author | Arnstein Ressem <aressem@gmail.com> | 2022-04-08 21:01:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-08 21:01:30 +0200 |
commit | f752ae285c34841561b94238e915a085c9ebdd00 (patch) | |
tree | 02f41fd24bfa479a01301b3777228660dc0f563b | |
parent | c391dd7876516ec296430723ad4f1969dd988003 (diff) |
Revert "Revert "Add recommended java.security options.""
-rwxr-xr-x | configserver/src/main/sh/start-configserver | 13 | ||||
-rwxr-xr-x | container-disc/src/main/sh/vespa-start-container-daemon.sh | 1 | ||||
-rw-r--r-- | dist/vespa.spec | 1 | ||||
-rwxr-xr-x | standalone-container/src/main/sh/standalone-container.sh | 1 | ||||
-rw-r--r-- | vespabase/conf/java.security.override | 22 |
5 files changed, 32 insertions, 6 deletions
diff --git a/configserver/src/main/sh/start-configserver b/configserver/src/main/sh/start-configserver
index 81382fcea9a..4ed972245ae 100755
--- a/configserver/src/main/sh/start-configserver
+++ b/configserver/src/main/sh/start-configserver
@@ -172,14 +172,15 @@ vespa-run-as-vespa-user vespa-runserver -s configserver -r 30 -p $pidfile -- \
 -XX:-OmitStackTraceInFastThrow \
 -XX:MaxJavaStackTraceDepth=1000000 \
 $jvmargs \
- --add-opens=java.base/java.io=ALL-UNNAMED \
- --add-opens=java.base/java.lang=ALL-UNNAMED \
- --add-opens=java.base/java.net=ALL-UNNAMED \
- --add-opens=java.base/java.nio=ALL-UNNAMED \
- --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED \
- --add-opens=java.base/sun.security.ssl=ALL-UNNAMED \
+ --add-opens=java.base/java.io=ALL-UNNAMED \
+ --add-opens=java.base/java.lang=ALL-UNNAMED \
+ --add-opens=java.base/java.net=ALL-UNNAMED \
+ --add-opens=java.base/java.nio=ALL-UNNAMED \
+ --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED \
+ --add-opens=java.base/sun.security.ssl=ALL-UNNAMED \
 -Djava.io.tmpdir=${VESPA_HOME}/tmp \
 -Djava.library.path=${VESPA_HOME}/lib64 \
+ -Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \
 -Djava.awt.headless=true \
 -Dsun.rmi.dgc.client.gcInterval=3600000 \
 -Dsun.net.client.defaultConnectTimeout=5000 -Dsun.net.client.defaultReadTimeout=60000 \
diff --git a/container-disc/src/main/sh/vespa-start-container-daemon.sh b/container-disc/src/main/sh/vespa-start-container-daemon.sh
index a6c2c5999a8..19d54b2cfea 100755
--- a/container-disc/src/main/sh/vespa-start-container-daemon.sh
+++ b/container-disc/src/main/sh/vespa-start-container-daemon.sh
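Review bot: The added `-Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \` is, as far as I recall of the JDK's Security property loading, silently skipped when the file is absent or unreadable (only `-Djava.security.debug=properties` reports it), so a packaging or permissions slip would quietly run the config server on the JDK's stock TLS policy. Since the hardening is the whole point of this change, the launcher should say so before starting the JVM, e.g. `[ -r "${VESPA_HOME}/conf/vespa/java.security.override" ] || echo "warning: ${VESPA_HOME}/conf/vespa/java.security.override not readable, JDK security defaults apply" >&2`. The six `--add-opens` lines are removed and re-added with the same text, so that part of the hunk appears to be a whitespace-only change (the collapsed rendering hides the indentation). The `vespa-run-as-vespa-user vespa-runserver` command this hunk edits starts before the hunk and continues past it.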
@@ -285,6 +285,7 @@ exec $numactlcmd $envcmd java \
 --add-opens=java.base/sun.security.ssl=ALL-UNNAMED \
 -Djava.io.tmpdir="${VESPA_HOME}/tmp" \
 -Djava.library.path="${VESPA_HOME}/lib64" \
+ -Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \
 -Djava.awt.headless=true \
 -Djavax.net.ssl.keyStoreType=JKS \
 -Djdk.tls.rejectClientInitiatedRenegotiation=true \
diff --git a/dist/vespa.spec b/dist/vespa.spec
index ce2f0137262..71d976f64a3 100644
--- a/dist/vespa.spec
+++ b/dist/vespa.spec
@@ -783,6 +783,7 @@ fi
 %dir %{_prefix}/conf
 %dir %{_prefix}/conf/vespa
 %config(noreplace) %{_prefix}/conf/vespa/default-env.txt
+%config(noreplace) %{_prefix}/conf/vespa/java.security.override
 %{_prefix}/jdk
 %dir %{_prefix}/lib
 %dir %{_prefix}/lib/jars
diff --git a/standalone-container/src/main/sh/standalone-container.sh b/standalone-container/src/main/sh/standalone-container.sh
index b34535c6867..dc82235f6c4 100755
--- a/standalone-container/src/main/sh/standalone-container.sh
+++ b/standalone-container/src/main/sh/standalone-container.sh
@@ -176,6 +176,7 @@ StartCommand() {
 --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED \
 --add-opens=java.base/sun.security.ssl=ALL-UNNAMED \
 -Djava.library.path="$VESPA_HOME/lib64" \
+ -Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \
 -Djava.awt.headless=true \
 -Dsun.rmi.dgc.client.gcInterval=3600000 \
 -Dsun.net.client.defaultConnectTimeout=5000 \
diff --git a/vespabase/conf/java.security.override b/vespabase/conf/java.security.override
new file mode 100644
index 00000000000..5acbb15303b
--- /dev/null
+++ b/vespabase/conf/java.security.override
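Review bot: The added `-Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \` leaves `${VESPA_HOME}` unquoted while the two lines directly above it, `-Djava.io.tmpdir="${VESPA_HOME}/tmp"` and `-Djava.library.path="${VESPA_HOME}/lib64"`, quote it; a VESPA_HOME containing whitespace would split this one argument and the JVM would start without the TLS overrides while every other path still resolves. Match the neighbours: `-Djava.security.properties="${VESPA_HOME}/conf/vespa/java.security.override" \`. The `exec $numactlcmd $envcmd java` command starts before the hunk and continues after it.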
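Review bot: `%config(noreplace)` on the new `%{_prefix}/conf/vespa/java.security.override` means that once an operator edits the file, later package versions that tighten `jdk.tls.disabledAlgorithms` or drop a newly broken cipher land as `java.security.override.rpmnew` and never take effect on that host. That is the right choice for a site-local policy file but the wrong one for a vendor-maintained hardening baseline; if the latter is intended, plain `%config` (with a separate site-local file for operator additions) keeps upgrades effective. Whichever is chosen, record it next to the line, e.g. `# noreplace: operators may tune TLS policy locally; vendor updates arrive as .rpmnew`, so the next maintainer does not flip it by accident.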
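Review bot: The added `-Djava.security.properties=${VESPA_HOME}/conf/vespa/java.security.override \` uses an unquoted `${VESPA_HOME}` immediately after `-Djava.library.path="$VESPA_HOME/lib64" \`, which quotes it, so the new argument is the only one in this stretch that would break on a VESPA_HOME with whitespace, and the failure mode is a JVM running on stock JDK TLS defaults. Suggest `-Djava.security.properties="${VESPA_HOME}/conf/vespa/java.security.override" \`; the same spelling in the container-disc and config-server launchers would keep the three in step. `StartCommand()` continues past the end of the hunk.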
@@ -0,0 +1,22 @@
+securerandom.source=file:/dev/urandom
+networkaddress.cache.ttl=5
+networkaddress.cache.negative.ttl=5
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ DES40_CBC, RC4_40, 3DES_EDE_CBC, \
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA, \
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, \
+ RSA_WITH_3DES_EDE_CBC_SHA, \
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC
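Review bot: `jdk.tls.disabledAlgorithms` and `jdk.tls.legacyAlgorithms` here replace the JDK's own value for those keys — a single `=` in `-Djava.security.properties` merges per property, it does not append to a list — so anything the bundled JDK disables by default that is not repeated in this file, for example the `include jdk.disabled.namedCurves` directive that newer JDK `java.security` files carry, becomes enabled again; the lists should be diffed against the bundled JDK's `conf/security/java.security` now and re-checked on every JDK upgrade. `3DES_EDE_CBC` appears twice in the disabled list (on the `DH keySize < 1024` line and again on the `DES40_CBC` line); harmless, but one copy should go. The file has no comments at all, and Java security property files accept `#`, so a short header would save the next maintainer a trip to the launchers: something along the lines of `# Merged into the JDK's java.security via -Djava.security.properties (see the start scripts). Each key below REPLACES the JDK default for that key, so keep the disabled lists a superset of the bundled JDK's. Re-verify after every JDK upgrade.` The DHE_RSA suites are disabled without a stated reason — presumably to force ECDHE key exchange — so that rationale belongs in a comment too, once confirmed with the author.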