author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-11-25 17:39:10 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-11-25 17:41:13 +0100 |
commit | aff2569d1d8b3250cb873a8ab9fcbf3579fda8e3 (patch) | |
tree | a82b327e39cbdc2221d9078fa88de6f3cddcf974 /zookeeper-server | |
parent | f4546c5c11cba8725adeba626ed37a335f2ab578 (diff) |
Use new methods in TlsContext to determine supported SSL parameters
Diffstat (limited to 'zookeeper-server')
2 files changed, 14 insertions, 18 deletions
diff --git a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
index fe4a3170954..17edfb22d56 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
@@ -9,14 +9,14 @@ import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyStoreUtils;
 import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityOptions;
 import com.yahoo.security.tls.TransportSecurityUtils;
 import com.yahoo.text.Utf8;
 
-import static com.yahoo.vespa.defaults.Defaults.getDefaults;
-
+import javax.net.ssl.SSLContext;
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
@@ -25,13 +25,14 @@ import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.stream.Collectors;
 
+import static com.yahoo.vespa.defaults.Defaults.getDefaults;
+
 /**
  * Writes zookeeper config and starts zookeeper server.
  *
@@ -120,12 +121,17 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna StringBuilder sb = new StringBuilder(); + // Create a SSLContext instance and determine the allowed ciphers/versions supported by the JVM's default provider. + SSLContext sslContext = new SslContextBuilder().build(); + Set<String> allowedCiphers = new TreeSet<>(TlsContext.getAllowedCipherSuites(sslContext)); + Set<String> allowedProtocols = new TreeSet<>(TlsContext.getAllowedProtocols(sslContext)); + // Common config sb.append("ssl.quorum.hostnameVerification=false\n"); sb.append("ssl.quorum.clientAuth=NEED\n"); - sb.append("ssl.quorum.ciphersuites=").append(String.join(",", getCipherSuites())).append("\n"); - sb.append("ssl.quorum.enabledProtocols=").append(String.join(",", new TreeSet<>(TlsContext.ALLOWED_PROTOCOLS))).append("\n"); - sb.append("ssl.quorum.protocol=TLS\n"); + sb.append("ssl.quorum.ciphersuites=").append(String.join(",", allowedCiphers)).append("\n"); + sb.append("ssl.quorum.enabledProtocols=").append(String.join(",", allowedProtocols)).append("\n"); + sb.append("ssl.quorum.protocol=").append(sslContext.getProtocol()).append("\n"); boolean sslQuorum; boolean portUnification; 
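Review bot: Neither `allowedCiphers` nor `allowedProtocols` is checked for emptiness before being joined into the config, so if the JVM's default provider supports none of the allowed suites or protocols this code writes `ssl.quorum.ciphersuites=` and `ssl.quorum.enabledProtocols=` with empty values; how ZooKeeper treats an empty list is not visible here, but failing fast is safer than letting the quorum fall back to provider defaults: `if (allowedCiphers.isEmpty() || allowedProtocols.isEmpty()) throw new IllegalStateException("JVM default provider supports none of the allowed TLS cipher suites/protocols");` placed after the two `TreeSet` lines. The new comment should also read `// Create an SSLContext instance ...`, and it is worth stating there that the context is a throw-away used only to probe the provider, since `new SslContextBuilder().build()` is presumably created without the quorum key material — confirm that is the intent. The enclosing method starts and ends outside the hunk.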
@@ -163,16 +169,6 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna
         return sb.toString();
     }
 
-    private TreeSet<String> getCipherSuites() {
-        Set<String> cipherSuites = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
-        // Remove cipher suites not supported by Java 11
-        cipherSuites.remove("TLS_CHACHA20_POLY1305_SHA256");
-        cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
-        cipherSuites.remove("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
-        cipherSuites.remove("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
-        return new TreeSet<>(cipherSuites);
-    }
-
     private void writeMyIdFile(ZookeeperServerConfig config) throws IOException {
         if (config.server().size() > 1) {
             try (FileWriter writer = new FileWriter(getDefaults().underVespaHome(config.myidFile()))) {
diff --git a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
index 64feec7b9ed..f7467a2dbfe 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
@@ -204,9 +204,9 @@ public class VespaZooKeeperServerImplTest {
     private String commonTlsConfig() {
         return "ssl.quorum.hostnameVerification=false\n" +
                 "ssl.quorum.clientAuth=NEED\n" +
-                "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
+                "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" +
                 "ssl.quorum.enabledProtocols=TLSv1.2\n" +
-                "ssl.quorum.protocol=TLS\n";
+                "ssl.quorum.protocol=TLSv1.2\n";
     }
 
     private void validateConfigFileMultipleHosts(File cfgFile) throws IOException { |
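Review bot: The expected cipher and protocol lists in `commonTlsConfig()` are now pinned to whatever the build JVM's default provider happens to support, because the production code derives them from a live `SSLContext` (the hunk at line 121 of VespaZooKeeperServerImpl.java), so this test will break or quietly change meaning when the JDK used for the build changes rather than when the configuration logic does. Note that `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, which the removed `getCipherSuites()` workaround excluded as unsupported on Java 11, now appears in the expectation — presumably the old exclusion was stale, but that is worth confirming on the target runtime. A comment on the method stating that the literal lists reflect the JDK default provider at the time of writing, or deriving the expectation from `TlsContext.getAllowedCipherSuites(new SslContextBuilder().build())` and asserting the result is non-empty and a subset of `TlsContext.ALLOWED_CIPHER_SUITES`, would make that coupling explicit.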