-    transfer_poll_message_id_3 bigint,
-    last_update_time_via_epp timestamp with time zone
-);
-
-
--
-- Name: ContactHistory; Type: TABLE; Schema: public; Owner: -
--
-
-CREATE TABLE public."ContactHistory" (
-    history_revision_id bigint NOT NULL,
-    history_by_superuser boolean NOT NULL,
-    history_registrar_id text,
-    history_modification_time timestamp with time zone NOT NULL,
-    history_reason text,
-    history_requested_by_registrar boolean,
-    history_client_transaction_id text,
-    history_server_transaction_id text,
-    history_type text NOT NULL,
-    history_xml_bytes bytea,
-    auth_info_repo_id text,
-    auth_info_value text,
-    contact_id text,
-    disclose_types_addr text[],
-    disclose_show_email boolean,
-    disclose_show_fax boolean,
-    disclose_mode_flag boolean,
-    disclose_types_name text[],
-    disclose_types_org text[],
-    disclose_show_voice boolean,
-    email text,
-    fax_phone_extension text,
-    fax_phone_number text,
-    addr_i18n_city text,
-    addr_i18n_country_code text,
-    addr_i18n_state text,
-    addr_i18n_street_line1 text,
-    addr_i18n_street_line2 text,
-    addr_i18n_street_line3 text,
-    addr_i18n_zip text,
-    addr_i18n_name text,
-    addr_i18n_org text,
-    addr_i18n_type text,
-    last_transfer_time timestamp with time zone,
-    addr_local_city text,
-    addr_local_country_code text,
-    addr_local_state text,
-    addr_local_street_line1 text,
-    addr_local_street_line2 text,
-    addr_local_street_line3 text,
-    addr_local_zip text,
-    addr_local_name text,
-    addr_local_org text,
-    addr_local_type text,
-    search_name text,
-    transfer_poll_message_id_1 bigint,
-    transfer_poll_message_id_2 bigint,
-    transfer_client_txn_id text,
-    transfer_server_txn_id text,
-    transfer_gaining_registrar_id text,
-    transfer_losing_registrar_id text,
-    transfer_pending_expiration_time timestamp with time zone,
-    transfer_request_time timestamp with time zone,
-    transfer_status text,
-    voice_phone_extension text,
-    voice_phone_number text,
-    creation_registrar_id text,
-    creation_time timestamp with time zone,
-    current_sponsor_registrar_id text,
-    deletion_time timestamp with time zone,
-    last_epp_update_registrar_id text,
-    last_epp_update_time timestamp with time zone,
-    statuses text[],
-    contact_repo_id text NOT NULL,
-    update_timestamp timestamp with time zone,
-    transfer_history_entry_id bigint,
-    transfer_repo_id text,
-    transfer_poll_message_id_3 bigint,
-    last_update_time_via_epp timestamp with time zone
-);
-
-
 --
 -- Name: Cursor; Type: TABLE; Schema: public; Owner: -
 --
@@ -1596,22 +1452,6 @@ ALTER TABLE ONLY public."ConsoleUpdateHistory"
    ADD CONSTRAINT "ConsoleUpdateHistory_pkey" PRIMARY KEY (revision_id);


--
-- Name: ContactHistory ContactHistory_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."ContactHistory"
-    ADD CONSTRAINT "ContactHistory_pkey" PRIMARY KEY (contact_repo_id, history_revision_id);
-
-
--
-- Name: Contact Contact_pkey; Type: CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT "Contact_pkey" PRIMARY KEY (repo_id);
-
-
 --
 -- Name: Cursor Cursor_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -2112,13 +1952,6 @@ CREATE INDEX idx1dyqmqb61xbnj7mt7bk27ds25 ON public."DomainTransactionRecord" US
 CREATE INDEX idx1iy7njgb7wjmj9piml4l2g0qi ON public."HostHistory" USING btree (history_registrar_id);


--
-- Name: idx1p3esngcwwu6hstyua6itn6ff; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idx1p3esngcwwu6hstyua6itn6ff ON public."Contact" USING btree (search_name);
-
-
 --
 -- Name: idx1rcgkdd777bpvj0r94sltwd5y; Type: INDEX; Schema: public; Owner: -
 --
@@ -2147,13 +1980,6 @@ CREATE INDEX idx3d1mucv7axrhud8w8jl4vsu62 ON public."RegistrarUpdateHistory" USI
 CREATE INDEX idx3y3k7m2bkgahm9sixiohgyrga ON public."Domain" USING btree (transfer_billing_event_id);


--
-- Name: idx3y752kr9uh4kh6uig54vemx0l; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idx3y752kr9uh4kh6uig54vemx0l ON public."Contact" USING btree (creation_time);
-
-
 --
 -- Name: idx4ytbe5f3b39trsd4okx5ijhs4; Type: INDEX; Schema: public; Owner: -
 --
@@ -2280,13 +2106,6 @@ CREATE INDEX idx8nr0ke9mrrx4ewj6pd2ag4rmr ON public."Domain" USING btree (creati
 CREATE INDEX idx9g3s7mjv1yn4t06nqid39whss ON public."AllocationToken" USING btree (token_type);


--
-- Name: idx9q53px6r302ftgisqifmc6put; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idx9q53px6r302ftgisqifmc6put ON public."ContactHistory" USING btree (history_type);
-
-
 --
 -- Name: idx_console_update_history_acting_user; Type: INDEX; Schema: public; Owner: -
 --
@@ -2364,13 +2183,6 @@ CREATE INDEX idxbgssjudpm428mrv0xfpvgifps ON public."GracePeriod" USING btree (b
 CREATE INDEX idxbjacjlm8ianc4kxxvamnu94k5 ON public."UserUpdateHistory" USING btree (history_acting_user);


--
-- Name: idxbn8t4wp85fgxjl8q4ctlscx55; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxbn8t4wp85fgxjl8q4ctlscx55 ON public."Contact" USING btree (current_sponsor_registrar_id);
-
-
 --
 -- Name: idxcclyb3n5gbex8u8m9fjlujitw; Type: INDEX; Schema: public; Owner: -
 --
@@ -2455,13 +2267,6 @@ CREATE INDEX idxhlqqd5uy98cjyos72d81x9j95 ON public."DelegationSignerData" USING
 CREATE INDEX idxhmv411mdqo5ibn4vy7ykxpmlv ON public."BillingEvent" USING btree (allocation_token);


--
-- Name: idxhp33wybmb6tbpr1bq7ttwk8je; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxhp33wybmb6tbpr1bq7ttwk8je ON public."ContactHistory" USING btree (history_registrar_id);
-
-
 --
 -- Name: idxhteajcrxmq4o8rsys8kevyiqr; Type: INDEX; Schema: public; Owner: -
 --
@@ -2595,13 +2400,6 @@ CREATE INDEX idxm6k18dusy2lfi5y81k8g256sa ON public."RegistrarUpdateHistory" USI
 CREATE INDEX idxmk1d2ngdtfkg6odmw7l5ejisw ON public."DomainDsDataHistory" USING btree (domain_repo_id, domain_history_revision_id);


--
-- Name: idxn1f711wicdnooa2mqb7g1m55o; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxn1f711wicdnooa2mqb7g1m55o ON public."Contact" USING btree (deletion_time);
-
-
 --
 -- Name: idxn898pb9mwcg359cdwvolb11ck; Type: INDEX; Schema: public; Owner: -
 --
@@ -2630,20 +2428,6 @@ CREATE INDEX idxnjhib7v6fj7dhj5qydkefkl2u ON public."Domain" USING btree (lordn_
 CREATE INDEX idxnuyqo6hrtuvbcmuecf7vkfmle ON public."PollMessage" USING btree (domain_repo_id, domain_history_revision_id);


--
-- Name: idxo1xdtpij2yryh0skxe9v91sep; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxo1xdtpij2yryh0skxe9v91sep ON public."ContactHistory" USING btree (creation_time);
-
-
--
-- Name: idxoqd7n4hbx86hvlgkilq75olas; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxoqd7n4hbx86hvlgkilq75olas ON public."Contact" USING btree (contact_id);
-
-
 --
 -- Name: idxoqttafcywwdn41um6kwlt0n8b; Type: INDEX; Schema: public; Owner: -
 --
@@ -2756,13 +2540,6 @@ CREATE INDEX idxsfci08jgsymxy6ovh4k7r358c ON public."Domain" USING btree (billin
 CREATE INDEX idxsu1nam10cjes9keobapn5jvxj ON public."DomainHistory" USING btree (history_type);


--
-- Name: idxsudwswtwqnfnx2o1hx4s0k0g5; Type: INDEX; Schema: public; Owner: -
--
-
-CREATE INDEX idxsudwswtwqnfnx2o1hx4s0k0g5 ON public."ContactHistory" USING btree (history_modification_time);
-
-
 --
 -- Name: idxtmlqd31dpvvd2g1h9i7erw6aj; Type: INDEX; Schema: public; Owner: -
 --
@@ -2833,14 +2610,6 @@ CREATE INDEX spec11threatmatch_registrar_id_idx ON public."Spec11ThreatMatch" US
 CREATE INDEX spec11threatmatch_tld_idx ON public."Spec11ThreatMatch" USING btree (tld);


--
-- Name: Contact fk1sfyj7o7954prbn1exk7lpnoe; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT fk1sfyj7o7954prbn1exk7lpnoe FOREIGN KEY (creation_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
 --
 -- Name: Domain fk2jc69qyg2tv9hhnmif6oa1cx1; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@@ -2881,14 +2650,6 @@ ALTER TABLE ONLY public."ClaimsEntry"
    ADD CONSTRAINT fk6sc6at5hedffc0nhdcab6ivuq FOREIGN KEY (revision_id) REFERENCES public."ClaimsList"(revision_id) DEFERRABLE INITIALLY DEFERRED;


--
-- Name: Contact fk93c185fx7chn68uv7nl6uv2s0; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT fk93c185fx7chn68uv7nl6uv2s0 FOREIGN KEY (current_sponsor_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
 --
 -- Name: BillingCancellation fk_billing_cancellation_billing_event_id; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@@ -2953,30 +2714,6 @@ ALTER TABLE ONLY public."ConsoleUpdateHistory"
    ADD CONSTRAINT fk_console_update_history_acting_user FOREIGN KEY (acting_user) REFERENCES public."User"(email_address);


--
-- Name: ContactHistory fk_contact_history_registrar_id; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."ContactHistory"
-    ADD CONSTRAINT fk_contact_history_registrar_id FOREIGN KEY (history_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
--
-- Name: Contact fk_contact_transfer_gaining_registrar_id; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT fk_contact_transfer_gaining_registrar_id FOREIGN KEY (transfer_gaining_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
--
-- Name: Contact fk_contact_transfer_losing_registrar_id; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT fk_contact_transfer_losing_registrar_id FOREIGN KEY (transfer_losing_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
 --
 -- Name: Domain fk_domain_billing_recurrence_id; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@@ -3257,14 +2994,6 @@ ALTER TABLE ONLY public."Domain"
    ADD CONSTRAINT fkjc0r9r5y1lfbt4gpbqw4wsuvq FOREIGN KEY (last_epp_update_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;


--
-- Name: Contact fkmb7tdiv85863134w1wogtxrb2; Type: FK CONSTRAINT; Schema: public; Owner: -
--
-
-ALTER TABLE ONLY public."Contact"
-    ADD CONSTRAINT fkmb7tdiv85863134w1wogtxrb2 FOREIGN KEY (last_epp_update_registrar_id) REFERENCES public."Registrar"(registrar_id) DEFERRABLE INITIALLY DEFERRED;
-
-
 --
 -- Name: PremiumEntry fko0gw90lpo1tuee56l0nb6y6g5; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
--- a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@@ -70,10 +70,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
  /**
   * The list of cipher suites that are currently acceptable to create a successful handshake.
   *
-   * <p>This list includes all of the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with
-   * no known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the
-   * ciphers internally but the IANA names listed here will be transparently translated by the
-   * OpenSSL provider (if used), so there is no need to include the OpenSSL name variants here. More
+   * <p>This list includes all the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with no
+   * known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the ciphers
+   * internally but the IANA names listed here will be transparently translated by the OpenSSL
+   * provider (if used), so there is no need to include the OpenSSL name variants here. More
   * information about these cipher suites and their OpenSSL names can be found at ciphersuite.info.
   */
  private static final ImmutableList<String> ALLOWED_TLS_CIPHERS =
@@ -90,6 +90,10 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
          "TLS_AES_128_CCM_SHA256",
          "TLS_AES_128_CCM_8_SHA256");

+  /** Thankfully, the JDK supports TLS version 1.3 now. */
+  private static final ImmutableList<String> SUPPORTED_TLS_VERSIONS =
+      ImmutableList.of("TLSv1.3", "TLSv1.2");
+
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private final boolean requireClientCert;
  // TODO(jianglai): Always validate client certs (if required).
@@ -99,7 +103,6 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
  // change when the artifacts on GCS changes.
  private final Supplier<PrivateKey> privateKeySupplier;
  private final Supplier<ImmutableList<X509Certificate>> certificatesSupplier;
-  private final ImmutableList<String> supportedSslVersions;

  public SslServerInitializer(
      boolean requireClientCert,
@@ -116,12 +119,6 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
    this.sslProvider = sslProvider;
    this.privateKeySupplier = privateKeySupplier;
    this.certificatesSupplier = certificatesSupplier;
-    this.supportedSslVersions =
-        sslProvider == SslProvider.OPENSSL
-            ? ImmutableList.of("TLSv1.3", "TLSv1.2")
-            // JDK support for TLS 1.3 won't be available until 2021-04-20 at the earliest.
-            // See: https://java.com/en/jre-jdk-cryptoroadmap.html
-            : ImmutableList.of("TLSv1.2");
  }

  @Override
@@ -133,7 +130,7 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
            .sslProvider(sslProvider)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)
-            .protocols(supportedSslVersions)
+            .protocols(SUPPORTED_TLS_VERSIONS)
            .ciphers(ALLOWED_TLS_CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
            .build();

--- a/proxy/terraform/example_config.tf
+++ b/proxy/terraform/example_config.tf
@@ -12,7 +12,4 @@ module "proxy" {
  gcr_project_name         = "YOUR_GCR_PROJECT"
  proxy_domain_name        = "YOUR_PROXY_DOMAIN"
  proxy_certificate_bucket = "YOUR_CERTIFICATE_BUCKET"
-
-  # Uncomment to disable forwarding of whois HTTP interfaces.
-  # public_web_whois         = 0
 }
--- a/proxy/terraform/modules/networking.tf
+++ b/proxy/terraform/modules/networking.tf
@@ -9,7 +9,6 @@ module "proxy_networking" {
  proxy_ports           = var.proxy_ports
  proxy_domain          = google_dns_managed_zone.proxy_domain.name
  proxy_domain_name     = google_dns_managed_zone.proxy_domain.dns_name
-  public_web_whois      = var.public_web_whois
 }

 module "proxy_networking_canary" {
@@ -19,5 +18,4 @@ module "proxy_networking_canary" {
  proxy_ports           = var.proxy_ports_canary
  proxy_domain          = google_dns_managed_zone.proxy_domain.name
  proxy_domain_name     = google_dns_managed_zone.proxy_domain.dns_name
-  public_web_whois      = var.public_web_whois
 }
--- a/proxy/terraform/modules/networking/dns.tf
+++ b/proxy/terraform/modules/networking/dns.tf
@@ -13,19 +13,3 @@ resource "google_dns_record_set" "proxy_epp_aaaa_record" {
  managed_zone = var.proxy_domain
  rrdatas      = [google_compute_global_address.proxy_ipv6_address.address]
 }
-
-resource "google_dns_record_set" "proxy_whois_a_record" {
-  name         = "whois${var.suffix}.${var.proxy_domain_name}"
-  type         = "A"
-  ttl          = 300
-  managed_zone = var.proxy_domain
-  rrdatas      = [google_compute_global_address.proxy_ipv4_address.address]
-}
-
-resource "google_dns_record_set" "proxy_whois_aaaa_record" {
-  name         = "whois${var.suffix}.${var.proxy_domain_name}"
-  type         = "AAAA"
-  ttl          = 300
-  managed_zone = var.proxy_domain
-  rrdatas      = [google_compute_global_address.proxy_ipv6_address.address]
-}
--- a/proxy/terraform/modules/networking/loadbalancer.tf
+++ b/proxy/terraform/modules/networking/loadbalancer.tf
@@ -17,10 +17,7 @@ resource "google_compute_firewall" "proxy_firewall" {

    ports = [
      var.proxy_ports["epp"],
-      var.proxy_ports["whois"],
      var.proxy_ports["health_check"],
-      var.proxy_ports["http-whois"],
-      var.proxy_ports["https-whois"],
    ]
  }

@@ -44,21 +41,6 @@ resource "google_compute_health_check" "proxy_health_check" {
  }
 }

-resource "google_compute_health_check" "proxy_http_health_check" {
-  name = "proxy-http-health-check${var.suffix}"
-
-  http_health_check {
-    host         = "health-check.invalid"
-    port         = var.proxy_ports["http-whois"]
-    request_path = "/"
-  }
-}
-
-resource "google_compute_url_map" "proxy_url_map" {
-  name            = "proxy-url-map${var.suffix}"
-  default_service = google_compute_backend_service.http_whois_backend_service.self_link
-}
-
 resource "google_compute_backend_service" "epp_backend_service" {
  name        = "epp-backend-service${var.suffix}"
  protocol    = "TCP"
@@ -82,97 +64,12 @@ resource "google_compute_backend_service" "epp_backend_service" {
  ]
 }

-resource "google_compute_backend_service" "whois_backend_service" {
-  name        = "whois-backend-service${var.suffix}"
-  protocol    = "TCP"
-  timeout_sec = 60
-  port_name   = "whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_health_check.self_link,
-  ]
-}
-
-resource "google_compute_backend_service" "https_whois_backend_service" {
-  name        = "https-whois-backend-service${var.suffix}"
-  protocol    = "TCP"
-  timeout_sec = 60
-  port_name   = "https-whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_health_check.self_link,
-  ]
-}
-
-resource "google_compute_backend_service" "http_whois_backend_service" {
-  name        = "http-whois-backend-service${var.suffix}"
-  protocol    = "HTTP"
-  timeout_sec = 60
-  port_name   = "http-whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_http_health_check.self_link,
-  ]
-}
-
 resource "google_compute_target_tcp_proxy" "epp_tcp_proxy" {
  name            = "epp-tcp-proxy${var.suffix}"
  proxy_header    = "PROXY_V1"
  backend_service = google_compute_backend_service.epp_backend_service.self_link
 }

-resource "google_compute_target_tcp_proxy" "whois_tcp_proxy" {
-  name            = "whois-tcp-proxy${var.suffix}"
-  proxy_header    = "PROXY_V1"
-  backend_service = google_compute_backend_service.whois_backend_service.self_link
-}
-
-resource "google_compute_target_tcp_proxy" "https_whois_tcp_proxy" {
-  name            = "https-whois-tcp-proxy${var.suffix}"
-  backend_service = google_compute_backend_service.https_whois_backend_service.self_link
-}
-
-resource "google_compute_target_http_proxy" "http_whois_http_proxy" {
-  name    = "http-whois-tcp-proxy${var.suffix}"
-  url_map = google_compute_url_map.proxy_url_map.self_link
-}
-
 resource "google_compute_global_forwarding_rule" "epp_ipv4_forwarding_rule" {
  name       = "epp-ipv4-forwarding-rule${var.suffix}"
  ip_address = google_compute_global_address.proxy_ipv4_address.address
@@ -186,49 +83,3 @@ resource "google_compute_global_forwarding_rule" "epp_ipv6_forwarding_rule" {
  target     = google_compute_target_tcp_proxy.epp_tcp_proxy.self_link
  port_range = "700"
 }
-
-resource "google_compute_global_forwarding_rule" "whois_ipv4_forwarding_rule" {
-  name       = "whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_tcp_proxy.whois_tcp_proxy.self_link
-  port_range = "43"
-}
-
-resource "google_compute_global_forwarding_rule" "whois_ipv6_forwarding_rule" {
-  name       = "whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_tcp_proxy.whois_tcp_proxy.self_link
-  port_range = "43"
-}
-
-resource "google_compute_global_forwarding_rule" "https_whois_ipv4_forwarding_rule" {
-  name       = "https-whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_tcp_proxy.https_whois_tcp_proxy.self_link
-  port_range = "443"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "https_whois_ipv6_forwarding_rule" {
-  name       = "https-whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_tcp_proxy.https_whois_tcp_proxy.self_link
-  port_range = "443"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "http_whois_ipv4_forwarding_rule" {
-  name       = "http-whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_http_proxy.http_whois_http_proxy.self_link
-  port_range = "80"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "http_whois_ipv6_forwarding_rule" {
-  name       = "http-whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_http_proxy.http_whois_http_proxy.self_link
-  port_range = "80"
-  count      = var.public_web_whois
-}
--- a/proxy/terraform/modules/networking/variables.tf
+++ b/proxy/terraform/modules/networking/variables.tf
@@ -20,13 +20,3 @@ variable "proxy_domain" {
 variable "proxy_domain_name" {
  description = "Domain name of the zone."
 }
-
-variable "public_web_whois" {
-  type        = number
-  description = <<EOF
-    Set to 1 if the whois HTTP ports are external, 0 if not.  This is necessary
-    because our test projects are configured with
-    constraints/compute.restrictLoadBalancerCreationForTypes, which prohibits
-    forwarding external HTTP(s) connections.
-    EOF
-}
--- a/proxy/terraform/modules/variables.tf
+++ b/proxy/terraform/modules/variables.tf
@@ -8,7 +8,7 @@ variable "gcr_project_name" {

 variable "proxy_domain_name" {
  description = <<EOF
-    The base domain name of the proxy, without the whois. or epp. part.
+    The base domain name of the proxy, without the epp. part.
    EOF
 }

@@ -35,10 +35,7 @@ variable "proxy_ports" {

  default = {
    health_check = 30000
-    whois        = 30001
    epp          = 30002
-    http-whois   = 30010
-    https-whois  = 30011
  }
 }

@@ -48,20 +45,6 @@ variable "proxy_ports_canary" {

  default = {
    health_check = 31000
-    whois        = 31001
    epp          = 31002
-    http-whois   = 31010
-    https-whois  = 31011
  }
 }
-
-variable "public_web_whois" {
-  type        = number
-  default     = 1
-  description = <<EOF
-    Set to 1 if the whois HTTP ports are external, 0 if not.  This is necessary
-    because our test projects are configured with
-    constraints/compute.restrictLoadBalancerCreationForTypes, which prohibits
-    forwarding external HTTP(s) connections.
-    EOF
-}
--- a/proxy/terraform/update_named_ports.sh
+++ b/proxy/terraform/update_named_ports.sh
@@ -18,9 +18,8 @@
 # the project, zone and instance group names, and then call gcloud to add the
 # named ports.

-PROD_PORTS="whois:30001,epp:30002,http-whois:30010,https-whois:30011"
-CANARY_PORTS="whois-canary:31001,epp-canary:31002,"\
-"http-whois-canary:31010,https-whois-canary:31011"
+PROD_PORTS="epp:30002"
+CANARY_PORTS="epp-canary:31002"

 while read line
 do
Author	SHA1	Message	Date
gbrodman	f2cfd36b73	Always allow both TLS 1.2 and 1.3 (#2978 ) The JDK version of SSL has long supported TLS v1.3 (since version 11) so fortunately we can use TLS v1.3 regardless if which implementation of SSL we're using. We prefer OpenSSL in general so I'm not entirely sure why we were using the JDK version of SSL on the proxy before, but this should work and be a good idea regardless. Tested on alpha by running ``` $ openssl s_client -connect epp.registryalpha.foo:700 -tls1_3 -ciphersuites "TLS_AES_128_GCM_SHA256" ``` Previously we'd get a failure, now it returns the proper cert data.	2026-03-09 22:51:17 +00:00
Weimin Yu	8ea5fe3774	Enable Fee-1.0 extension in prod (#2975 ) This extension has been in Sandbox for more than a month.	2026-03-05 20:22:33 +00:00
gbrodman	9544d70048	Remove whois networking from the proxy (#2976 )	2026-03-04 20:14:42 +00:00
gbrodman	50a639937a	Remove Contact and ContactHistory SQL tables (#2977 ) We no longer use or reference these anywhere in the codebase.	2026-03-04 18:49:06 +00:00