diff options
10 files changed, 111 insertions, 66 deletions
diff --git a/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java b/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java index a6b800a9279..6afe3b74329 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java +++ b/jdisc_http_service/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java @@ -3,6 +3,7 @@ package com.yahoo.container.logging; import java.time.Instant; +import java.util.List; import java.util.Optional; import java.util.UUID; @@ -31,9 +32,7 @@ public class ConnectionLogEntry { private final Instant sslPeerNotBefore; private final Instant sslPeerNotAfter; private final String sslSniServerName; - private final String sslHandshakeFailureException; - private final String sslHandshakeFailureMessage; - private final String sslHandshakeFailureType; + private final SslHandshakeFailure sslHandshakeFailure; private ConnectionLogEntry(Builder builder) { @@ -57,9 +56,7 @@ public class ConnectionLogEntry { this.sslPeerNotBefore = builder.sslPeerNotBefore; this.sslPeerNotAfter = builder.sslPeerNotAfter; this.sslSniServerName = builder.sslSniServerName; - this.sslHandshakeFailureException = builder.sslHandshakeFailureException; - this.sslHandshakeFailureMessage = builder.sslHandshakeFailureMessage; - this.sslHandshakeFailureType = builder.sslHandshakeFailureType; + this.sslHandshakeFailure = builder.sslHandshakeFailure; } public static Builder builder(UUID id, Instant timestamp) { @@ -86,9 +83,33 @@ public class ConnectionLogEntry { public Optional<Instant> sslPeerNotBefore() { return Optional.ofNullable(sslPeerNotBefore); } public Optional<Instant> sslPeerNotAfter() { return Optional.ofNullable(sslPeerNotAfter); } public Optional<String> sslSniServerName() { return Optional.ofNullable(sslSniServerName); } - public Optional<String> sslHandshakeFailureException() { return Optional.ofNullable(sslHandshakeFailureException); } - public Optional<String> sslHandshakeFailureMessage() { return Optional.ofNullable(sslHandshakeFailureMessage); } - public Optional<String> sslHandshakeFailureType() { return Optional.ofNullable(sslHandshakeFailureType); } + public Optional<SslHandshakeFailure> sslHandshakeFailure() { return Optional.ofNullable(sslHandshakeFailure); } + + public static class SslHandshakeFailure { + private final String type; + private final List<ExceptionEntry> exceptionChain; + + public SslHandshakeFailure(String type, List<ExceptionEntry> exceptionChain) { + this.type = type; + this.exceptionChain = List.copyOf(exceptionChain); + } + + public String type() { return type; } + public List<ExceptionEntry> exceptionChain() { return exceptionChain; } + + public static class ExceptionEntry { + private final String name; + private final String message; + + public ExceptionEntry(String name, String message) { + this.name = name; + this.message = message; + } + + public String name() { return name; } + public String message() { return message; } + } + } public static class Builder { private final UUID id; @@ -111,9 +132,7 @@ public class ConnectionLogEntry { private Instant sslPeerNotBefore; private Instant sslPeerNotAfter; private String sslSniServerName; - private String sslHandshakeFailureException; - private String sslHandshakeFailureMessage; - private String sslHandshakeFailureType; + private SslHandshakeFailure sslHandshakeFailure; Builder(UUID id, Instant timestamp) { @@ -194,16 +213,8 @@ public class ConnectionLogEntry { this.sslSniServerName = sslSniServerName; return this; } - public Builder withSslHandshakeFailureException(String exception) { - this.sslHandshakeFailureException = exception; - return this; - } - public Builder withSslHandshakeFailureMessage(String message) { - this.sslHandshakeFailureMessage = message; - return this; - } - public Builder withSslHandshakeFailureType(String type) { - this.sslHandshakeFailureType = type; + public Builder withSslHandshakeFailure(SslHandshakeFailure sslHandshakeFailure) { + this.sslHandshakeFailure = sslHandshakeFailure; return this; } diff --git a/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java b/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java index 394f87c07cc..158d2ec4ea6 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java +++ b/jdisc_http_service/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java @@ -5,6 +5,7 @@ import com.fasterxml.jackson.core.JsonEncoding; import com.fasterxml.jackson.core.JsonFactory; import com.fasterxml.jackson.core.JsonGenerator; import com.fasterxml.jackson.databind.ObjectMapper; +import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry; import java.io.IOException; import java.io.OutputStream; @@ -46,13 +47,11 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> { Instant sslPeerNotBefore = unwrap(record.sslPeerNotBefore()); Instant sslPeerNotAfter = unwrap(record.sslPeerNotAfter()); String sslSniServerName = unwrap(record.sslSniServerName()); - String sslHandshakeFailureException = unwrap(record.sslHandshakeFailureException()); - String sslHandshakeFailureMessage = unwrap(record.sslHandshakeFailureMessage()); - String sslHandshakeFailureType = unwrap(record.sslHandshakeFailureType()); + ConnectionLogEntry.SslHandshakeFailure sslHandshakeFailure = unwrap(record.sslHandshakeFailure()); if (isAnyValuePresent( sslProtocol, sslSessionId, sslCipherSuite, sslPeerSubject, sslPeerNotBefore, sslPeerNotAfter, - sslSniServerName, sslHandshakeFailureException, sslHandshakeFailureMessage, sslHandshakeFailureType)) { + sslSniServerName, sslHandshakeFailure)) { generator.writeObjectFieldStart("ssl"); writeOptionalString(generator, "protocol", sslProtocol); @@ -63,11 +62,17 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> { writeOptionalTimestamp(generator, "peerNotAfter", sslPeerNotAfter); writeOptionalString(generator, "sniServerName", sslSniServerName); - if (isAnyValuePresent(sslHandshakeFailureException, sslHandshakeFailureMessage, sslHandshakeFailureType)) { + if (sslHandshakeFailure != null) { generator.writeObjectFieldStart("handshake-failure"); - writeOptionalString(generator, "exception", sslHandshakeFailureException); - writeOptionalString(generator, "message", sslHandshakeFailureMessage); - writeOptionalString(generator, "type", sslHandshakeFailureType); + generator.writeArrayFieldStart("exception"); + for (ExceptionEntry entry : sslHandshakeFailure.exceptionChain()) { + generator.writeStartObject(); + generator.writeStringField("cause", entry.name()); + generator.writeStringField("message", entry.message()); + generator.writeEndObject(); + } + generator.writeEndArray(); + generator.writeStringField("type", sslHandshakeFailure.type()); generator.writeEndObject(); } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java index cb3a5d046d8..34a91a3bbb4 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java @@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.server.jetty; import com.yahoo.container.logging.ConnectionLog; import com.yahoo.container.logging.ConnectionLogEntry; +import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry; import com.yahoo.io.HexDump; import com.yahoo.jdisc.http.ServerConfig; import org.eclipse.jetty.io.Connection; @@ -27,6 +28,7 @@ import javax.net.ssl.StandardConstants; import java.net.InetSocketAddress; import java.security.cert.X509Certificate; import java.time.Instant; +import java.util.ArrayList; import java.util.Date; import java.util.List; import java.util.Objects; @@ -222,9 +224,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List private Date sslPeerNotBefore; private Date sslPeerNotAfter; private List<SNIServerName> sslSniServerNames; - private String sslHandshakeFailureException; - private String sslHandshakeFailureMessage; - private String sslHandshakeFailureType; + private SSLHandshakeException sslHandshakeException; private ConnectionInfo(UUID uuid, long createdAt, InetSocketAddress localAddress, InetSocketAddress peerAddress) { this.uuid = uuid; @@ -284,11 +284,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List } synchronized ConnectionInfo setSslHandshakeFailure(SSLHandshakeException exception) { - this.sslHandshakeFailureException = exception.getClass().getName(); - this.sslHandshakeFailureMessage = exception.getMessage(); - this.sslHandshakeFailureType = SslHandshakeFailure.fromSslHandshakeException(exception) - .map(SslHandshakeFailure::failureType) - .orElse("UNKNOWN"); + this.sslHandshakeException = exception; return this; } @@ -338,10 +334,17 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List .withSslPeerNotAfter(sslPeerNotAfter.toInstant()) .withSslPeerNotBefore(sslPeerNotBefore.toInstant()); } - if (sslHandshakeFailureException != null && sslHandshakeFailureMessage != null && sslHandshakeFailureType != null) { - builder.withSslHandshakeFailureException(sslHandshakeFailureException) - .withSslHandshakeFailureMessage(sslHandshakeFailureMessage) - .withSslHandshakeFailureType(sslHandshakeFailureType); + if (sslHandshakeException != null) { + List<ExceptionEntry> exceptionChain = new ArrayList<>(); + Throwable cause = sslHandshakeException; + while (cause != null) { + exceptionChain.add(new ExceptionEntry(cause.getClass().getName(), cause.getMessage())); + cause = cause.getCause(); + } + String type = SslHandshakeFailure.fromSslHandshakeException(sslHandshakeException) + .map(SslHandshakeFailure::failureType) + .orElse("UNKNOWN"); + builder.withSslHandshakeFailure(new ConnectionLogEntry.SslHandshakeFailure(type, exceptionChain)); } return builder.build(); } diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java index aa28e76ea14..64f70564137 100644 --- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java +++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/server/jetty/SslHandshakeFailure.java @@ -16,7 +16,7 @@ enum SslHandshakeFailure { MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_PROTOCOLS, "INCOMPATIBLE_CLIENT_PROTOCOLS", "(Client requested protocol \\S+? is not enabled or supported in server context" + - "|The client supported protocol versions \\[\\S+?\\] are not accepted by server preferences \\[\\S+?\\])"), + "|The client supported protocol versions \\[.+?\\] are not accepted by server preferences \\[.+?\\])"), INCOMPATIBLE_CIPHERS( MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_CIPHERS, "INCOMPATIBLE_CLIENT_CIPHER_SUITES", @@ -24,7 +24,7 @@ enum SslHandshakeFailure { MISSING_CLIENT_CERT( MetricDefinitions.SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT, "MISSING_CLIENT_CERTIFICATE", - "Empty server certificate chain"), + "Empty (server|client) certificate chain"), EXPIRED_CLIENT_CERTIFICATE( MetricDefinitions.SSL_HANDSHAKE_FAILURE_EXPIRED_CLIENT_CERT, "EXPIRED_CLIENT_CERTIFICATE", diff --git a/jdisc_http_service/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java b/jdisc_http_service/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java index b8978fe489c..8944ae9d288 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java +++ b/jdisc_http_service/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java @@ -1,6 +1,7 @@ package com.yahoo.container.logging;// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. import com.yahoo.test.json.JsonTestHelper; +import com.yahoo.vespa.jdk8compat.List; import org.junit.jupiter.api.Test; import java.io.ByteArrayOutputStream; @@ -20,12 +21,19 @@ class JsonConnectionLogWriterTest { var instant = Instant.parse("2021-01-13T12:12:12Z"); ConnectionLogEntry entry = ConnectionLogEntry.builder(id, instant) .withPeerPort(1234) + .withSslHandshakeFailure(new ConnectionLogEntry.SslHandshakeFailure("UNKNOWN", + List.of( + new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("javax.net.ssl.SSLHandshakeException", "message"), + new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("java.io.IOException", "cause message")))) .build(); String expectedJson = "{" + "\"id\":\""+id.toString()+"\"," + "\"timestamp\":\"2021-01-13T12:12:12Z\"," + - "\"peerPort\":1234" + - "}"; + "\"peerPort\":1234," + + "\"ssl\":{\"handshake-failure\":{\"exception\":[" + + "{\"cause\":\"javax.net.ssl.SSLHandshakeException\",\"message\":\"message\"}," + + "{\"cause\":\"java.io.IOException\",\"message\":\"cause message\"}" + + "],\"type\":\"UNKNOWN\"}}}"; JsonConnectionLogWriter writer = new JsonConnectionLogWriter(); ByteArrayOutputStream out = new ByteArrayOutputStream(); diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java index 0a4990ff101..868053cc148 100644 --- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java +++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/HttpServerTest.java @@ -5,6 +5,7 @@ import com.google.inject.AbstractModule; import com.google.inject.Module; import com.yahoo.container.logging.ConnectionLog; import com.yahoo.container.logging.ConnectionLogEntry; +import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry; import com.yahoo.container.logging.RequestLog; import com.yahoo.container.logging.RequestLogEntry; import com.yahoo.jdisc.References; @@ -647,9 +648,8 @@ public class HttpServerTest { .add(MetricDefinitions.SSL_HANDSHAKE_FAILURE_MISSING_CLIENT_CERT, 1L, MetricConsumerMock.STATIC_CONTEXT); assertTrue(driver.close()); Assertions.assertThat(connectionLog.logEntries()).hasSize(1); - ConnectionLogEntry logEntry = connectionLog.logEntries().get(0); - Assertions.assertThat(logEntry.sslHandshakeFailureException()).hasValue(SSLHandshakeException.class.getName()); - Assertions.assertThat(logEntry.sslHandshakeFailureType()).hasValue(SslHandshakeFailure.MISSING_CLIENT_CERT.failureType()); + assertSslHandshakeFailurePresent( + connectionLog.logEntries().get(0), SSLHandshakeException.class, SslHandshakeFailure.MISSING_CLIENT_CERT.failureType()); } @Test @@ -667,14 +667,13 @@ public class HttpServerTest { .build(); assertHttpsRequestTriggersSslHandshakeException( - driver, clientCtx, "TLSv1.3", null, "Received fatal alert: protocol_version"); + driver, clientCtx, "TLSv1.1", null, "Received fatal alert: protocol_version"); verify(metricConsumer.mockitoMock()) .add(MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_PROTOCOLS, 1L, MetricConsumerMock.STATIC_CONTEXT); assertTrue(driver.close()); Assertions.assertThat(connectionLog.logEntries()).hasSize(1); - ConnectionLogEntry logEntry = connectionLog.logEntries().get(0); - Assertions.assertThat(logEntry.sslHandshakeFailureException()).hasValue(SSLHandshakeException.class.getName()); - Assertions.assertThat(logEntry.sslHandshakeFailureType()).hasValue(SslHandshakeFailure.INCOMPATIBLE_PROTOCOLS.failureType()); + assertSslHandshakeFailurePresent( + connectionLog.logEntries().get(0), SSLHandshakeException.class, SslHandshakeFailure.INCOMPATIBLE_PROTOCOLS.failureType()); } @Test @@ -697,9 +696,8 @@ public class HttpServerTest { .add(MetricDefinitions.SSL_HANDSHAKE_FAILURE_INCOMPATIBLE_CIPHERS, 1L, MetricConsumerMock.STATIC_CONTEXT); assertTrue(driver.close()); Assertions.assertThat(connectionLog.logEntries()).hasSize(1); - ConnectionLogEntry logEntry = connectionLog.logEntries().get(0); - Assertions.assertThat(logEntry.sslHandshakeFailureException()).hasValue(SSLHandshakeException.class.getName()); - Assertions.assertThat(logEntry.sslHandshakeFailureType()).hasValue(SslHandshakeFailure.INCOMPATIBLE_CIPHERS.failureType()); + assertSslHandshakeFailurePresent( + connectionLog.logEntries().get(0), SSLHandshakeException.class, SslHandshakeFailure.INCOMPATIBLE_CIPHERS.failureType()); } @Test @@ -727,8 +725,8 @@ public class HttpServerTest { assertTrue(driver.close()); Assertions.assertThat(connectionLog.logEntries()).hasSize(1); ConnectionLogEntry logEntry = connectionLog.logEntries().get(0); - Assertions.assertThat(logEntry.sslHandshakeFailureException()).hasValue(SSLHandshakeException.class.getName()); - Assertions.assertThat(logEntry.sslHandshakeFailureType()).hasValue(SslHandshakeFailure.INVALID_CLIENT_CERT.failureType()); + assertSslHandshakeFailurePresent( + connectionLog.logEntries().get(0), SSLHandshakeException.class, SslHandshakeFailure.INVALID_CLIENT_CERT.failureType()); } @Test @@ -848,7 +846,7 @@ public class HttpServerTest { Assertions.assertThat(logEntry.localPort()).hasValue(listenPort); Assertions.assertThat(logEntry.httpBytesReceived()).hasValueSatisfying(value -> Assertions.assertThat(value).isPositive()); Assertions.assertThat(logEntry.httpBytesSent()).hasValueSatisfying(value -> Assertions.assertThat(value).isPositive()); - Assertions.assertThat(logEntry.sslProtocol()).hasValue("TLSv1.2"); + Assertions.assertThat(logEntry.sslProtocol()).hasValue("TLSv1.3"); Assertions.assertThat(logEntry.sslPeerSubject()).hasValue("CN=localhost"); Assertions.assertThat(logEntry.sslCipherSuite()).hasValueSatisfying(cipher -> Assertions.assertThat(cipher).isNotBlank()); Assertions.assertThat(logEntry.sslSessionId()).hasValueSatisfying(sessionId -> Assertions.assertThat(sessionId).hasSize(64)); @@ -912,6 +910,15 @@ public class HttpServerTest { } } + private static void assertSslHandshakeFailurePresent( + ConnectionLogEntry entry, Class<? extends SSLHandshakeException> expectedException, String expectedType) { + Assertions.assertThat(entry.sslHandshakeFailure()).isPresent(); + ConnectionLogEntry.SslHandshakeFailure failure = entry.sslHandshakeFailure().get(); + assertEquals(expectedType, failure.type()); + ExceptionEntry exceptionEntry = failure.exceptionChain().get(0); + assertEquals(expectedException.getName(), exceptionEntry.name()); + } + private static TestDriver createSslWithProxyProtocolTestDriver( Path certificateFile, Path privateKeyFile, RequestLog requestLog, ConnectionLog connectionLog, boolean mixedMode) { diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java index 56d096347b3..91dbfccb203 100644 --- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java +++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java @@ -49,6 +49,7 @@ public class TlsCryptoSocket implements CryptoSocket { private AuthorizationResult authorizationResult; public TlsCryptoSocket(SocketChannel channel, SSLEngine sslEngine) { + disableTlsv13(sslEngine); this.channel = channel; this.sslEngine = sslEngine; SSLSession nullSession = sslEngine.getSession(); @@ -324,4 +325,12 @@ public class TlsCryptoSocket implements CryptoSocket { throw new SSLException("Handshake not completed: handshakeState=" + handshakeState); } + private static void disableTlsv13(SSLEngine sslEngine) { + String[] filteredProtocols = Arrays.stream(sslEngine.getEnabledProtocols()) + .filter(p -> !p.equals("TLSv1.3")) + .toArray(String[]::new); + if (filteredProtocols.length == 0) throw new IllegalArgumentException("JRT does not support TLSv1.3"); + sslEngine.setEnabledProtocols(filteredProtocols); + } + } diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/os/RetiringUpgrader.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/os/RetiringUpgrader.java index 8615488b92f..8118556f4c1 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/os/RetiringUpgrader.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/os/RetiringUpgrader.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.provision.os; import com.yahoo.component.Version; import com.yahoo.config.provision.NodeType; +import com.yahoo.transaction.Mutex; import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeList; import com.yahoo.vespa.hosted.provision.NodeMutex; @@ -37,7 +38,7 @@ public class RetiringUpgrader implements Upgrader { public void upgradeTo(OsVersionTarget target) { NodeList allNodes = nodeRepository.nodes().list(); NodeList activeNodes = allNodes.state(Node.State.active).nodeType(target.nodeType()); - if (activeNodes.size() == 0) return; // No nodes eligible for upgrade + if (activeNodes.isEmpty()) return; // No nodes eligible for upgrade Instant now = nodeRepository.clock().instant(); Duration nodeBudget = target.upgradeBudget() @@ -51,7 +52,7 @@ public class RetiringUpgrader implements Upgrader { .not().deprovisioning() .byIncreasingOsVersion() .first(1) - .forEach(node -> retire(node, target.version(), now, allNodes)); + .forEach(node -> deprovision(node, target.version(), now, allNodes)); } @Override @@ -60,11 +61,12 @@ public class RetiringUpgrader implements Upgrader { } /** Retire and deprovision given host and its children */ - private void retire(Node host, Version target, Instant now, NodeList allNodes) { + private void deprovision(Node host, Version target, Instant now, NodeList allNodes) { if (!host.type().isHost()) throw new IllegalArgumentException("Cannot retire non-host " + host); Optional<NodeMutex> nodeMutex = nodeRepository.nodes().lockAndGet(host); if (nodeMutex.isEmpty()) return; - try (var lock = nodeMutex.get()) { + // Take allocationLock to prevent any further allocation of nodes on this host + try (NodeMutex lock = nodeMutex.get(); Mutex allocationLock = nodeRepository.nodes().lockUnallocated()) { host = lock.node(); NodeType nodeType = host.type(); diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java index 886cf3e886b..a54a3556685 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsContext.java @@ -34,7 +34,7 @@ public interface TlsContext extends AutoCloseable { "TLS_AES_256_GCM_SHA384", // TLSv1.3 "TLS_CHACHA20_POLY1305_SHA256"); // TLSv1.3, Java 12 - Set<String> ALLOWED_PROTOCOLS = com.yahoo.vespa.jdk8compat.Set.of("TLSv1.2"); // TODO Enable TLSv1.3 + Set<String> ALLOWED_PROTOCOLS = com.yahoo.vespa.jdk8compat.Set.of("TLSv1.2", "TLSv1.3"); String SSL_CONTEXT_VERSION = "TLS"; // Use SSLContext implementations that supports all TLS versions /** diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java index 0f43fb45d9d..2b03e874d86 100644 --- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java +++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java @@ -219,7 +219,7 @@ public class ConfiguratorTest { return "ssl.quorum.hostnameVerification=false\n" + "ssl.quorum.clientAuth=NEED\n" + "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" + - "ssl.quorum.enabledProtocols=TLSv1.2\n" + + "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" + "ssl.quorum.protocol=TLS\n"; } @@ -227,7 +227,7 @@ public class ConfiguratorTest { return "ssl.hostnameVerification=false\n" + "ssl.clientAuth=NEED\n" + "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n" + - "ssl.enabledProtocols=TLSv1.2\n" + + "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" + "ssl.protocol=TLS\n"; } |