This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5df5124  RANGER-3153: Updated TLS version to 1.2 for ranger
5df5124 is described below

commit 5df512439c85199abacb84675b91d0b704fb61f0
Author: Sailaja Polavarapu <[email protected]>
AuthorDate: Thu Jan 28 13:05:28 2021 -0800

    RANGER-3153: Updated TLS version to 1.2 for ranger
---
 .../main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java   | 6 +++---
 .../src/main/resources/conf.dist/ranger-admin-default-site.xml      | 4 ++--
 .../apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java  | 2 +-
 unixauthservice/conf.dist/ranger-ugsync-default.xml                 | 2 +-
 .../org/apache/ranger/authentication/UnixAuthenticationService.java | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 757461d..8edcbbb 100644
--- 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -77,7 +77,7 @@ public class EmbeddedServer {
        private static final String KMS_SERVER_NAME   = "rangerkms";
        public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT = 
KeyStore.getDefaultType();
        public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT = 
KeyStore.getDefaultType();
-       public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS";
+       public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2";
        public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = 
KeyManagerFactory.getDefaultAlgorithm();
        public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = 
TrustManagerFactory.getDefaultAlgorithm();
 
@@ -151,7 +151,7 @@ public class EmbeddedServer {
                        ssl.setSecure(true);
                        ssl.setScheme("https");
                        ssl.setAttribute("SSLEnabled", "true");
-                       ssl.setAttribute("sslProtocol", 
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", 
"TLS"));
+                       ssl.setAttribute("sslProtocol", 
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", 
"TLSv1.2"));
                        ssl.setAttribute("keystoreType", 
EmbeddedServerUtil.getConfig("ranger.keystore.file.type", 
RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
                        ssl.setAttribute("truststoreType", 
EmbeddedServerUtil.getConfig("ranger.truststore.file.type", 
RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT));
                        String clientAuth = 
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.clientAuth", "false");
@@ -172,7 +172,7 @@ public class EmbeddedServer {
                        ssl.setAttribute("keystorePass", keystorePass);
                        ssl.setAttribute("keystoreFile", getKeystoreFile());
 
-                       String defaultEnabledProtocols = "SSLv2Hello, TLSv1, 
TLSv1.1, TLSv1.2";
+                       String defaultEnabledProtocols = "TLSv1.2";
                        String enabledProtocols = 
EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.enabled.protocols",
 defaultEnabledProtocols);
                        ssl.setAttribute("sslEnabledProtocols", 
enabledProtocols);
                        String ciphers = 
EmbeddedServerUtil.getConfig("ranger.tomcat.ciphers");
diff --git 
a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index fd957ca..8842071 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -288,7 +288,7 @@
 
        <property>
                <name>ranger.service.https.attrib.ssl.protocol</name>
-               <value>TLS</value>
+               <value>TLSv1.2</value>
        </property>
 
        <property>
@@ -592,7 +592,7 @@
        </property>
         <property>
                 <name>ranger.service.https.attrib.ssl.enabled.protocols</name>
-                <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+                <value>TLSv1.2</value>
         </property>
         <!-- Encryption -->
        <property>
diff --git 
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
 
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
index e97c477..b361835 100644
--- 
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
+++ 
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
@@ -104,7 +104,7 @@ public class CustomSSLSocketFactory extends 
SSLSocketFactory{
                                }
                        }
 
-                       sslContext = SSLContext.getInstance("TLS");
+                       sslContext = SSLContext.getInstance("TLSv1.2");
 
                        sslContext.init(kmList, tmList, new SecureRandom());
                        sockFactory = sslContext.getSocketFactory();
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml 
b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index 0f88aa3..9cedc99 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -27,7 +27,7 @@
        </property>
        <property>
                <name>ranger.usersync.https.ssl.enabled.protocols</name>
-               <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+               <value>TLSv1.2</value>
        </property>
        <property>
                <name>ranger.usersync.passwordvalidator.path</name>
diff --git 
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
 
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 92eb229..6e401b8 100644
--- 
a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ 
b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -58,7 +58,7 @@ public class UnixAuthenticationService {
 
        private static final String serviceName = "UnixAuthenticationService";
 
-       private static final String SSL_ALGORITHM = "TLS";
+       private static final String SSL_ALGORITHM = "TLSv1.2";
        private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = 
"ranger.usersync.port";
 
        private static final String SSL_KEYSTORE_PATH_PARAM = 
"ranger.usersync.keystore.file";
@@ -237,7 +237,7 @@ public class UnixAuthenticationService {
                String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM);
                
                SSLEnabled = (SSLEnabledProp != null &&  
(SSLEnabledProp.equalsIgnoreCase("true")));
-               String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, 
TLSv1.2";
+               String defaultEnabledProtocols = "TLSv1.2";
                String enabledProtocols = 
prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", 
defaultEnabledProtocols);
                enabledProtocolsList=new 
ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
 //             LOG.info("Key:" + keyStorePath);

Reply via email to