From 130a6f945e84adddb531bb76a6693e3b01b46cd0 Mon Sep 17 00:00:00 2001
From: Harald Musum
Date: Wed, 20 Nov 2019 16:29:37 +0100
Subject: Remove cipher suite not supported by Java
---
 .../com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java | 10 +++++++++-
 .../yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'zookeeper-server')
diff --git a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
index ed8be3ad7f4..8b880ba6a97 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
@@ -25,6 +25,7 @@ import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -122,7 +123,7 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna
 // Common config
 sb.append("ssl.quorum.hostnameVerification=false\n");
 sb.append("ssl.quorum.clientAuth=NEED\n");
- sb.append("ssl.quorum.ciphersuites=").append(String.join(",", new TreeSet<>(TlsContext.ALLOWED_CIPHER_SUITES))).append("\n");
+ sb.append("ssl.quorum.ciphersuites=").append(String.join(",", getCipherSuites())).append("\n");
 sb.append("ssl.quorum.enabledProtocols=").append(String.join(",", new TreeSet<>(TlsContext.ALLOWED_PROTOCOLS))).append("\n");
 sb.append("ssl.quorum.protocol=TLS\n");
@@ -162,6 +163,13 @@ public class VespaZooKeeperServerImpl extends AbstractComponent implements Runna
 return sb.toString();
 }
+ private TreeSet getCipherSuites() {
+ Set cipherSuites = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);
+ // Remove cipher suite not supported by Java
+ cipherSuites.remove("TLS_CHACHA20_POLY1305_SHA256");
+ return new TreeSet<>(cipherSuites);
+ }
+
 private void writeMyIdFile(ZookeeperServerConfig config) throws IOException {
 if (config.server().size() > 1) {
 try (FileWriter writer = new FileWriter(getDefaults().underVespaHome(config.myidFile()))) {
diff --git a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
index 953a85aeaaf..1f995655fd1 100644
--- a/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
+++ b/zookeeper-server/zookeeper-server-3.5/src/test/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImplTest.java
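Review bot: `getCipherSuites()` is declared with raw `TreeSet` and `Set`, so the suite set is effectively unparameterized and `String.join(",", getCipherSuites())` at the call site only compiles through an unchecked conversion; declare it as `private TreeSet<String> getCipherSuites() {` with `Set<String> cipherSuites = new HashSet<>(TlsContext.ALLOWED_CIPHER_SUITES);`. The exclusion is also pinned to one literal suite name while the comment does not record which Java version lacks it, so nothing tells a maintainer when the line can be dropped; a comment such as `// TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3) is rejected by the JDK this server runs on; remove this exclusion once the runtime supports it` would make the intent auditable. If the goal is to emit only suites the running JVM can actually negotiate, retaining `TlsContext.ALLOWED_CIPHER_SUITES` against `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()` would presumably keep the list correct across JDK upgrades without hand-maintained exclusions, though that makes the output JVM-dependent and the expected string in VespaZooKeeperServerImplTest is hard-coded. The new method lies entirely within this hunk.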
@@ -204,7 +204,7 @@ public class VespaZooKeeperServerImplTest {
 private String commonTlsConfig() {
 return "ssl.quorum.hostnameVerification=false\n" +
 "ssl.quorum.clientAuth=NEED\n" +
- "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
+ "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
 "ssl.quorum.enabledProtocols=TLSv1.2\n" +
 "ssl.quorum.protocol=TLS\n";
 }
-- cgit v1.2.3