cbickel closed pull request #3881: Limit TLS protocols used for kafka and 
controller
URL: https://github.com/apache/incubator-openwhisk/pull/3881
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (GitHub does not display it for merged fork pull requests):

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 729a683527..19a7c9fe69 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -131,6 +131,8 @@ kafka:
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    protocols:
+    - TLSv1.2
   protocol: "{{ kafka_protocol_for_setup }}"
   version: 0.11.0.1
   port: 9072
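Review bot: The new `protocols` key under the kafka ssl block has no comment, yet roles/kafka/tasks/deploy.yml now templates it into the broker's KAFKA_SSL_ENABLED_PROTOCOLS, so an inventory that overrides the ssl block wholesale and omits this key will most likely fail at deploy time on an undefined variable rather than silently keep the old behaviour. A short comment above `protocols:` would make the intent and the dependency explicit, e.g. `# TLS versions the broker will negotiate; anything older is refused. Consumed by roles/kafka/tasks/deploy.yml`. The enclosing ssl block starts outside the hunk.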
diff --git a/ansible/roles/kafka/tasks/deploy.yml 
b/ansible/roles/kafka/tasks/deploy.yml
index 8f195fedce..436fcc9913 100644
--- a/ansible/roles/kafka/tasks/deploy.yml
+++ b/ansible/roles/kafka/tasks/deploy.yml
@@ -51,6 +51,7 @@
       "KAFKA_SSL_TRUSTSTORE_PASSWORD": "{{ kafka.ssl.keystore.password }}"
       "KAFKA_SSL_CLIENT_AUTH": "{{ kafka.ssl.client_authentication }}"
       "KAFKA_SSL_CIPHER_SUITES": "{{ kafka.ssl.cipher_suites | join(',') }}"
+      "KAFKA_SSL_ENABLED_PROTOCOLS": "{{ kafka.ssl.protocols | join(',') }}"
     # The sed script passed in CUSTOM_INIT_SCRIPT fixes a bug in the 
wurstmeister dcoker image
     # by patching the server.configuration file right before kafka is started.
     # The script adds the missing advertized hostname to the 
advertised.listener property
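Review bot: The KAFKA_SSL_ENABLED_PROTOCOLS line restricts only what the broker offers; whether the Kafka clients inside the controller and invoker are pinned to the same protocol set is not visible in this diff, and a client still willing to negotiate TLSv1.0/1.1 would simply fail the handshake against this broker rather than downgrade, so the restriction holds but the failure mode is worth naming. A one-line comment beside the new entry, e.g. `# Broker-side only; client protocol settings live in the Kafka client config`, would save the next reader the search. The env map this line belongs to starts outside the hunk.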
diff --git a/core/controller/src/main/resources/application.conf 
b/core/controller/src/main/resources/application.conf
index 77ce527c6d..f0a7877a1a 100644
--- a/core/controller/src/main/resources/application.conf
+++ b/core/controller/src/main/resources/application.conf
@@ -73,11 +73,16 @@ akka {
   }
 }
 
-ssl-config.enabledCipherSuites = [
-  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-]
+ssl-config {
+  enabledCipherSuites = [
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  ]
+  enabledProtocols = [
+    "TLSv1.2"
+  ]
+}
 
 whisk{
   # tracing configuration
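Review bot: The rewritten `ssl-config` block pins `enabledProtocols` to TLSv1.2 but carries the same three cipher suites forward unchanged, two of which (`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`) are CBC-mode suites that the protocol restriction does not harden; if the intent is to remove legacy negotiation, the GCM suite alone is the defensible set, otherwise the CBC entries deserve a comment saying which clients still need them. The block also has no comment tying it to the identical list in ansible/group_vars/all, so the two will drift; a line such as `# Keep in step with kafka.ssl.cipher_suites / kafka.ssl.protocols in ansible/group_vars/all` above `enabledCipherSuites` would help. The `whisk` block that follows continues outside the hunk.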
@@ -85,6 +90,3 @@ whisk{
     component = "Controller"
   }
 }
-
-
-


 
