diff options
author | Harald Musum <musum@verizonmedia.com> | 2019-11-21 08:17:54 +0100 |
---|---|---|
committer | Harald Musum <musum@verizonmedia.com> | 2019-11-21 08:17:54 +0100 |
commit | f50320c26942304629d79c80cdc6776f4c486f7e (patch) | |
tree | 446122ef06eca481248d100f145a9868049e440c | |
parent | 05377eb166b3d310774545fdd35172991dba9390 (diff) |
Remove more cipher suites not supported by Java 11 from set configured for use by ZooKeeper
3 files changed, 15 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 5253e9e6a7e..6ad5f6c3612 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -13,7 +13,16 @@ import java.util.Set; */ public interface TlsContext extends AutoCloseable { - // TODO: Where does this set come from? + /** + * Handpicked subset of supported ciphers from https://www.openssl.org/docs/manmaster/man1/ciphers.html + * based on Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS + * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM. + * For TLSv1.3 we allow the DEFAULT group ciphers. + * Note that we _only_ allow AEAD ciphers for either TLS version. + */ + // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256? + // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Set<String> ALLOWED_CIPHER_SUITES = Set.of( "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", diff --git a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java index 8b880ba6a97..fe4a3170954 100644 --- a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java +++ b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java @@ -165,8 +165,11 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna private TreeSet<String> getCipherSuites() { Set<String> cipherSuites = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES); - // Remove cipher suite not supported by Java + // Remove cipher suites not supported by Java 11 cipherSuites.remove("TLS_CHACHA20_POLY1305_SHA256"); + cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); + cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); + cipherSuites.remove("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); return new TreeSet<>(cipherSuites); } diff --git a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java index 1f995655fd1..64feec7b9ed 100644 --- a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java +++ b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java @@ -204,7 +204,7 @@ public class VespaZooKeeperServerImplTest { private String commonTlsConfig() { return "ssl.quorum.hostnameVerification=false\n" + "ssl.quorum.clientAuth=NEED\n" + - "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" + + "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" + "ssl.quorum.enabledProtocols=TLSv1.2\n" + "ssl.quorum.protocol=TLS\n"; } |