This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix-omid.git


The following commit(s) were added to refs/heads/master by this push:
     new a391a29c OMID-317 Add TLSv1.3 to default protocols if supported by JRE 
(#197)
a391a29c is described below

commit a391a29cd02244a2bb0e1b1f0a3da766d920af04
Author: Istvan Toth <[email protected]>
AuthorDate: Thu Jul 10 10:35:40 2025 +0200

    OMID-317 Add TLSv1.3 to default protocols if supported by JRE (#197)
---
 .../main/java/org/apache/omid/tls/X509Util.java    | 35 ++++++++++++++++++----
 .../java/org/apache/omid/tls/TestX509Util.java     | 20 ++++++-------
 .../omid/tso/client/OmidClientConfiguration.java   |  4 +--
 .../apache/omid/tso/client/TestGetSslContext.java  |  2 +-
 .../tso/client/TestOmidClientConfiguration.java    |  5 ++--
 .../java/org/apache/omid/tso/TSOServerConfig.java  |  4 +--
 .../org/apache/omid/tso/TSOServerConfigTest.java   |  5 ++--
 7 files changed, 50 insertions(+), 25 deletions(-)

diff --git a/common/src/main/java/org/apache/omid/tls/X509Util.java 
b/common/src/main/java/org/apache/omid/tls/X509Util.java
index a6d2108c..08cf8f5f 100644
--- a/common/src/main/java/org/apache/omid/tls/X509Util.java
+++ b/common/src/main/java/org/apache/omid/tls/X509Util.java
@@ -33,18 +33,19 @@ import java.io.InputStream;
 import java.nio.file.Files;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
 import java.security.Security;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.X509CertSelector;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 
 
 /**
- * Utility code for X509 handling Default cipher suites: Performance testing 
done by Facebook
- * engineers shows that on Intel x86_64 machines, Java9 performs better with 
GCM and Java8 performs
- * better with CBC, so these seem like reasonable defaults.
+ * Utility code for X509 handling Default cipher suites.
  * <p/>
- * This file has is based on the one in HBase project.
+ * This file has is based on the one in HBase project, which is based on the 
one in Zookeeper.
  * @see <a href=
  *      
"https://github.com/apache/hbase/blob/d2b0074f7ad4c43d31a1a511a0d74feda72451d1/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java";>Base
  *      revision</a>
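Review bot: The rewritten Javadoc summary `Utility code for X509 handling Default cipher suites.` is now a sentence fragment, since the cipher-suite performance rationale it used to introduce was removed, and the next sentence keeps the pre-existing `This file has is based on`. Suggest `* Utility code for X509 handling.` for the summary and `* This file is based on the one in the HBase project, which is in turn based on the one in ZooKeeper.` for the provenance line.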
@@ -54,15 +55,37 @@ public final class X509Util {
     private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
     private static final char[] EMPTY_CHAR_ARRAY = new char[0];
 
+    public static final String TLS_1_2 = "TLSv1.2";
+    public static final String TLS_1_3 = "TLSv1.3";
+
     // Config
     public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
 
-    public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+    public static final String DEFAULT_PROTOCOLS = defaultTlsProtocols();
 
     private X509Util() {
         // disabled
     }
 
+    // For recent JDKs we could have just used the JVM defaults.
+    // This is only needed for pre JDK-8202343 Java 8 and 11 to avoid a 
regression of allowing
+    // pre TLSv1.2 protocols by default.
+    // As Omid only supports the JRE provider, we don't need to worry about 
tcnative stuff.
+    private static String defaultTlsProtocols() {
+        String defaultProtocol = TLS_1_2;
+        List<String> supported = new ArrayList<>();
+        try {
+            supported = 
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+            if (supported.contains(TLS_1_3)) {
+                defaultProtocol = TLS_1_3 + "," + TLS_1_2;
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // Ignore.
+        }
+        LOG.info("Default TLS protocols are {}, supported TLS protocols are 
{}", defaultProtocol, supported);
+        return defaultProtocol;
+    }
+
     public static SslContext createSslContextForClient(String 
keyStoreLocation, char[] keyStorePassword,
                                                        String keyStoreType, 
String trustStoreLocation, char[] trustStorePassword, String trustStoreType,
                                                        boolean sslCrlEnabled, 
boolean sslOcspEnabled, String enabledProtocols, String cipherSuites, String 
tlsConfigProtocols)
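Review bot: The `catch (NoSuchAlgorithmException e)` block in `defaultTlsProtocols()` swallows the failure with `// Ignore.`, so a JRE whose default `SSLContext` cannot be obtained silently falls back to TLSv1.2 and the INFO line then reports an empty supported list with no hint why; log it instead, e.g. `LOG.warn("Could not query the default SSLContext, defaulting TLS protocols to {}", TLS_1_2, e);`. Because this runs during static initialisation of `X509Util`, that log line is the only place an operator would see the cause. The probe uses `getSupportedSSLParameters()`, which as far as I recall still lists a protocol an operator has switched off via the `jdk.tls.disabledAlgorithms` security property, whereas `getDefaultSSLParameters()` follows that policy; worth confirming which behaviour is intended before TLSv1.3 is advertised as a default. The `new ArrayList<>()` initialiser for `supported` exists only so the log line has a value on the failure path; a short comment saying so would stop the next reader from treating it as dead code.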
@@ -229,7 +252,7 @@ public final class X509Util {
 
     private static String[] getEnabledProtocols(String enabledProtocolsInput, 
String tlsConfigProtocols) {
         if (enabledProtocolsInput == null) {
-            return new String[] {tlsConfigProtocols};
+            return tlsConfigProtocols.split(",");
         }
         return enabledProtocolsInput.split(",");
     }
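Review bot: `tlsConfigProtocols.split(",")` on the new line does not trim, so a configured value such as `TLSv1.3, TLSv1.2` yields a `" TLSv1.2"` element, which the JDK `SSLEngine` rejects as an unknown protocol when the engine is created; the removed line passed the whole string as one element, so the config value was never split before, and `enabledProtocolsInput.split(",")` on the next line has had the same weakness all along. Trimming around the separator fixes both: `return tlsConfigProtocols.trim().split("\\s*,\\s*");`. A `tlsConfigProtocols` explicitly set to null in the YAML would now fail here with a bare NPE rather than later; an `Objects.requireNonNull(tlsConfigProtocols, "tlsConfigProtocols")` would make that message actionable.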
diff --git a/common/src/test/java/org/apache/omid/tls/TestX509Util.java 
b/common/src/test/java/org/apache/omid/tls/TestX509Util.java
index 37ed93ce..31f75bc4 100644
--- a/common/src/test/java/org/apache/omid/tls/TestX509Util.java
+++ b/common/src/test/java/org/apache/omid/tls/TestX509Util.java
@@ -101,9 +101,9 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
     @Test
     public void testCreateSSLContextWithoutCustomProtocol() throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
-        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
         ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
-        assertEquals(new String[] { X509Util.DEFAULT_PROTOCOL },
+        assertEquals(X509Util.DEFAULT_PROTOCOLS.split(","),
                 
sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
     }
 
@@ -113,7 +113,7 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
 
         ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
-        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, protocol, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, protocol, null, X509Util.DEFAULT_PROTOCOLS);
         assertEquals(Collections.singletonList(protocol),
                 
Arrays.asList(sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols()));
     }
@@ -122,14 +122,14 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
     public void testCreateSSLContextWithoutKeyStoreLocationServer() throws 
Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
         tlsConfigKeystoreLocation = "";
-        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
     }
 
     @Test
     public void testCreateSSLContextWithoutKeyStoreLocationClient() throws 
Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
         tlsConfigKeystoreLocation = "";
-        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
     }
 
     @Test(expected = X509Exception.class)
@@ -139,21 +139,21 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
             throw new X509Exception.SSLContextException("");
         }
         tlsConfigKeystorePassword = "";
-        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
     }
 
     @Test
     public void testCreateSSLContextWithoutTrustStoreLocationClient() throws 
Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
         tlsConfigTrustLocation = "";
-        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForClient(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
     }
 
     @Test
     public void testCreateSSLContextWithoutTrustStoreLocationServer() throws 
Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
         tlsConfigTrustLocation = "";
-        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
     }
 
     // It would be great to test the value of 
PKIXBuilderParameters#setRevocationEnabled,
@@ -161,7 +161,7 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
     @Test
     public void testCRLEnabled() throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
-        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, true, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, true, false, null, null, X509Util.DEFAULT_PROTOCOLS);
         
assertTrue(Boolean.valueOf(System.getProperty("com.sun.net.ssl.checkRevocation")));
         
assertTrue(Boolean.valueOf(System.getProperty("com.sun.security.enableCRLDP")));
         assertFalse(Boolean.valueOf(Security.getProperty("ocsp.enable")));
@@ -170,7 +170,7 @@ public class TestX509Util extends 
BaseX509ParameterizedTestCase {
     @Test
     public void testCRLDisabled() throws Exception {
         init(caKeyType, certKeyType, keyPassword, paramIndex);
-        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOL);
+        SslContext sslContext = 
X509Util.createSslContextForServer(tlsConfigKeystoreLocation, 
tlsConfigKeystorePassword.toCharArray(), tlsConfigKeystoreType, 
tlsConfigTrustLocation, tlsConfigTrustPassword.toCharArray(), 
tlsConfigTrustType, false, false, null, null, X509Util.DEFAULT_PROTOCOLS);
         
assertFalse(Boolean.valueOf(System.getProperty("com.sun.net.ssl.checkRevocation")));
         
assertFalse(Boolean.valueOf(System.getProperty("com.sun.security.enableCRLDP")));
         assertFalse(Boolean.valueOf(Security.getProperty("ocsp.enable")));
diff --git 
a/transaction-client/src/main/java/org/apache/omid/tso/client/OmidClientConfiguration.java
 
b/transaction-client/src/main/java/org/apache/omid/tso/client/OmidClientConfiguration.java
index d68a63fe..b2463739 100644
--- 
a/transaction-client/src/main/java/org/apache/omid/tso/client/OmidClientConfiguration.java
+++ 
b/transaction-client/src/main/java/org/apache/omid/tso/client/OmidClientConfiguration.java
@@ -23,7 +23,7 @@ import org.apache.omid.YAMLUtils;
 import 
org.apache.phoenix.thirdparty.com.google.common.annotations.VisibleForTesting;
 
 import static 
org.apache.omid.tls.X509Util.DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
-import static org.apache.omid.tls.X509Util.DEFAULT_PROTOCOL;
+import static org.apache.omid.tls.X509Util.DEFAULT_PROTOCOLS;
 
 /**
  * Configuration for Omid client side
@@ -83,7 +83,7 @@ public class OmidClientConfiguration {
 
     private String cipherSuites;
 
-    private String tlsConfigProtocols = DEFAULT_PROTOCOL;
+    private String tlsConfigProtocols = DEFAULT_PROTOCOLS;
 
     // 
----------------------------------------------------------------------------------------------------------------
     // Instantiation
diff --git 
a/transaction-client/src/test/java/org/apache/omid/tso/client/TestGetSslContext.java
 
b/transaction-client/src/test/java/org/apache/omid/tso/client/TestGetSslContext.java
index 24de8dae..4ce780ca 100644
--- 
a/transaction-client/src/test/java/org/apache/omid/tso/client/TestGetSslContext.java
+++ 
b/transaction-client/src/test/java/org/apache/omid/tso/client/TestGetSslContext.java
@@ -68,7 +68,7 @@ public class TestGetSslContext {
         SslContext sslContext = tsoClient.getSslContext(tsoClientConf);
 
         ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
-        Assert.assertEquals(new String[] { X509Util.DEFAULT_PROTOCOL },
+        Assert.assertEquals(X509Util.DEFAULT_PROTOCOLS.split(","),
                 
sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
 
         Assert.assertEquals(new String[] { cipherSuite },
diff --git 
a/transaction-client/src/test/java/org/apache/omid/tso/client/TestOmidClientConfiguration.java
 
b/transaction-client/src/test/java/org/apache/omid/tso/client/TestOmidClientConfiguration.java
index 0a3b288c..a0b795a1 100644
--- 
a/transaction-client/src/test/java/org/apache/omid/tso/client/TestOmidClientConfiguration.java
+++ 
b/transaction-client/src/test/java/org/apache/omid/tso/client/TestOmidClientConfiguration.java
@@ -20,6 +20,7 @@ package org.apache.omid.tso.client;
 import org.testng.Assert;
 import org.testng.annotations.Test;
 import org.apache.omid.tso.client.OmidClientConfiguration.ConnType;
+import org.apache.omid.tls.X509Util;
 import 
org.apache.omid.tso.client.OmidClientConfiguration.ConflictDetectionLevel;
 
 public class TestOmidClientConfiguration {
@@ -30,7 +31,7 @@ public class TestOmidClientConfiguration {
         Assert.assertEquals(configuration.getConnectionString(), 
"localhost:24758");
         Assert.assertEquals(configuration.getConnectionType(), 
ConnType.DIRECT);
         Assert.assertEquals(configuration.getEnabledProtocols(), null);
-        Assert.assertEquals(configuration.getTsConfigProtocols(), "TLSv1.2");
+        Assert.assertEquals(configuration.getTsConfigProtocols(), 
X509Util.DEFAULT_PROTOCOLS);
         Assert.assertEquals(configuration.getTlsEnabled(), false);
         Assert.assertEquals(configuration.getKeyStoreLocation(), "");
         Assert.assertEquals(configuration.getKeyStorePassword(), "");
@@ -46,7 +47,7 @@ public class TestOmidClientConfiguration {
         Assert.assertEquals(configuration.getConnectionString(), 
"localhost:24758");
         Assert.assertEquals(configuration.getConnectionType(), 
ConnType.DIRECT);
         Assert.assertEquals(configuration.getEnabledProtocols(), "TLSv1.2");
-        Assert.assertEquals(configuration.getTsConfigProtocols(), "TLSv1.2");
+        Assert.assertEquals(configuration.getTsConfigProtocols(), 
X509Util.DEFAULT_PROTOCOLS);
         Assert.assertEquals(configuration.getTlsEnabled(), true);
         Assert.assertEquals(configuration.getKeyStoreLocation(), "/asd");
         Assert.assertEquals(configuration.getKeyStorePassword(), "pass");
diff --git a/tso-server/src/main/java/org/apache/omid/tso/TSOServerConfig.java 
b/tso-server/src/main/java/org/apache/omid/tso/TSOServerConfig.java
index b1e7a066..d0a02cac 100644
--- a/tso-server/src/main/java/org/apache/omid/tso/TSOServerConfig.java
+++ b/tso-server/src/main/java/org/apache/omid/tso/TSOServerConfig.java
@@ -27,7 +27,7 @@ import org.apache.omid.tools.hbase.SecureHBaseConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static org.apache.omid.tls.X509Util.DEFAULT_PROTOCOL;
+import static org.apache.omid.tls.X509Util.DEFAULT_PROTOCOLS;
 
 /**
  * Reads the configuration parameters of a TSO server instance from 
CONFIG_FILE_NAME.
@@ -118,7 +118,7 @@ public class TSOServerConfig extends SecureHBaseConfig {
 
     private String cipherSuites;
 
-    private String tlsConfigProtocols = DEFAULT_PROTOCOL;
+    private String tlsConfigProtocols = DEFAULT_PROTOCOLS;
 
     public boolean getMonitorContext() {
         return monitorContext;
diff --git 
a/tso-server/src/test/java/org/apache/omid/tso/TSOServerConfigTest.java 
b/tso-server/src/test/java/org/apache/omid/tso/TSOServerConfigTest.java
index 4359d9b0..53923b5f 100644
--- a/tso-server/src/test/java/org/apache/omid/tso/TSOServerConfigTest.java
+++ b/tso-server/src/test/java/org/apache/omid/tso/TSOServerConfigTest.java
@@ -17,6 +17,7 @@
  */
 package org.apache.omid.tso;
 
+import org.apache.omid.tls.X509Util;
 import org.testng.Assert;
 import org.testng.annotations.Test;
 
@@ -28,7 +29,7 @@ public class TSOServerConfigTest {
         Assert.assertEquals(tsoServerConfig.getTlsEnabled(), false);
         Assert.assertEquals(tsoServerConfig.getSupportPlainText(), true);
         Assert.assertEquals(tsoServerConfig.getEnabledProtocols(), null);
-        Assert.assertEquals(tsoServerConfig.getTsConfigProtocols(), "TLSv1.2");
+        Assert.assertEquals(tsoServerConfig.getTsConfigProtocols(), 
X509Util.DEFAULT_PROTOCOLS);
         Assert.assertEquals(tsoServerConfig.getKeyStoreLocation(), "");
         Assert.assertEquals(tsoServerConfig.getKeyStorePassword(), "");
         Assert.assertEquals(tsoServerConfig.getKeyStoreType(), "");
@@ -45,7 +46,7 @@ public class TSOServerConfigTest {
         Assert.assertEquals(tsoServerConfig.getSupportPlainText(), false);
 
         Assert.assertEquals(tsoServerConfig.getEnabledProtocols(), "TLSv1.2");
-        Assert.assertEquals(tsoServerConfig.getTsConfigProtocols(), "TLSv1.2");
+        Assert.assertEquals(tsoServerConfig.getTsConfigProtocols(), 
X509Util.DEFAULT_PROTOCOLS);
 
         Assert.assertEquals(tsoServerConfig.getKeyStoreLocation(), "/asd");
         Assert.assertEquals(tsoServerConfig.getKeyStorePassword(), "pass");
