kileys commented on code in PR #24619: URL: https://github.com/apache/beam/pull/24619#discussion_r1053833328
########## sdks/java/container/java8/java8-security.properties: ########## @@ -0,0 +1,37 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Java 8 java.security properties file override for JVM +# base properties derived from: +# java version "1.8.0_151" +# Java(TM) SE Runtime Environment (build 1.8.0_151-b12) +# Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode) + +# New versions of Java have now disabled TLSv1 and TLSv1.1 +# +# To prevent breakages caused by the deprecation of algorithms during JDK +# updates, we are explictly passing an override to these properties +# to the JVM as a meta option. +# NOTE: GCM is explicitly disabled in Java 8 only, not in Java 11 or 17 Review Comment: Let's not disable GCM since we're not doing it currently ########## sdks/java/container/java11/option-java11-security.json: ########## @@ -0,0 +1,10 @@ +{ + "name": "java-securtiy", Review Comment: ```suggestion "name": "java-security", ``` ########## sdks/java/container/java8/java8-security.properties: ########## 
@@ -0,0 +1,37 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Java 8 java.security properties file override for JVM +# base properties derived from: +# java version "1.8.0_151" Review Comment: openjdk version "1.8.0_342" OpenJDK Runtime Environment (build 1.8.0_342-b07) OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode) This is the one on the external container (beam_java8_sdk) You'll want to re-check the properties for each version since it'll be different than the legacy containers ########## CHANGES.md: ########## @@ -63,6 +63,10 @@ ## New Features / Improvements * X feature added (Java/Python) ([#X](https://github.com/apache/beam/issues/X)). +* Adding override of allowed TLS algorithms (Java), now maintaining the disabled/legacy algorithms + present in 2.43.0 (up to 1.8.0_151, 11.0.9, 17.0.2 for respective Java versions). This primarily Review Comment: The versions are different in the runner v2 containers ########## sdks/java/container/java17/java17-security.properties: ########## 
@@ -0,0 +1,44 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Java 17 java.security properties file override for JVM + +# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the +# legacy algorithms list to allow it to be used if something better is not +# available (e.g. TLSv1.2). This will prevent breakages for existing users +# (for example JDBC with MySQL). See +# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 +# for additional details. +# +# GCM is explicitly disabled in Java 8 only because it performs very +# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20) +# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943) Review Comment: Same here ########## sdks/java/container/java11/java11-security.properties: ########## 
@@ -0,0 +1,44 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Java 11 java.security properties file override for JVM + +# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the +# legacy algorithms list to allow it to be used if something better is not +# available (e.g. TLSv1.2). This will prevent breakages for existing users +# (for example JDBC with MySQL). See +# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 +# for additional details. +# +# GCM is explicitly disabled in Java 8 only because it performs very +# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20) +# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943) Review Comment: We're not currently disabling it in the runner v2 containers. Remove this comment
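Review bot: The visible header comment in sdks/java/container/java8/java8-security.properties says newer Java versions have disabled TLSv1 and TLSv1.1 and that an override is passed to the JVM, but it never says what the override does with those two protocols. The Java 11 and 17 files state that they are kept as a fallback in the legacy algorithms list; the Java 8 header should say the equivalent, so someone auditing the container can see that the older protocols are permitted on purpose. In the same comment block, "explictly" should be "explicitly".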
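Review bot: The "name" value on the second line of sdks/java/container/java11/option-java11-security.json is misspelled as "java-securtiy"; it should be "java-security". If the option is looked up or logged by this name, the typo will make it harder to find, so it is worth checking any sibling option files added in this PR for the same spelling.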
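Review bot: The new CHANGES.md entry is ambiguous about its security effect: "maintaining the disabled/legacy algorithms present in 2.43.0" can be read as keeping algorithms disabled, while the properties files in this PR describe allowing TLSv1 and TLSv1.1 as a fallback. Name the two protocols and say that they remain usable, so operators reading the changelog know the containers accept them. The visible part of the entry also has no issue or PR link, unlike the template line directly above it, and "Adding" would read better as "Added".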
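Review bot: In the header comments of sdks/java/container/java11/java11-security.properties and sdks/java/container/java17/java17-security.properties, the paragraph on TLSv1 and TLSv1.1 explains why the protocols are allowed again but gives no guidance for users who want the JDK default back. A short line on how a pipeline can supply its own security properties, or a pointer to where that is documented, would let security-conscious users opt out of the fallback. The wording "put it in the legacy algorithms list to allow it to be used" refers to two protocols, so "them" reads more accurately than "it".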
