This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 5df5124 RANGER-3153: Updated TLS version to 1.2 for ranger
5df5124 is described below
commit 5df512439c85199abacb84675b91d0b704fb61f0
Author: Sailaja Polavarapu <[email protected]>
AuthorDate: Thu Jan 28 13:05:28 2021 -0800
RANGER-3153: Updated TLS version to 1.2 for ranger
---
.../main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java | 6 +++---
.../src/main/resources/conf.dist/ranger-admin-default-site.xml | 4 ++--
.../apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java | 2 +-
unixauthservice/conf.dist/ranger-ugsync-default.xml | 2 +-
.../org/apache/ranger/authentication/UnixAuthenticationService.java | 4 ++--
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 757461d..8edcbbb 100644
---
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -77,7 +77,7 @@ public class EmbeddedServer {
private static final String KMS_SERVER_NAME = "rangerkms";
public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT =
KeyStore.getDefaultType();
public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT =
KeyStore.getDefaultType();
- public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS";
+ public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2";
public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE =
KeyManagerFactory.getDefaultAlgorithm();
public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE =
TrustManagerFactory.getDefaultAlgorithm();
@@ -151,7 +151,7 @@ public class EmbeddedServer {
ssl.setSecure(true);
ssl.setScheme("https");
ssl.setAttribute("SSLEnabled", "true");
- ssl.setAttribute("sslProtocol",
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol",
"TLS"));
+ ssl.setAttribute("sslProtocol",
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol",
"TLSv1.2"));
ssl.setAttribute("keystoreType",
EmbeddedServerUtil.getConfig("ranger.keystore.file.type",
RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
ssl.setAttribute("truststoreType",
EmbeddedServerUtil.getConfig("ranger.truststore.file.type",
RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT));
String clientAuth =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.clientAuth", "false");
@@ -172,7 +172,7 @@ public class EmbeddedServer {
ssl.setAttribute("keystorePass", keystorePass);
ssl.setAttribute("keystoreFile", getKeystoreFile());
- String defaultEnabledProtocols = "SSLv2Hello, TLSv1,
TLSv1.1, TLSv1.2";
+ String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols =
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.enabled.protocols",
defaultEnabledProtocols);
ssl.setAttribute("sslEnabledProtocols",
enabledProtocols);
String ciphers =
EmbeddedServerUtil.getConfig("ranger.tomcat.ciphers");
diff --git
a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index fd957ca..8842071 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -288,7 +288,7 @@
<property>
<name>ranger.service.https.attrib.ssl.protocol</name>
- <value>TLS</value>
+ <value>TLSv1.2</value>
</property>
<property>
@@ -592,7 +592,7 @@
</property>
<property>
<name>ranger.service.https.attrib.ssl.enabled.protocols</name>
- <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+ <value>TLSv1.2</value>
</property>
<!-- Encryption -->
<property>
diff --git
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
index e97c477..b361835 100644
---
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
+++
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
@@ -104,7 +104,7 @@ public class CustomSSLSocketFactory extends
SSLSocketFactory{
}
}
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmList, tmList, new SecureRandom());
sockFactory = sslContext.getSocketFactory();
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml
b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index 0f88aa3..9cedc99 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -27,7 +27,7 @@
</property>
<property>
<name>ranger.usersync.https.ssl.enabled.protocols</name>
- <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+ <value>TLSv1.2</value>
</property>
<property>
<name>ranger.usersync.passwordvalidator.path</name>
diff --git
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 92eb229..6e401b8 100644
---
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -58,7 +58,7 @@ public class UnixAuthenticationService {
private static final String serviceName = "UnixAuthenticationService";
- private static final String SSL_ALGORITHM = "TLS";
+ private static final String SSL_ALGORITHM = "TLSv1.2";
private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM =
"ranger.usersync.port";
private static final String SSL_KEYSTORE_PATH_PARAM =
"ranger.usersync.keystore.file";
@@ -237,7 +237,7 @@ public class UnixAuthenticationService {
String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM);
SSLEnabled = (SSLEnabledProp != null &&
(SSLEnabledProp.equalsIgnoreCase("true")));
- String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1,
TLSv1.2";
+ String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols =
prop.getProperty("ranger.usersync.https.ssl.enabled.protocols",
defaultEnabledProtocols);
enabledProtocolsList=new
ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
// LOG.info("Key:" + keyStorePath);