This is an automated email from the ASF dual-hosted git repository.

ilyak pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git


The following commit(s) were added to refs/heads/master by this push:
     new 8e69ae7  IGNITE-11298 Fixes to support TLSv1.3 in Communication - 
Fixes #6442.
8e69ae7 is described below

commit 8e69ae7648f50aeab7884ae58624be0a632cdd31
Author: Vitaliy Biryukov <[email protected]>
AuthorDate: Thu May 30 15:49:23 2019 +0300

    IGNITE-11298 Fixes to support TLSv1.3 in Communication - Fixes #6442.
    
    Signed-off-by: Ilya Kasnacheev <[email protected]>
---
 examples/README.md                                 |  5 ++--
 .../jdbc/thin/JdbcThinConnectionSSLTest.java       | 10 ++++----
 .../apache/ignite/internal/util/IgniteUtils.java   | 27 ++++++++++++++++++++
 .../internal/util/nio/ssl/BlockingSslHandler.java  | 29 ++++++++++++++++++++++
 .../internal/util/nio/ssl/GridNioSslHandler.java   |  4 +--
 .../apache/ignite/client/SslParametersTest.java    |  2 +-
 modules/dev-utils/ignite-modules-test/build.gradle |  5 ++--
 7 files changed, 68 insertions(+), 14 deletions(-)

diff --git a/examples/README.md b/examples/README.md
index 1855953..88de890 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -16,8 +16,7 @@ To set up local IDE to easier access to examples, it is 
possible to add followin
    --add-exports=java.management/com.sun.jmx.mbeanserver=ALL-UNNAMED
    --add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED
    --add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED
-   --illegal-access=permit
-   -Djdk.tls.client.protocols=TLSv1.2``
+   --illegal-access=permit``
 
 For example, for IntelliJ IDEA it is possible to use Application Templates.
 
@@ -31,4 +30,4 @@ please make sure that corresponding changes were applied to
  * [pom-standalone.xml](pom-standalone.xml),
  * [pom-standalone-lgpl.xml](pom-standalone-lgpl.xml).
  
- These pom files are finalized during release and placed to examples folder 
with these examples code.
\ No newline at end of file
+ These pom files are finalized during release and placed to examples folder 
with these examples code.
diff --git 
a/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
 
b/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
index 0af26b7..644b56d 100644
--- 
a/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
+++ 
b/modules/clients/src/test/java/org/apache/ignite/jdbc/thin/JdbcThinConnectionSSLTest.java
@@ -343,7 +343,7 @@ public class JdbcThinConnectionSSLTest extends 
JdbcThinAbstractSelfTest {
 
                     return null;
                 }
-            }, SQLException.class, "Failed to SSL connect to server");
+            }, SQLException.class, "connect to");
         }
         finally {
             stopAllGrids();
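Review bot: The expected-message fragment `"connect to"` in this assertThrows is loose enough to match a connection failure that has nothing to do with TLS, so the test can pass without the SSL failure path being exercised. If the wording differs between JDK versions, match the longest fragment that still names the SSL failure, or also check the cause type of the returned exception, rather than a two-word substring. The same loosening appears in the SslParametersTest hunk, where only the cipher name `"TLC_FAKE_CIPHER"` is matched and the "unsupported" part of the message is no longer asserted. The enclosing test method starts outside this hunk.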
@@ -364,7 +364,7 @@ public class JdbcThinConnectionSSLTest extends 
JdbcThinAbstractSelfTest {
             GridTestUtils.assertThrows(log, new Callable<Object>() {
                 @Override public Object call() throws Exception {
                     Connection c = 
DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                        "&sslProtocol=TLSv1.3" +
+                        "&sslProtocol=TLSv1.13" +
                         "&sslClientCertificateKeyStoreUrl=" + 
CLI_KEY_STORE_PATH +
                         "&sslClientCertificateKeyStorePassword=123456" +
                         "&sslTrustCertificateKeyStoreUrl=" + 
TRUST_KEY_STORE_PATH +
@@ -372,7 +372,7 @@ public class JdbcThinConnectionSSLTest extends 
JdbcThinAbstractSelfTest {
 
                     return null;
                 }
-            }, SQLException.class, "TLSv1.3 is not a valid SSL protocol");
+            }, SQLException.class, "TLSv1.13 is not a valid SSL protocol");
         }
         finally {
             stopAllGrids();
@@ -422,7 +422,7 @@ public class JdbcThinConnectionSSLTest extends 
JdbcThinAbstractSelfTest {
             GridTestUtils.assertThrows(log, new Callable<Object>() {
                 @Override public Object call() throws Exception {
                     Connection c = 
DriverManager.getConnection("jdbc:ignite:thin://127.0.0.1/?sslMode=require" +
-                        "&sslClientCertificateKeyStoreType=PKCS12" +
+                        "&sslClientCertificateKeyStoreType=INVALID_TYPE" +
                         "&sslClientCertificateKeyStoreUrl=" + 
CLI_KEY_STORE_PATH +
                         "&sslClientCertificateKeyStorePassword=123456" +
                         "&sslTrustCertificateKeyStoreUrl=" + 
TRUST_KEY_STORE_PATH +
@@ -430,7 +430,7 @@ public class JdbcThinConnectionSSLTest extends 
JdbcThinAbstractSelfTest {
 
                     return null;
                 }
-            }, SQLException.class, "Could not open client key store");
+            }, SQLException.class, "Could not create client KeyStore");
         }
         finally {
             stopAllGrids();
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java 
b/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java
index 5d9d8da..223b87e 100755
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java
@@ -64,6 +64,7 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.MalformedURLException;
 import java.net.NetworkInterface;
+import java.net.Socket;
 import java.net.SocketException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -4254,6 +4255,32 @@ public abstract class IgniteUtils {
     }
 
     /**
+     * Quietly closes given {@link Socket} ignoring possible checked exception.
+     *
+     * @param sock Socket to close. If it's {@code null} - it's no-op.
+     */
+    public static void closeQuiet(@Nullable Socket sock) {
+        if (sock == null)
+            return;
+
+        try {
+            // Avoid java 12 bug see 
https://bugs.openjdk.java.net/browse/JDK-8219658
+            sock.shutdownOutput();
+            sock.shutdownInput();
+        }
+        catch (Exception ignored) {
+            // No-op.
+        }
+
+        try {
+            sock.close();
+        }
+        catch (Exception ignored) {
+            // No-op.
+        }
+    }
+
+    /**
      * Quietly releases file lock ignoring all possible exceptions.
      *
      * @param lock File lock. If it's {@code null} - it's no-op.
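Review bot: The Javadoc on closeQuiet says it ignores a "possible checked exception", but both catch blocks take `Exception`, so unchecked exceptions from `shutdownOutput()`, `shutdownInput()` and `close()` are swallowed too, with no log line. If that breadth is intended, the summary should say so, e.g. `Quietly closes given {@link Socket}, ignoring any exception (checked or unchecked).` Because both shutdown calls share one try, a failure in `shutdownOutput()` skips `shutdownInput()`; a comment such as `// Best effort: if shutdownOutput() fails, shutdownInput() is skipped and close() still runs.` would show this is deliberate. The JDK-8219658 comment would be more useful if it said what the workaround prevents and on which JDK versions it can be dropped.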
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/BlockingSslHandler.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/BlockingSslHandler.java
index ff1e2be..40ded3c 100644
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/BlockingSslHandler.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/BlockingSslHandler.java
@@ -335,6 +335,8 @@ public class BlockingSslHandler {
 
         SSLEngineResult res = unwrap0();
 
+        res = postHandshakeIfNeded(res);
+
         // prepare to be written again
         inNetBuf.compact();
 
@@ -344,6 +346,33 @@ public class BlockingSslHandler {
     }
 
     /**
+     * Does post-handshake logic described <a 
href="https://tools.ietf.org/html/rfc8446#section-4.6";>here</a> if nedded.
+     *
+     * @param res Response.
+     */
+    private SSLEngineResult postHandshakeIfNeded(SSLEngineResult res) throws 
SSLException, IgniteCheckedException {
+        while (res.getHandshakeStatus() == FINISHED && res.getStatus() == OK) {
+            if (!inNetBuf.hasRemaining()) {
+                inNetBuf.clear();
+
+                readFromNet();
+
+                inNetBuf.flip();
+            }
+
+            res = unwrap0();
+
+            handshakeStatus = res.getHandshakeStatus();
+
+            if (log.isDebugEnabled())
+                log.debug("Unrapped post-handshake data [status=" + 
res.getStatus() + ", handshakeStatus=" +
+                    handshakeStatus + ']');
+        }
+
+        return res;
+    }
+
+    /**
      * Runs all tasks needed to continue SSL work.
      *
      * @return Handshake status after running all tasks.
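Review bot: postHandshakeIfNeded calls `readFromNet()` whenever the handshake has just reported FINISHED and `inNetBuf` is empty, which assumes the peer always sends something next. With a peer that sends no post-handshake message (a TLSv1.2 session, for instance) this looks like it can block until the first application record arrives or the socket times out. Please confirm that case and document the assumption above the loop, e.g. `// After FINISHED a TLSv1.3 peer may send post-handshake records (RFC 8446, 4.6); otherwise this read waits for the next record from the peer.` It is also not visible in the hunk what happens to application data that `unwrap0()` decodes inside this loop. The Javadoc lacks an `@return`, and the method name and texts carry typos (`postHandshakeIfNeded`, `nedded`, `Unrapped`).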
diff --git 
a/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/GridNioSslHandler.java
 
b/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/GridNioSslHandler.java
index 8d28de2..c6471cb 100644
--- 
a/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/GridNioSslHandler.java
+++ 
b/modules/core/src/main/java/org/apache/ignite/internal/util/nio/ssl/GridNioSslHandler.java
@@ -604,7 +604,7 @@ class GridNioSslHandler extends ReentrantLock {
                 appBuf = expandBuffer(appBuf, appBuf.capacity() * 2);
         }
         while ((res.getStatus() == Status.OK || res.getStatus() == 
Status.BUFFER_OVERFLOW) &&
-            (handshakeFinished && res.getHandshakeStatus() == NOT_HANDSHAKING 
|| res.getHandshakeStatus() == NEED_UNWRAP));
+            (handshakeFinished || res.getHandshakeStatus() == NEED_UNWRAP));
 
         return res;
     }
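Review bot: With the new condition, once `handshakeFinished` is true the do/while keeps iterating for every handshake status, including NEED_WRAP and NEED_TASK, as long as the result status is OK or BUFFER_OVERFLOW. If a post-handshake message leaves the engine waiting for a wrap or a delegated task, an unwrap that consumes nothing could keep returning OK and the loop would not terminate. The loop body starts outside the hunk, so this needs checking there. Requiring progress in the OK case (for example `res.bytesConsumed() > 0`) or leaving the loop explicitly on `NEED_WRAP`/`NEED_TASK` would bound it. A one-line comment on why NOT_HANDSHAKING is no longer required after the handshake would help the next reader.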
@@ -711,4 +711,4 @@ class GridNioSslHandler extends ReentrantLock {
             return buf;
         }
     }
-}
\ No newline at end of file
+}
diff --git 
a/modules/core/src/test/java/org/apache/ignite/client/SslParametersTest.java 
b/modules/core/src/test/java/org/apache/ignite/client/SslParametersTest.java
index ed7e441..0f0791b 100644
--- a/modules/core/src/test/java/org/apache/ignite/client/SslParametersTest.java
+++ b/modules/core/src/test/java/org/apache/ignite/client/SslParametersTest.java
@@ -177,7 +177,7 @@ public class SslParametersTest extends 
GridCommonAbstractTest {
             },
             null,
             IllegalArgumentException.class,
-            "Unsupported ciphersuite"
+            "TLC_FAKE_CIPHER"
         );
     }
 
diff --git a/modules/dev-utils/ignite-modules-test/build.gradle 
b/modules/dev-utils/ignite-modules-test/build.gradle
index 92ba917..d8bd1c1 100644
--- a/modules/dev-utils/ignite-modules-test/build.gradle
+++ b/modules/dev-utils/ignite-modules-test/build.gradle
@@ -129,11 +129,10 @@ test {
         "--add-exports=java.management/com.sun.jmx.mbeanserver=ALL-UNNAMED",
         "--add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED",
         
"--add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED",
-        "--illegal-access=permit",
-        "-Djdk.tls.client.protocols=TLSv1.2");
+        "--illegal-access=permit");
 }
 
 tasks.withType(Test) {
     scanForTestClasses = false
     include "**/*Test.class" // whatever Ant pattern matches your test class 
files
-}
\ No newline at end of file
+}
