This is an automated email from the ASF dual-hosted git repository.
lcwik pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new 0e9fe07ea38 Add static override for JDK TLS disabled/legacy algorithms
in Java container (#24619)
0e9fe07ea38 is described below
commit 0e9fe07ea3802a1ca4e894029e04bdab51358330
Author: Charles Rothrock <[email protected]>
AuthorDate: Thu Jan 5 18:06:21 2023 -0500
Add static override for JDK TLS disabled/legacy algorithms in Java
container (#24619)
* Adding jdk.tls security property options to java containers
* Update CHANGES.md
remove whitespace line endings
* Fix invalid copy task configuration
* Adding license to TLS properties files
* Added bugfix description and link to CHANGES.md for #24623
* Renaming to match global implications for security properties override as
TLS configs are not the only properties that can be changed
* Add license
* Add license
* Adding TLS-enabled check to SdkHarnessEnvironment tests
* Update sdks/java/container/java11/option-java11-security.json
Co-authored-by: Kiley Sok <[email protected]>
* Adjusting version fallback specification for Java
* Making suggested fixes
* Fixing indentation
* Adding SSLContext check to TLS availability test
* Making suggested improvements to test
* Removing exception imports no longer needed
* Remove whitespace and erroneous context null initialization
* Fix typo
* Update
sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
Co-authored-by: Lukasz Cwik <[email protected]>
* Fix spotless java precommit formatting error
Co-authored-by: Kiley Sok <[email protected]>
Co-authored-by: Lukasz Cwik <[email protected]>
---
CHANGES.md | 4 ++
sdks/java/container/common.gradle | 6 ++-
.../container/java11/java11-security.properties | 47 ++++++++++++++++++++++
.../container/java11/option-java11-security.json | 9 +++++
.../container/java17/java17-security.properties | 47 ++++++++++++++++++++++
.../container/java17/option-java17-security.json | 9 +++++
.../java/container/java8/java8-security.properties | 47 ++++++++++++++++++++++
.../container/java8/option-java8-security.json | 9 +++++
.../apache/beam/sdk/SdkHarnessEnvironmentTest.java | 44 ++++++++++++++++++++
9 files changed, 220 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 74217cccaf0..18b7ed989fb 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -65,6 +65,9 @@
* RunInference Wrapper with Sklearn Model Handler support added in Go SDK
([#24497](https://github.com/apache/beam/issues/23382)).
* X feature added (Java/Python)
([#X](https://github.com/apache/beam/issues/X)).
+* Adding override of allowed TLS algorithms (Java), now maintaining the
disabled/legacy algorithms
+ present in 2.43.0 (up to 1.8.0_342, 11.0.16, 17.0.2 for respective Java
versions). This is accompanied
+ by an explicit re-enabling of TLSv1 and TLSv1.1 for Java 8 and Java 11.
## Breaking Changes
@@ -81,6 +84,7 @@
## Bugfixes
* Avoids Cassandra syntax error when user-defined query has no where clause in
it (Java) ([#24829](https://github.com/apache/beam/issues/24829)).
+* Fixed JDBC connection failures (Java) during handshake due to deprecated
TLSv1(.1) protocol for the JDK.
([#24623](https://github.com/apache/beam/issues/24623))
## Known Issues
diff --git a/sdks/java/container/common.gradle
b/sdks/java/container/common.gradle
index 265d14fbe9c..4886cd271d6 100644
--- a/sdks/java/container/common.gradle
+++ b/sdks/java/container/common.gradle
@@ -80,8 +80,10 @@ task copyGolangLicenses(type: Copy) {
task copyJdkOptions(type: Copy) {
if (imageJavaVersion == "17" || imageJavaVersion == "11") {
from "option-jamm.json"
- into "build/target/options"
}
+ from "java${imageJavaVersion}-security.properties"
+ from "option-java${imageJavaVersion}-security.json"
+ into "build/target/options"
}
task skipPullLicenses(type: Exec) {
@@ -129,4 +131,4 @@ dockerPrepare.dependsOn copySdkHarnessLauncher
dockerPrepare.dependsOn copyDockerfileDependencies
dockerPrepare.dependsOn ":sdks:java:container:downloadCloudProfilerAgent"
dockerPrepare.dependsOn copyJdkOptions
-dockerPrepare.dependsOn validateJavaHome
\ No newline at end of file
+dockerPrepare.dependsOn validateJavaHome
diff --git a/sdks/java/container/java11/java11-security.properties
b/sdks/java/container/java11/java11-security.properties
new file mode 100644
index 00000000000..caf64592c40
--- /dev/null
+++ b/sdks/java/container/java11/java11-security.properties
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Java 11 java.security properties file override for JVM
+# base properties derived from:
+# openjdk version "11.0.16" 2022-07-19
+# OpenJDK Runtime Environment 18.9 (build 11.0.16+8)
+# OpenJDK 64-Bit Server VM 18.9 (build 11.0.16+8, mixed mode, sharing)
+
+# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
+# legacy algorithms list to allow it to be used if something better is not
+# available (e.g. TLSv1.2). This will prevent breakages for existing users
+# (for example JDBC with MySQL). See
+# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
+# for additional details.
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ include jdk.disabled.namedCurves
+
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC, TLSv1, TLSv1.1
+
+# /dev/random blocks in virtualized environments due to lack of
+# good entropy sources, which makes SecureRandom use impractical.
+# In particular, that affects the performance of HTTPS that relies
+# on SecureRandom.
+#
+# Due to that, /dev/urandom is used as the default.
+#
+# See http://www.2uo.de/myths-about-urandom/ for some background
+# on security of /dev/urandom on Linux.
+securerandom.source=file:/dev/./urandom
\ No newline at end of file
diff --git a/sdks/java/container/java11/option-java11-security.json
b/sdks/java/container/java11/option-java11-security.json
new file mode 100644
index 00000000000..a8ad9672a3f
--- /dev/null
+++ b/sdks/java/container/java11/option-java11-security.json
@@ -0,0 +1,9 @@
+{
+ "name": "java-security",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties":
"/opt/apache/beam/options/java11-security.properties"
+ }
+ }
+}
diff --git a/sdks/java/container/java17/java17-security.properties
b/sdks/java/container/java17/java17-security.properties
new file mode 100644
index 00000000000..ec2a5c039cb
--- /dev/null
+++ b/sdks/java/container/java17/java17-security.properties
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Java 17 java.security properties file override for JVM
+# base properties derived from:
+# openjdk version "17.0.2" 2022-01-18
+# OpenJDK Runtime Environment (build 17.0.2+8-86)
+# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
+
+# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
+# legacy algorithms list to allow it to be used if something better is not
+# available (e.g. TLSv1.2). This will prevent breakages for existing users
+# (for example JDBC with MySQL). See
+# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
+# for additional details.
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+
+# The raw value from 17.0.2 for legacyAlgorithms is
+# NULL, anon, RC4, DES, 3DES_EDE_CBC
+# Because these values are in disabledAlgorithms, it is erroneous to include
+# them in legacy (they are disabled in Java 8 and Java 11 as well). Here we
+# only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms
+jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1
+
+# /dev/random blocks in virtualized environments due to lack of
+# good entropy sources, which makes SecureRandom use impractical.
+# In particular, that affects the performance of HTTPS that relies
+# on SecureRandom.
+#
+# Due to that, /dev/urandom is used as the default.
+#
+# See http://www.2uo.de/myths-about-urandom/ for some background
+# on security of /dev/urandom on Linux.
+securerandom.source=file:/dev/./urandom
\ No newline at end of file
diff --git a/sdks/java/container/java17/option-java17-security.json
b/sdks/java/container/java17/option-java17-security.json
new file mode 100644
index 00000000000..979d4be90d1
--- /dev/null
+++ b/sdks/java/container/java17/option-java17-security.json
@@ -0,0 +1,9 @@
+{
+ "name": "java-security",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties":
"/opt/apache/beam/options/java17-security.properties"
+ }
+ }
+}
diff --git a/sdks/java/container/java8/java8-security.properties
b/sdks/java/container/java8/java8-security.properties
new file mode 100644
index 00000000000..f637d3ef756
--- /dev/null
+++ b/sdks/java/container/java8/java8-security.properties
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Java 8 java.security properties file override for JVM
+# base properties derived from:
+# openjdk version "1.8.0_342"
+# OpenJDK Runtime Environment (build 1.8.0_342-b07)
+# OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode)
+
+# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
+# legacy algorithms list to allow it to be used if something better is not
+# available (e.g. TLSv1.2). This will prevent breakages for existing users
+# (for example JDBC with MySQL). See
+# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
+# for additional details.
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ include jdk.disabled.namedCurves
+
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC, TLSv1, TLSv1.1
+
+# /dev/random blocks in virtualized environments due to lack of
+# good entropy sources, which makes SecureRandom use impractical.
+# In particular, that affects the performance of HTTPS that relies
+# on SecureRandom.
+#
+# Due to that, /dev/urandom is used as the default.
+#
+# See http://www.2uo.de/myths-about-urandom/ for some background
+# on security of /dev/urandom on Linux.
+securerandom.source=file:/dev/./urandom
\ No newline at end of file
diff --git a/sdks/java/container/java8/option-java8-security.json
b/sdks/java/container/java8/option-java8-security.json
new file mode 100644
index 00000000000..47f2938bf7c
--- /dev/null
+++ b/sdks/java/container/java8/option-java8-security.json
@@ -0,0 +1,9 @@
+{
+ "name": "java-security",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties":
"/opt/apache/beam/options/java8-security.properties"
+ }
+ }
+}
diff --git
a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
index dd2d469fd4b..2c61e8a6204 100644
---
a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
+++
b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
@@ -19,7 +19,12 @@ package org.apache.beam.sdk;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasItemInArray;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertNotNull;
+import java.security.Security;
+import javax.net.ssl.SSLContext;
import org.apache.beam.sdk.coders.StringUtf8Coder;
import org.apache.beam.sdk.testing.PAssert;
import org.apache.beam.sdk.testing.TestPipeline;
@@ -66,4 +71,43 @@ public class SdkHarnessEnvironmentTest {
PAssert.that(output).containsInAnyOrder("measured");
p.run().waitUntilFinish();
}
+
+ /** {@link DoFn} used to validate that TLS was enabled as part of java
security properties. */
+ private static class TLSDoFn extends DoFn<String, String> {
+ @ProcessElement
+ public void processElement(ProcessContext c) throws Exception {
+ String[] disabledAlgorithms =
+
Security.getProperty("jdk.tls.disabledAlgorithms").trim().split("\\s*,\\s*");
+ String[] legacyAlgorithms =
+
Security.getProperty("jdk.tls.legacyAlgorithms").trim().split("\\s*,\\s*");
+ assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1")));
+ assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1.1")));
+ assertThat(legacyAlgorithms, hasItemInArray("TLSv1"));
+ assertThat(legacyAlgorithms, hasItemInArray("TLSv1.1"));
+
+ // getDefaultSSLParameters() shows all protocols that JSSE implements
that are allowed.
+ // getSupportedSSLParameters() shows all protocols that JSSE implements
including those that
+ // are disabled.
+ SSLContext context = SSLContext.getInstance("TLS");
+ context.init(null, null, null);
+ assertNotNull(context);
+ String[] defaultProtocols =
context.getDefaultSSLParameters().getProtocols();
+ assertThat(defaultProtocols, hasItemInArray("TLSv1"));
+ assertThat(defaultProtocols, hasItemInArray("TLSv1.1"));
+
+ c.output("TLSv1-TLSv1.1 enabled");
+ }
+ }
+
+ @Test
+ @Category({ValidatesRunner.class, UsesSdkHarnessEnvironment.class})
+ public void testTlsAvailable() throws Exception {
+ PCollection<String> input =
p.apply(Create.of("TLS").withCoder(StringUtf8Coder.of()));
+
+ PCollection<String> output = input.apply(ParDo.of(new TLSDoFn()));
+
+ PAssert.that(output).containsInAnyOrder("TLSv1-TLSv1.1 enabled");
+
+ p.run().waitUntilFinish();
+ }
}
