[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338936374
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -81,7 +87,32 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
}
-public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
+
+/**
+ * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+ * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
+ */
+private static String defaultTlsProtocol() {
+String defaultProtocol = "TLSv1.2";
+List supported = new ArrayList<>();
+try {
+supported =
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+if (supported.contains("TLSv1.3")) {
+defaultProtocol = "TLSv1.3";
+}
+} catch (NoSuchAlgorithmException e) {
+// Ignore.
+}
+LOG.info("Default TLS protocol is {}, supported TLS protocols are {}",
defaultProtocol, supported);
+return defaultProtocol;
+}
+
+// ChaCha20 was introduced in OpenJDK 11.0.15 and it is not supported by
JDK8.
+private static String[] getTLSv13Ciphers() {
+return new String[]{"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"};
+}
Review Comment:
Since the cipher list is hardcoded, I needed to extend it with TLSv1.3
ciphers. My approach was to list all TLSv1.3 ciphers that JDK would normally
enable by default. So, I created the list by checking what
`SSLServerSocketFactory.getDefault().getDefaultCipherSuites()` returns on
recent JDK, and out from that list I picked the ones that are for TLSv1.3. This
also happens to match with list recommended here
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility.
There are more TLSv1.3 ciphers in JDK, but Java does not enable them by
default
https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#jsse-cipher-suite-names
(see rows where column "Introduced in" says TLSv1.3).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338906170
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -91,18 +127,22 @@ private static String[] getCBCCiphers() {
return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
}
-private static String[] concatArrays(String[] left, String[] right) {
-String[] result = new String[left.length + right.length];
-System.arraycopy(left, 0, result, 0, left.length);
-System.arraycopy(right, 0, result, left.length, right.length);
-return result;
+/**
+ * Returns a filtered set of ciphers, where ciphers not supported by the
JDK are removed.
+ */
+private static String[] getSupportedCiphers(String[]... cipherLists) {
+List supported = Arrays.asList(
+((SSLServerSocketFactory)
SSLServerSocketFactory.getDefault()).getSupportedCipherSuites());
Review Comment:
Filtering allows including `TLS_CHACHA20_POLY1305_SHA256` in the TLSv1.3
cipher list, even though it is only supported by JDK 11.0.15 and later.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338229830
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -90,18 +121,30 @@ private static String[] getCBCCiphers() {
return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
}
-private static String[] concatArrays(String[] left, String[] right) {
-String[] result = new String[left.length + right.length];
-System.arraycopy(left, 0, result, 0, left.length);
-System.arraycopy(right, 0, result, left.length, right.length);
-return result;
+/**
+ * Returns a filtered set of ciphers, where ciphers not supported by the
JDK are removed.
+ */
+private static String[] getSupportedCiphers(String[]... cipherLists) {
Review Comment:
I did not do this change at this point.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338211860
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -90,18 +121,30 @@ private static String[] getCBCCiphers() {
return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
}
-private static String[] concatArrays(String[] left, String[] right) {
-String[] result = new String[left.length + right.length];
-System.arraycopy(left, 0, result, 0, left.length);
-System.arraycopy(right, 0, result, left.length, right.length);
-return result;
+/**
+ * Returns a filtered set of ciphers, where ciphers not supported by the
JDK are removed.
+ */
+private static String[] getSupportedCiphers(String[]... cipherLists) {
+Set supported = new HashSet<>(Arrays.asList(
+((SSLServerSocketFactory)
SSLServerSocketFactory.getDefault()).getSupportedCipherSuites()));
+
+List chosen = new ArrayList<>();
+for (String[] ciphers : cipherLists) {
+for (String cipher : ciphers) {
+if (supported.contains(cipher)) {
+chosen.add(cipher);
+}
+}
+}
+return chosen.toArray(new String[0]);
Review Comment:
Changed according to suggestion.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338211360
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -81,7 +87,32 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
}
-public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
+
+/**
+ * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+ * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
+ */
+private static String defaultTlsProtocol() {
+String defaultProtocol = "TLSv1.2";
Review Comment:
I've added protocol version constants.
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -90,18 +121,30 @@ private static String[] getCBCCiphers() {
return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
}
-private static String[] concatArrays(String[] left, String[] right) {
-String[] result = new String[left.length + right.length];
-System.arraycopy(left, 0, result, 0, left.length);
-System.arraycopy(right, 0, result, left.length, right.length);
-return result;
+/**
+ * Returns a filtered set of ciphers, where ciphers not supported by the
JDK are removed.
+ */
+private static String[] getSupportedCiphers(String[]... cipherLists) {
+Set supported = new HashSet<>(Arrays.asList(
+((SSLServerSocketFactory)
SSLServerSocketFactory.getDefault()).getSupportedCipherSuites()));
Review Comment:
Changed according to suggestion.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1338210923
##
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java:
##
@@ -102,6 +106,19 @@ public void testCreateSSLContextWithoutCustomProtocol(
init(caKeyType, certKeyType, keyPassword, paramIndex);
SSLContext sslContext = x509Util.getDefaultSSLContext();
assertEquals(X509Util.DEFAULT_PROTOCOL, sslContext.getProtocol());
+
+// Check that TLSv1.3 is selected in JDKs that support it (OpenJDK
8u272 and later).
+List supported =
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+if (supported.contains("TLSv1.3")) {
+// SSLContext protocol.
+assertEquals("TLSv1.3", sslContext.getProtocol());
+// Enabled protocols.
+
assertThat(Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols()),
+Matchers.containsInAnyOrder(new String[] {"TLSv1.2",
"TLSv1.3"}));
Review Comment:
I've now removed hamcrest matcher use.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1336257400
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -81,7 +87,32 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
}
-public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
+
+/**
+ * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+ * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
+ */
+private static String defaultTlsProtocol() {
+String defaultProtocol = "TLSv1.2";
+List supported = new ArrayList<>();
+try {
+supported =
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+if (supported.contains("TLSv1.3")) {
+defaultProtocol = "TLSv1.3";
+}
+} catch (NoSuchAlgorithmException e) {
+// Ignore.
+}
+LOG.info("Default TLS protocol is {}, supported TLS protocols are {}",
defaultProtocol, supported);
+return defaultProtocol;
+}
+
+// ChaCha20 was introduced in OpenJDK 11.0.15 and it is not supported by
JDK8.
+private static String[] getTLSv13Ciphers() {
+return new String[]{"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"};
+}
Review Comment:
Exactly, this whole problem of TLSv1.3 not working _began_ from hardcoded
ciphers in ZK,
https://issues.apache.org/jira/browse/ZOOKEEPER-4415?focusedCommentId=17497994=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17497994
but did not dare to change that - so in a way building on top what existed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1336257400
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -81,7 +87,32 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
}
-public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
+
+/**
+ * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+ * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
+ */
+private static String defaultTlsProtocol() {
+String defaultProtocol = "TLSv1.2";
+List supported = new ArrayList<>();
+try {
+supported =
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+if (supported.contains("TLSv1.3")) {
+defaultProtocol = "TLSv1.3";
+}
+} catch (NoSuchAlgorithmException e) {
+// Ignore.
+}
+LOG.info("Default TLS protocol is {}, supported TLS protocols are {}",
defaultProtocol, supported);
+return defaultProtocol;
+}
+
+// ChaCha20 was introduced in OpenJDK 11.0.15 and it is not supported by
JDK8.
+private static String[] getTLSv13Ciphers() {
+return new String[]{"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"};
+}
Review Comment:
Exactly, this whole problem _began_ from hardcoded ciphers in ZK,
https://issues.apache.org/jira/browse/ZOOKEEPER-4415?focusedCommentId=17497994=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17497994
but did not dare to change that - so in a way building on top what existed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [zookeeper] tsaarni commented on a diff in pull request #1919: ZOOKEEPER-4415: Added TLSv1.3 support to server
tsaarni commented on code in PR #1919:
URL: https://github.com/apache/zookeeper/pull/1919#discussion_r1118795100
##
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##
@@ -81,7 +87,29 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
}
-public static final String DEFAULT_PROTOCOL = "TLSv1.2";
+public static final String DEFAULT_PROTOCOL = defaultTlsProtocol();
+
+/**
+ * Return TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
+ * TLSv1.3 was first introduced in JDK11 and back-ported to OpenJDK 8u272.
+ */
+private static String defaultTlsProtocol() {
+try {
+List supported =
Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
+if (supported.contains("TLSv1.3")) {
+return "TLSv1.3";
Review Comment:
I've added log printout.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
