This is an automated email from the ASF dual-hosted git repository.
dcapwell pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/trunk by this push:
new 1b04702 SSLFactory should initialize SSLContext before setting
protocols
1b04702 is described below
commit 1b04702f351861e6fef8cf64fd26f65ec90e4c70
Author: Jon Meredith <[email protected]>
AuthorDate: Fri Jan 29 11:40:25 2021 -0800
SSLFactory should initialize SSLContext before setting protocols
patch by Jon Meredith; reviewed by David Capwell, Dinesh Joshi for
CASSANDRA-16362
---
.../org/apache/cassandra/security/SSLFactory.java | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java
b/src/java/org/apache/cassandra/security/SSLFactory.java
index 2f7ea75..22f0a9d 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -34,6 +34,7 @@ import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -171,7 +172,7 @@ public final class SSLFactory
{
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null);
- SSLParameters params = ctx.getSupportedSSLParameters();
+ SSLParameters params = ctx.getDefaultSSLParameters();
String[] protocols = params.getProtocols();
return Arrays.asList(protocols);
}
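Review bot: The switch from getSupportedSSLParameters() to getDefaultSSLParameters() on the line after ctx.init() changes which protocol list this method reports, yet nothing in the hunk records why, so a later reader could plausibly "fix" it back. A comment above the SSLParameters line such as `// Default, not supported, parameters: the default set is what the initialized context would actually negotiate and presumably excludes protocols the runtime has disabled (e.g. via jdk.tls.disabledAlgorithms), whereas the supported set also lists legacy protocols that must not be enabled.` would pin the intent. The method's signature and the start of its body lie outside the hunk.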
@@ -479,6 +480,11 @@ public final class SSLFactory
}
}
+ private static boolean filterOutSSLv2Hello(String string)
+ {
+ return !string.equals("SSLv2Hello");
+ }
+
public static void validateSslContext(String contextDescription,
EncryptionOptions options, boolean buildTrustStore, boolean
logProtocolAndCiphers) throws IOException
{
if (options != null && options.tlsEncryptionPolicy() !=
EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED)
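Review bot: filterOutSSLv2Hello at the top of the hunk carries no comment and names its parameter `string`, so a reader has to locate the call site in validateSslContext to learn that it exists only to drop Netty's SSLv2Hello pseudo-protocol from log output. Rename the parameter to `protocol` and add a Javadoc such as `/** Drops the SSLv2Hello pseudo-protocol that Netty reports among enabled protocols; it is not a negotiable TLS version, and is filtered so operator-facing logs do not appear to advertise SSLv2. */`. validateSslContext begins inside this hunk but its body continues past it.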
@@ -497,13 +503,22 @@ public final class SSLFactory
{
String[] supportedProtocols =
engine.getSupportedProtocols();
String[] supportedCiphers =
engine.getSupportedCipherSuites();
+ // Netty always adds the SSLv2Hello
pseudo-protocol. (Netty commit 7a39afd031accea9ee38653afbd58eb1c466deda)
+ // To avoid triggering any log scanners that are
concerned about SSL2 references, filter
+ // it from the output.
String[] enabledProtocols =
engine.getEnabledProtocols();
+ String filteredEnabledProtocols =
+ supportedProtocols == null ? "system default"
+ :
Arrays.stream(engine.getEnabledProtocols())
+
.filter(SSLFactory::filterOutSSLv2Hello)
+
.collect(Collectors.joining(", "));
String[] enabledCiphers =
engine.getEnabledCipherSuites();
logger.debug("{} supported TLS protocols: {}",
contextDescription,
supportedProtocols == null ? "system
default" : String.join(", ", supportedProtocols));
- logger.info("{} enabled TLS protocols: {}",
contextDescription,
+ logger.debug("{} unfiltered enabled TLS protocols:
{}", contextDescription,
enabledProtocols == null ? "system
default" : String.join(", ", enabledProtocols));
+ logger.info("{} enabled TLS protocols: {}",
contextDescription, filteredEnabledProtocols);
logger.debug("{} supported cipher suites: {}",
contextDescription,
supportedCiphers == null ? "system
default" : String.join(", ", supportedCiphers));
logger.info("{} enabled cipher suites: {}",
contextDescription,
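Review bot: The null guard for filteredEnabledProtocols tests supportedProtocols, but the stream it guards is built from engine.getEnabledProtocols(), so the check protects the wrong array: should the engine ever return null enabled protocols while supported protocols are non-null, Arrays.stream(null) throws a NullPointerException from inside a logging path, and the second getEnabledProtocols() call also duplicates the enabledProtocols local assigned two lines above. Use that local and guard on it: `String filteredEnabledProtocols = enabledProtocols == null ? "system default"` / `    : Arrays.stream(enabledProtocols).filter(SSLFactory::filterOutSSLv2Hello).collect(Collectors.joining(", "));`. That also keeps the info line consistent with the debug line immediately above it, which already guards on enabledProtocols. validateSslContext starts and ends outside this hunk.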