This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new a47d3ea156e HBASE-29403 Remove default TLS cipher overrides (#7112)
a47d3ea156e is described below

commit a47d3ea156eeb4ee34598e34316d768a04eee6b2
Author: Istvan Toth <[email protected]>
AuthorDate: Thu Jun 19 06:48:52 2025 +0200

    HBASE-29403 Remove default TLS cipher overrides (#7112)
---
 .../hadoop/hbase/io/crypto/tls/X509Util.java       | 105 +++------------------
 .../hadoop/hbase/io/crypto/tls/TestX509Util.java   |  43 ---------
 2 files changed, 12 insertions(+), 136 deletions(-)

diff --git 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index 37f6222844f..a233050994f 100644
--- 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++ 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -26,11 +26,8 @@ import java.security.Security;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.X509CertSelector;
 import java.time.Duration;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.List;
 import java.util.Objects;
-import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
@@ -50,7 +47,6 @@ import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import org.apache.hbase.thirdparty.com.google.common.collect.ObjectArrays;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OpenSsl;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
@@ -123,61 +119,11 @@ public final class X509Util {
     "hbase.client.netty.tls.handshaketimeout";
   public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
 
-  private static String[] getTls13Ciphers() {
-    return new String[] { "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" };
-  }
-
-  private static String[] getGCMCiphers() {
-    return new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" };
-  }
-
-  private static String[] getCBCCiphers() {
-    return new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" };
-  }
-
-  // On Java 8, prefer CBC ciphers since AES-NI support is lacking and GCM is 
slower than CBC.
-  private static final String[] DEFAULT_CIPHERS_JAVA8 =
-    ObjectArrays.concat(getCBCCiphers(), getGCMCiphers(), String.class);
-  // On Java 9 and later, prefer GCM ciphers due to improved AES-NI support.
-  // Note that this performance assumption might not hold true for 
architectures other than x86_64.
-  private static final String[] DEFAULT_CIPHERS_JAVA9 =
-    ObjectArrays.concat(getGCMCiphers(), getCBCCiphers(), String.class);
-  private static final String[] DEFAULT_CIPHERS_JAVA11 =
-    ObjectArrays.concat(ObjectArrays.concat(getTls13Ciphers(), 
getGCMCiphers(), String.class),
-      getCBCCiphers(), String.class);
-
-  private static final String[] DEFAULT_CIPHERS_OPENSSL = 
getOpenSslFilteredDefaultCiphers();
-
   public static final String HBASE_TLS_FILEPOLL_INTERVAL_MILLIS =
     CONFIG_PREFIX + "filepoll.interval.millis";
   // 1 minute
   private static final long DEFAULT_FILE_POLL_INTERVAL = 
Duration.ofSeconds(60).toMillis();
 
-  /**
-   * Not all of our default ciphers are available in OpenSSL. Takes our 
default cipher lists and
-   * filters them to only those available in OpenSsl. Prefers TLS 1.3, then 
GCM, then CBC because
-   * GCM tends to be better and faster, and we don't need to worry about the 
java8 vs 9 performance
-   * issue if OpenSSL is handling it.
-   */
-  private static String[] getOpenSslFilteredDefaultCiphers() {
-    if (!OpenSsl.isAvailable()) {
-      return new String[0];
-    }
-
-    Set<String> openSslSuites = OpenSsl.availableJavaCipherSuites();
-    List<String> defaultSuites = new ArrayList<>();
-    
Arrays.stream(getTls13Ciphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
-    
Arrays.stream(getGCMCiphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
-    
Arrays.stream(getCBCCiphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
-    return defaultSuites.toArray(new String[0]);
-  }
-
   /**
    * Enum specifying the client auth requirement of server-side TLS sockets 
created by this
    * X509Util.
@@ -223,45 +169,12 @@ public final class X509Util {
     // disabled
   }
 
-  static String[] getDefaultCipherSuites(boolean useOpenSsl) {
-    if (useOpenSsl) {
-      return DEFAULT_CIPHERS_OPENSSL;
-    }
-    return 
getDefaultCipherSuitesForJavaVersion(System.getProperty("java.specification.version"));
-  }
-
-  static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion) {
-    Objects.requireNonNull(javaVersion);
-
-    if (javaVersion.matches("\\d+")) {
-      // Must be Java 9 or later
-      int javaVersionInt = Integer.parseInt(javaVersion);
-      if (javaVersionInt >= 11) {
-        LOG.debug(
-          "Using Java11+ optimized cipher suites for Java version {}, 
including TLSv1.3 support",
-          javaVersion);
-        return DEFAULT_CIPHERS_JAVA11;
-      } else {
-        LOG.debug("Using Java9+ optimized cipher suites for Java version {}", 
javaVersion);
-        return DEFAULT_CIPHERS_JAVA9;
-      }
-    } else if (javaVersion.startsWith("1.")) {
-      // Must be Java 1.8 or earlier
-      LOG.debug("Using Java8 optimized cipher suites for Java version {}", 
javaVersion);
-      return DEFAULT_CIPHERS_JAVA8;
-    } else {
-      LOG.debug("Could not parse java version {}, using Java8 optimized cipher 
suites",
-        javaVersion);
-      return DEFAULT_CIPHERS_JAVA8;
-    }
-  }
-
   public static SslContext createSslContextForClient(Configuration config)
     throws X509Exception, IOException {
 
     SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
 
-    boolean useOpenSsl = configureOpenSslIfAvailable(sslContextBuilder, 
config);
+    configureOpenSslIfAvailable(sslContextBuilder, config);
     String keyStoreLocation = config.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
     char[] keyStorePassword = config.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
     String keyStoreType = config.get(TLS_CONFIG_KEYSTORE_TYPE, "");
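Review bot: The boolean returned by `configureOpenSslIfAvailable` is now discarded on the new side of this hunk (`configureOpenSslIfAvailable(sslContextBuilder, config);`) and again in the server path in the later hunk, so for both call sites the return value carries no information. If no other caller reads it, the method could become `void`; otherwise a short comment at the call site saying the OpenSSL selection no longer influences cipher choice would explain the unused result. The method's definition is outside this hunk, so I cannot confirm whether other callers exist. `createSslContextForClient` continues past the end of the hunk.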
@@ -294,7 +207,10 @@ public final class X509Util {
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
     sslContextBuilder.protocols(getEnabledProtocols(config));
-    sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config, 
useOpenSsl)));
+    String[] cipherSuites = getCipherSuites(config);
+    if (cipherSuites != null) {
+      sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
+    }
 
     return sslContextBuilder.build();
   }
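Review bot: The null-guarded `ciphers(...)` block added here is repeated verbatim in `createSslContextForServer` in the hunk below; a private helper such as `applyCipherSuites(SslContextBuilder builder, Configuration config)` holding both the lookup and the guard would keep the client and server paths from drifting apart. Whichever form stays, the guard deserves a why-comment now that the fallback is no longer visible in this class, e.g. `// TLS_CIPHER_SUITES not set: leave the Netty/provider default cipher suites in place.` `createSslContextForClient` begins before this hunk.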
@@ -337,7 +253,7 @@ public final class X509Util {
     sslContextBuilder = SslContextBuilder
       .forServer(createKeyManager(keyStoreLocation, keyStorePassword, 
keyStoreType));
 
-    boolean useOpenSsl = configureOpenSslIfAvailable(sslContextBuilder, 
config);
+    configureOpenSslIfAvailable(sslContextBuilder, config);
     String trustStoreLocation = config.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
     char[] trustStorePassword = 
config.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
     String trustStoreType = config.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
@@ -361,7 +277,10 @@ public final class X509Util {
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
     sslContextBuilder.protocols(getEnabledProtocols(config));
-    sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config, 
useOpenSsl)));
+    String[] cipherSuites = getCipherSuites(config);
+    if (cipherSuites != null) {
+      sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
+    }
     sslContextBuilder.clientAuth(clientAuth.toNettyClientAuth());
 
     return sslContextBuilder.build();
@@ -477,10 +396,10 @@ public final class X509Util {
     return enabledProtocolsInput.split(",");
   }
 
-  private static String[] getCipherSuites(Configuration config, boolean 
useOpenSsl) {
+  private static String[] getCipherSuites(Configuration config) {
     String cipherSuitesInput = config.get(TLS_CIPHER_SUITES);
     if (cipherSuitesInput == null) {
-      return getDefaultCipherSuites(useOpenSsl);
+      return null;
     } else {
       return cipherSuitesInput.split(",");
     }
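Review bot: `getCipherSuites` now returns null to mean "not configured", but has no Javadoc stating that, and with the old default-selection comments removed a reader cannot tell that null defers to the builder's default suites rather than disabling ciphers; suggested Javadoc: `Returns the cipher suites listed in TLS_CIPHER_SUITES, or null when the key is unset so the caller leaves the SslContextBuilder defaults in place.` Separately, and pre-existing but more visible now that the curated list is gone, `cipherSuitesInput.split(",")` keeps surrounding whitespace and yields `[""]` for an empty value, which is then handed to the builder as a suite name. Trimming and dropping blank entries would make the configured value robust: `return Arrays.stream(cipherSuitesInput.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);`. Whether an empty array is then treated like null by the builder should be confirmed before relying on it, since I cannot see that behaviour from here.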
diff --git 
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
 
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
index dd43f8be5cb..7f8d7c82b89 100644
--- 
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
+++ 
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
@@ -17,8 +17,6 @@
  */
 package org.apache.hadoop.hbase.io.crypto.tls;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -368,45 +366,4 @@ public class TestX509Util extends 
AbstractTestX509Parameterized {
     });
   }
 
-  @Test
-  public void testGetDefaultCipherSuitesJava8() {
-    String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("1.8");
-    // Java 8 default should have the CBC suites first
-    assertThat(cipherSuites[0], containsString("CBC"));
-  }
-
-  @Test
-  public void testGetDefaultCipherSuitesJava9() {
-    String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("9");
-    // Java 9+ default should have the GCM suites first
-    assertEquals(cipherSuites[0], "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
-  }
-
-  @Test
-  public void testGetDefaultCipherSuitesJava10() {
-    String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("10");
-    // Java 9+ default should have the GCM suites first
-    assertEquals(cipherSuites[0], "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
-  }
-
-  @Test
-  public void testGetDefaultCipherSuitesJava11() {
-    String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("11");
-    // Java 11+ default should have the TLSv1.3 suites first
-    assertThat(cipherSuites[0], containsString("TLS_AES_128_GCM"));
-  }
-
-  @Test
-  public void testGetDefaultCipherSuitesUnknownVersion() {
-    String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("notaversion");
-    // If version can't be parsed, use the more conservative Java 8 default
-    assertThat(cipherSuites[0], containsString("CBC"));
-  }
-
-  @Test
-  public void testGetDefaultCipherSuitesNullVersion() {
-    assertThrows(NullPointerException.class, () -> {
-      X509Util.getDefaultCipherSuitesForJavaVersion(null);
-    });
-  }
 }
