This is an automated email from the ASF dual-hosted git repository.
amashenkov pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ignite-3.git
The following commit(s) were added to refs/heads/main by this push:
new 3ee2f6c809 IGNITE-19037 Improve SSL ciphers validation (#1792)
3ee2f6c809 is described below
commit 3ee2f6c80931116fa3b6964e69fb43a9832590df
Author: Vadim Pakhnushev <[email protected]>
AuthorDate: Thu Mar 16 14:32:06 2023 +0300
IGNITE-19037 Improve SSL ciphers validation (#1792)
---
.../configuration/SslConfigurationValidatorImpl.java | 11 ++++++++---
.../configuration/SslConfigurationValidatorImplTest.java | 13 ++++++++++---
2 files changed, 18 insertions(+), 6 deletions(-)
diff --git
a/modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java
b/modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java
index ab08f9d659..1dad0cf8a9 100644
---
a/modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java
+++
b/modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java
@@ -99,9 +99,14 @@ public class SslConfigurationValidatorImpl implements
Validator<SslConfiguration
Set<String> ciphers = Arrays.stream(ssl.ciphers().split(","))
.map(String::strip)
.collect(Collectors.toSet());
- if (!supported.containsAll(ciphers)) {
- ciphers.removeAll(supported);
- ctx.addIssue(new ValidationIssue(ctx.currentKey(), "There are
unsupported cipher suites: " + ciphers));
+
+ // If removeAll returns true, it means that there were at least
some supported ciphers.
+ boolean haveSupported = ciphers.removeAll(supported);
+ if (!ciphers.isEmpty()) {
+ if (!haveSupported) {
+ ctx.addIssue(new ValidationIssue(ctx.currentKey(), "None
of the configured cipher suites are supported: " + ciphers));
+ }
+ LOG.info("Some of the configured cipher suites are
unsupported: {}", ciphers);
}
} catch (SSLException e) {
ctx.addIssue(new ValidationIssue(ctx.currentKey(), "Can't create
SSL engine"));
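Review bot: The `LOG.info` call at the end of the new `if (!ciphers.isEmpty())` block runs in both cases, so when none of the configured suites is supported the validator adds the issue and then also logs "Some of the configured cipher suites are unsupported", which misdescribes the situation. In the partial case the only sign that a configured suite name was not recognised (a misspelled name, for example) is an INFO line, which is easy to miss for a TLS setting; I would move it into an `else` branch and raise the level: `} else { LOG.warn("Some of the configured cipher suites are unsupported: {}", ciphers); }`. Whether the code that later builds the SSL context filters the configured list in the same way is not visible in this hunk and is worth confirming, since an unfiltered list may be rejected when the engine is configured. The enclosing `try` block starts above the hunk and the method continues below it.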
diff --git
a/modules/network/src/test/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImplTest.java
b/modules/network/src/test/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImplTest.java
index c2bc2e90da..4ee4b2dd6c 100644
---
a/modules/network/src/test/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImplTest.java
+++
b/modules/network/src/test/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImplTest.java
@@ -57,14 +57,21 @@ class SslConfigurationValidatorImplTest {
}
@Test
- public void incorrectCipherName(@WorkDirectory Path workDir) throws
IOException {
+ public void allCiphersAreIncompatible(@WorkDirectory Path workDir) throws
IOException {
+ KeyStoreView keyStore = createValidKeyStoreConfig(workDir);
+ validate(new StubSslView(true, "NONE", "foo", keyStore, null),
+ "None of the configured cipher suites are supported: [foo]");
+ }
+
+ @Test
+ public void someCiphersAreIncompatible(@WorkDirectory Path workDir) throws
IOException {
KeyStoreView keyStore = createValidKeyStoreConfig(workDir);
validate(new StubSslView(true, "NONE", "foo, TLS_AES_256_GCM_SHA384",
keyStore, null),
- "There are unsupported cipher suites: [foo]");
+ (String[]) null);
}
@Test
- public void validCipherName(@WorkDirectory Path workDir) throws
IOException {
+ public void allCiphersAreCompatible(@WorkDirectory Path workDir) throws
IOException {
KeyStoreView keyStore = createValidKeyStoreConfig(workDir);
validate(new StubSslView(true, "NONE", "TLS_AES_256_GCM_SHA384",
keyStore, null),
(String[]) null);
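Review bot: `someCiphersAreIncompatible` now passes `(String[]) null`, the same expectation as `allCiphersAreCompatible`, so it appears to assert only that no validation issue is raised. The log line reporting `foo` as unsupported is the sole observable effect of that path and is not checked, so a regression that stops reporting the unsupported name would still pass. Consider a comment on the test such as `// Unsupported suites are only logged when at least one configured suite is supported.` and, if the project has a log-capturing test utility, an assertion on the message. The last test method's closing brace lies outside the hunk.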