Remove more cipher suites not supported by Java 11 from set configured for use by ZooKeeper

author: Harald Musum <musum@verizonmedia.com> 2019-11-21 08:17:54 +0100
committer: Harald Musum <musum@verizonmedia.com> 2019-11-21 08:17:54 +0100
commit: f50320c26942304629d79c80cdc6776f4c486f7e (patch)
tree: 446122ef06eca481248d100f145a9868049e440c
parent: 05377eb166b3d310774545fdd35172991dba9390 (diff)
3 files changed, 15 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
index 5253e9e6a7e..6ad5f6c3612 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java
@@ -13,7 +13,16 @@ import java.util.Set;
  */
 public interface TlsContext extends AutoCloseable {
 
-    // TODO: Where does this set come from?
+    /**
+     * Handpicked subset of supported ciphers from https://www.openssl.org/docs/manmaster/man1/ciphers.html
+     * based on Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
+     * For TLSv1.2 we only allow RSA and ECDSA with ephemeral key exchange and GCM.
+     * For TLSv1.3 we allow the DEFAULT group ciphers.
+     * Note that we _only_ allow AEAD ciphers for either TLS version.
+     */
+    // TODO: Remove TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256?
+    // These cipher suites are not supported in Java 11, see https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
     Set<String> ALLOWED_CIPHER_SUITES = Set.of(
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
diff --git a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
index 8b880ba6a97..fe4a3170954 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
@@ -165,8 +165,11 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna
 
     private TreeSet<String> getCipherSuites() {
         Set<String> cipherSuites = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
-        // Remove cipher suite not supported by Java
+        // Remove cipher suites not supported by Java 11
         cipherSuites.remove("TLS_CHACHA20_POLY1305_SHA256");
+        cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
+        cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
+        cipherSuites.remove("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
         return new TreeSet<>(cipherSuites);
     }
 
diff --git a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
index 1f995655fd1..64feec7b9ed 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
@@ -204,7 +204,7 @@ public class VespaZooKeeperServerImplTest {
     private String commonTlsConfig() {
         return "ssl.quorum.hostnameVerification=false\n" +
                "ssl.quorum.clientAuth=NEED\n" +
-               "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
+               "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
                "ssl.quorum.enabledProtocols=TLSv1.2\n" +
                "ssl.quorum.protocol=TLS\n";
     }
author	Harald Musum <musum@verizonmedia.com>	2019-11-21 08:17:54 +0100
committer	Harald Musum <musum@verizonmedia.com>	2019-11-21 08:17:54 +0100
commit	f50320c26942304629d79c80cdc6776f4c486f7e (patch)
tree	446122ef06eca481248d100f145a9868049e440c
parent	05377eb166b3d310774545fdd35172991dba9390 (diff)