cbickel closed pull request #3881: Limit TLS protocols used for kafka and controller URL: https://github.com/apache/incubator-openwhisk/pull/3881
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 729a683527..19a7c9fe69 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -131,6 +131,8 @@ kafka:
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ protocols:
+ - TLSv1.2
 protocol: "{{ kafka_protocol_for_setup }}"
 version: 0.11.0.1
 port: 9072
diff --git a/ansible/roles/kafka/tasks/deploy.yml b/ansible/roles/kafka/tasks/deploy.yml
index 8f195fedce..436fcc9913 100644
--- a/ansible/roles/kafka/tasks/deploy.yml
+++ b/ansible/roles/kafka/tasks/deploy.yml
@@ -51,6 +51,7 @@
 "KAFKA_SSL_TRUSTSTORE_PASSWORD": "{{ kafka.ssl.keystore.password }}"
 "KAFKA_SSL_CLIENT_AUTH": "{{ kafka.ssl.client_authentication }}"
 "KAFKA_SSL_CIPHER_SUITES": "{{ kafka.ssl.cipher_suites | join(',') }}"
+ "KAFKA_SSL_ENABLED_PROTOCOLS": "{{ kafka.ssl.protocols | join(',') }}"
 # The sed script passed in CUSTOM_INIT_SCRIPT fixes a bug in the wurstmeister dcoker image
 # by patching the server.configuration file right before kafka is started.
 # The script adds the missing advertized hostname to the advertised.listener property
diff --git a/core/controller/src/main/resources/application.conf b/core/controller/src/main/resources/application.conf
index 77ce527c6d..f0a7877a1a 100644
--- a/core/controller/src/main/resources/application.conf
+++ b/core/controller/src/main/resources/application.conf
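Review bot: The cipher list that the new `protocols:` key sits next to still carries the two CBC suites `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` beside the GCM suite, so pinning the broker to TLSv1.2 narrows the protocol version but leaves the weaker record construction selectable; the same three-suite list is repeated in the application.conf hunk below and the two should be kept in sync. Whether a client here still needs CBC cannot be told from this page, so at minimum the reason for keeping those suites deserves a comment next to the list. The indentation of the added `protocols:` key is lost in this rendering; deploy.yml reads it as `kafka.ssl.protocols`, so it has to sit under `ssl:` beside `cipher_suites`, which is worth confirming in the file. A one-line comment stating the intent, `# Broker accepts only TLSv1.2; older protocol versions are rejected at the handshake`, would make the setting self-explanatory.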
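Review bot: `KAFKA_SSL_ENABLED_PROTOCOLS` only restricts what the broker accepts (the wurstmeister image turns it into the broker's `ssl.enabled.protocols`), while the Kafka clients that connect to it, presumably the controller and invoker, keep whatever protocol set their own client configuration allows, and nothing in this change touches that side. If the goal is TLSv1.2 end to end, the client properties need the matching `ssl.enabled.protocols` value, which is worth noting in the PR or in a comment on this line, e.g. `# broker-side only; client protocol set is configured in the Kafka client properties`. The `join(',')` matches the format the cipher-suite line already uses, so the two env vars are consistent.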
@@ -73,11 +73,16 @@ akka {
 }
 }
-ssl-config.enabledCipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-]
+ssl-config {
+ enabledCipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ ]
+ enabledProtocols = [
+ "TLSv1.2"
+ ]
+}
 whisk{
 # tracing configuration
@@ -85,6 +90,3 @@ whisk{
 component = "Controller"
 }
 }
-
-
-
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
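Review bot: The new `ssl-config` block has no comment saying which endpoint it governs, and the file gives no hint either; if, as the akka context suggests, it configures the controller's HTTPS listener rather than its Kafka client, a heading such as `# TLS settings for the controller's HTTPS listener: TLSv1.2 only, ECDHE-RSA suites (keep in sync with ansible/group_vars/all)` would make that explicit and tie it to the duplicate cipher list in the Ansible hunk. `enabledProtocols = ["TLSv1.2"]` constrains the versions offered, but the library's `ssl-config.protocol` key (the version the context itself is created with) is left at its default, which this page does not show; confirm that default is compatible with a TLSv1.2-only enabled list so the context does not end up with an empty intersection. The cipher list still includes the two CBC suites, the point already raised on the group_vars hunk. The enclosing file continues outside this hunk.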