This is an automated email from the ASF dual-hosted git repository.

zhangduo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new d8b5198cfb5 HBASE-28122: Support TLSv1.3 cipher suites (#5444)
d8b5198cfb5 is described below

commit d8b5198cfb50823577afd6a66c7fc5d401c825d9
Author: Charles Connell <char...@connells.org>
AuthorDate: Wed Nov 8 20:03:01 2023 -0500

    HBASE-28122: Support TLSv1.3 cipher suites (#5444)
    
    Co-authored-by: Charles Connell <cconn...@hubspot.com>
    Signed-off-by: Duo Zhang <zhang...@apache.org>
---
 .../hadoop/hbase/io/crypto/tls/X509Util.java       | 39 +++++++++++++---------
 .../hadoop/hbase/io/crypto/tls/TestX509Util.java   |  8 ++---
 2 files changed, 28 insertions(+), 19 deletions(-)

diff --git 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index 7d16a82b1f3..41acfbbf48f 100644
--- 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++ 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -115,6 +115,10 @@ public final class X509Util {
     "hbase.client.netty.tls.handshaketimeout";
   public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
 
+  private static String[] getTls13Ciphers() {
+    return new String[] { "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384" };
+  }
+
   private static String[] getGCMCiphers() {
     return new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
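Review bot: `getTls13Ciphers()` is added without a comment saying what the list is and why it stops at two suites, which matters because this list becomes the front of the Java 11 default order and of the OpenSSL-filtered order. A short Javadoc would help the next maintainer, e.g. `/** TLSv1.3 suites (RFC 8446 names); AES-GCM only, in preference order. Only recognized by JSSE on Java 11+. */`. If leaving out TLS_CHACHA20_POLY1305_SHA256 is a deliberate choice (consistent with the AES-only GCM/CBC lists below), say so in that comment so a later reader does not add it by accident.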
@@ -136,14 +140,17 @@ public final class X509Util {
   // Note that this performance assumption might not hold true for 
architectures other than x86_64.
   private static final String[] DEFAULT_CIPHERS_JAVA9 =
     ObjectArrays.concat(getGCMCiphers(), getCBCCiphers(), String.class);
+  private static final String[] DEFAULT_CIPHERS_JAVA11 =
+    ObjectArrays.concat(ObjectArrays.concat(getTls13Ciphers(), 
getGCMCiphers(), String.class),
+      getCBCCiphers(), String.class);
 
   private static final String[] DEFAULT_CIPHERS_OPENSSL = 
getOpenSslFilteredDefaultCiphers();
 
   /**
    * Not all of our default ciphers are available in OpenSSL. Takes our 
default cipher lists and
-   * filters them to only those available in OpenSsl. Does GCM first, then CBC 
because GCM tends to
-   * be better and faster, and we don't need to worry about the java8 vs 9 
performance issue if
-   * OpenSSL is handling it.
+   * filters them to only those available in OpenSsl. Prefers TLS 1.3, then 
GCM, then CBC because
+   * GCM tends to be better and faster, and we don't need to worry about the 
java8 vs 9 performance
+   * issue if OpenSSL is handling it.
    */
   private static String[] getOpenSslFilteredDefaultCiphers() {
     if (!OpenSsl.isAvailable()) {
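Review bot: The nested `ObjectArrays.concat(ObjectArrays.concat(...), ..., String.class)` for `DEFAULT_CIPHERS_JAVA11` hides the one thing that matters here, the preference order TLS 1.3 → GCM → CBC, inside two levels of calls; a flat stream reads as the ordered list it is: `Stream.of(getTls13Ciphers(), getGCMCiphers(), getCBCCiphers()).flatMap(Arrays::stream).toArray(String[]::new)`. The same three-group concatenation is repeated in the next hunk inside `getOpenSslFilteredDefaultCiphers`, so a single private helper returning the ordered list would keep the two defaults from drifting apart. Whichever form stays, a one-line comment such as `// Preference order: TLSv1.3 suites first, then GCM, then CBC` on the field would document the ordering the tests now assert.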
@@ -152,16 +159,9 @@ public final class X509Util {
 
     Set<String> openSslSuites = OpenSsl.availableJavaCipherSuites();
     List<String> defaultSuites = new ArrayList<>();
-    for (String cipher : getGCMCiphers()) {
-      if (openSslSuites.contains(cipher)) {
-        defaultSuites.add(cipher);
-      }
-    }
-    for (String cipher : getCBCCiphers()) {
-      if (openSslSuites.contains(cipher)) {
-        defaultSuites.add(cipher);
-      }
-    }
+    
Arrays.stream(getTls13Ciphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
+    
Arrays.stream(getGCMCiphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
+    
Arrays.stream(getCBCCiphers()).filter(openSslSuites::contains).forEach(defaultSuites::add);
     return defaultSuites.toArray(new String[0]);
   }
 
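Review bot: Building `defaultSuites` through three `forEach(defaultSuites::add)` side-effecting pipelines is the pattern reviewers usually flag for streams; the same result is one pipeline with no intermediate list, `return Stream.of(getTls13Ciphers(), getGCMCiphers(), getCBCCiphers()).flatMap(Arrays::stream).filter(openSslSuites::contains).toArray(String[]::new);`, which also makes the preference order explicit. The hunk introduces `Arrays.stream` but the import block is not in this diff, so I cannot confirm `java.util.Arrays` (and `java.util.stream.Stream`, if the one-pipeline form is adopted) is imported in this file. `getOpenSslFilteredDefaultCiphers` starts in the previous hunk.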
@@ -219,10 +219,19 @@ public final class X509Util {
 
   static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion) {
     Objects.requireNonNull(javaVersion);
+
     if (javaVersion.matches("\\d+")) {
       // Must be Java 9 or later
-      LOG.debug("Using Java9+ optimized cipher suites for Java version {}", 
javaVersion);
-      return DEFAULT_CIPHERS_JAVA9;
+      int javaVersionInt = Integer.parseInt(javaVersion);
+      if (javaVersionInt >= 11) {
+        LOG.debug(
+          "Using Java11+ optimized cipher suites for Java version {}, 
including TLSv1.3 support",
+          javaVersion);
+        return DEFAULT_CIPHERS_JAVA11;
+      } else {
+        LOG.debug("Using Java9+ optimized cipher suites for Java version {}", 
javaVersion);
+        return DEFAULT_CIPHERS_JAVA9;
+      }
     } else if (javaVersion.startsWith("1.")) {
       // Must be Java 1.8 or earlier
       LOG.debug("Using Java8 optimized cipher suites for Java version {}", 
javaVersion);
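Review bot: The new `javaVersionInt >= 11` branch carries no comment explaining the threshold, unlike the surrounding `// Must be Java 9 or later` / `// Must be Java 1.8 or earlier` comments; a line such as `// TLSv1.3 (and its TLS_AES_* suite names) is only available in JSSE from Java 11 (JEP 332)` would record why 11 is the cut-off and why the TLS 1.3 suites must not be handed to a Java 9/10 SSLContext. `Integer.parseInt` on a `\d+` match can still throw `NumberFormatException` for an absurdly long digit string; this is unlikely for a real `java.specification.version` value, but if the input can come from configuration a `catch` falling back to `DEFAULT_CIPHERS_JAVA9` would be safer. `getDefaultCipherSuitesForJavaVersion` continues past the end of the hunk.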
diff --git 
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
 
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
index dd81403af6f..dd43f8be5cb 100644
--- 
a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
+++ 
b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
@@ -379,21 +379,21 @@ public class TestX509Util extends 
AbstractTestX509Parameterized {
   public void testGetDefaultCipherSuitesJava9() {
     String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("9");
     // Java 9+ default should have the GCM suites first
-    assertThat(cipherSuites[0], containsString("GCM"));
+    assertEquals(cipherSuites[0], "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
   }
 
   @Test
   public void testGetDefaultCipherSuitesJava10() {
     String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("10");
     // Java 9+ default should have the GCM suites first
-    assertThat(cipherSuites[0], containsString("GCM"));
+    assertEquals(cipherSuites[0], "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
   }
 
   @Test
   public void testGetDefaultCipherSuitesJava11() {
     String[] cipherSuites = 
X509Util.getDefaultCipherSuitesForJavaVersion("11");
-    // Java 9+ default should have the GCM suites first
-    assertThat(cipherSuites[0], containsString("GCM"));
+    // Java 11+ default should have the TLSv1.3 suites first
+    assertThat(cipherSuites[0], containsString("TLS_AES_128_GCM"));
   }
 
   @Test
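Review bot: The two new `assertEquals(cipherSuites[0], "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")` calls in `testGetDefaultCipherSuitesJava9` and `testGetDefaultCipherSuitesJava10` have the arguments reversed for JUnit's `assertEquals(expected, actual)`, so a failure message will report the literal as the "actual" value; write them as `assertEquals("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", cipherSuites[0]);`. For symmetry, `testGetDefaultCipherSuitesJava11` could pin the exact first suite too, `assertEquals("TLS_AES_128_GCM_SHA256", cipherSuites[0]);`, rather than `containsString`, since the commit fixes the order deliberately. None of the three tests checks that the TLS 1.3 names are absent from the Java 9/10 lists, which is the property that keeps those JSSE versions from rejecting the suite list; one `assertThat(cipherSuites[0], not(startsWith("TLS_AES_")))` per test would cover it.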
