TINKERPOP-2023 default to TLSv1.2, updated upgrade notes
Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/ca83fbdf Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/ca83fbdf Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/ca83fbdf Branch: refs/heads/master Commit: ca83fbdfdc885a9774ba1dbc17b3d9df75c49137 Parents: e3b4ae5 Author: Robert Dale <robd...@gmail.com> Authored: Sun Aug 12 21:50:02 2018 -0400 Committer: Robert Dale <robd...@gmail.com> Committed: Fri Aug 17 15:06:33 2018 -0400 ---------------------------------------------------------------------- CHANGELOG.asciidoc | 1 + .../upgrade/release-3.2.x-incubating.asciidoc | 25 ++++++++++++++++++++ gremlin-console/conf/remote-secure.yaml | 2 +- .../conf/gremlin-server-rest-secure.yaml | 1 + gremlin-server/conf/gremlin-server-secure.yaml | 1 + 5 files changed, 29 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/CHANGELOG.asciidoc ---------------------------------------------------------------------- diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index eb1a6c5..9dec8df 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -23,6 +23,7 @@ image::https://raw.githubusercontent.com/apache/tinkerpop/master/docs/static/ima [[release-3-2-10]] === TinkerPop 3.2.10 (Release Date: NOT OFFICIALLY RELEASED YET) +* SSL security enhancements * Fixed problem with Gremlin Server sometimes returning an additional message after a failure. * Allowed spaces in classpath for `gremlin-server.bat`. * Modified Maven archetype for Gremlin Server to use remote traversals rather than scripts. http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/docs/src/upgrade/release-3.2.x-incubating.asciidoc ---------------------------------------------------------------------- 
diff --git a/docs/src/upgrade/release-3.2.x-incubating.asciidoc b/docs/src/upgrade/release-3.2.x-incubating.asciidoc index af03937..9b0a120 100644 --- a/docs/src/upgrade/release-3.2.x-incubating.asciidoc +++ b/docs/src/upgrade/release-3.2.x-incubating.asciidoc 
@@ -29,6 +29,31 @@ Please see the link:https://github.com/apache/tinkerpop/blob/3.2.10/CHANGELOG.as === Upgrading for Users +==== SSL Security + +TinkerPop improves its security posture by removing insecure defaults and adding forward-looking standards support. + +Gremlin Server no longer supports automatically creating self-signed certificates. +Self-signed certificates can still be created manually outside of Gremlin Server. +If ssl is enabled, a key store must be configured. + +Cluster client no longer trusts all certs by default as this is an insecure configuration. +Instead, if no trust store is configured, Cluster will use the default CA certs. +To revert to the previous behavior and accept all certs, it must be explicitly configured. + +This release introduces JKS and PKCS12 support. JKS is the legacy Java Key Store. PKCS12 has better cross-platform support and is gaining in adoption. +Be aware that JKS is the default on Java 8. Java 9 and higher use PKCS12 as the default. Both Java keytool and OpenSSL tools can create, read, update PKCS12 files. + +Other new features include specifying SSL protocols and cipher suites. +The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by default. + +PEM-based configurations are deprecated and may be removed in a future release. + +See the section on configuring SSL. + +link:https://issues.apache.org/jira/browse/TINKERPOP-2022[TINKERPOP-2022] +link:https://issues.apache.org/jira/browse/TINKERPOP-2023[TINKERPOP-2023] + ==== Bulk Import and Export TinkerPop has provided some general methods for importing and exporting data, but more and more graph providers are http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-console/conf/remote-secure.yaml ---------------------------------------------------------------------- diff --git a/gremlin-console/conf/remote-secure.yaml b/gremlin-console/conf/remote-secure.yaml index c7a2c44..b0a7309 100644 --- a/gremlin-console/conf/remote-secure.yaml 
+++ b/gremlin-console/conf/remote-secure.yaml @@ -30,5 +30,5 @@ username: stephen password: password connectionPool: { enableSsl: true, - sslSkipCertValidation: true } + sslEnabledProtocols: [TLSv1.2] } serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }} http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-rest-secure.yaml ---------------------------------------------------------------------- diff --git a/gremlin-server/conf/gremlin-server-rest-secure.yaml b/gremlin-server/conf/gremlin-server-rest-secure.yaml index fcfbba1..2f4db91 100644 --- a/gremlin-server/conf/gremlin-server-rest-secure.yaml +++ b/gremlin-server/conf/gremlin-server-rest-secure.yaml @@ -70,6 +70,7 @@ authentication: { credentialsDb: conf/tinkergraph-credentials.properties}} ssl: { enabled: true, + sslEnabledProtocols: [TLSv1.2], # You must configure a keyStore! #keyStore: server.jks, #keyStorePassword: changeit http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-secure.yaml ---------------------------------------------------------------------- diff --git a/gremlin-server/conf/gremlin-server-secure.yaml b/gremlin-server/conf/gremlin-server-secure.yaml index af46c59..637af12 100644 --- a/gremlin-server/conf/gremlin-server-secure.yaml +++ b/gremlin-server/conf/gremlin-server-secure.yaml @@ -74,6 +74,7 @@ authentication: { credentialsDb: conf/tinkergraph-credentials.properties}} ssl: { enabled: true, + sslEnabledProtocols: [TLSv1.2], # You must configure a keyStore! #keyStore: server.jks, #keyStorePassword: changeit
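Review bot: The CHANGELOG line `+* SSL security enhancements` is too vague for a release note about behaviour that can break existing deployments on upgrade. In the CHANGELOG.asciidoc hunk, spell out what changed, as the upgrade-notes hunk in this same commit already does: the packaged `*-secure.yaml` files restrict to `TLSv1.2`, the driver no longer trusts all certificates by default, Gremlin Server no longer auto-creates self-signed certificates, and PEM-based configuration is deprecated, with the TINKERPOP-2022 and TINKERPOP-2023 references attached so readers can trace the entry.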
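Review bot: The revert instruction in the upgrade-notes hunk ("To revert to the previous behavior and accept all certs, it must be explicitly configured.") never names the setting, yet the remote-secure.yaml hunk of this same commit removes `sslSkipCertValidation: true`; name that option in the sentence so a user migrating sees both what was dropped from the packaged config and what they would have to set deliberately. Smaller points in the same hunk: "If ssl is enabled" should read "If SSL is enabled" to match the heading; "can create, read, update PKCS12 files" is missing an "and"; and "See the section on configuring SSL." should carry a `link:` reference like the two JIRA lines beneath it, since the upgrade doc otherwise gives no way to find that section.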
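Review bot: Removing `- sslSkipCertValidation: true }` from the console's `connectionPool` block without adding any trust-store entry leaves remote-secure.yaml validating the server certificate against the default CA certificates (per the upgrade notes), while the paired gremlin-server-secure.yaml in this commit ships with `#keyStore: server.jks` commented out and documented as something the operator must create; a locally generated certificate will therefore be rejected out of the box, and the first thing a user running the packaged secure example sees is a failed handshake. Suggest a commented-out trust-store entry in the `connectionPool` block, mirroring the server's `#keyStore:` / `#keyStorePassword:` lines, plus a one-line comment that the console now validates certificates, so the two secure examples pair up without anyone re-enabling certificate skipping. The `+ sslEnabledProtocols: [TLSv1.2] }` addition itself matches the server-side restriction, which is the right pairing.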
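Review bot: In both the gremlin-server-secure.yaml and gremlin-server-rest-secure.yaml hunks, `+ sslEnabledProtocols: [TLSv1.2],` is inserted directly above `# You must configure a keyStore!` while `#keyStore: server.jks` and `#keyStorePassword: changeit` stay commented out; with the upgrade notes now stating that an enabled SSL block requires a key store and that self-signed certificates are no longer created automatically, these packaged files are no longer usable as shipped. Extend the comment to state what happens when `enabled: true` is set with no key store and point at the upgrade notes' manual certificate creation step, so the failure is not a surprise on first start. The upgrade notes also announce cipher-suite configuration, but neither server file demonstrates it; a commented cipher-suite line next to `sslEnabledProtocols` would make the packaged config the reference for the new options.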