Posted to commits@geode.apache.org by bu...@apache.org on 2020/10/05 21:50:36 UTC
[geode] 02/02: GEODE-8419: SSL/TLS protocol and cipher suite
configuration is ignored (#5465)
This is an automated email from the ASF dual-hosted git repository.
burcham pushed a commit to branch feature/GEODE-8419-backport-1-13
in repository https://gitbox.apache.org/repos/asf/geode.git
commit ec649411c14b05c38aaf2edb8299a7daf7ed027b
Author: Bruce Schuchardt <bs...@pivotal.io>
AuthorDate: Wed Aug 19 15:27:07 2020 -0700
GEODE-8419: SSL/TLS protocol and cipher suite configuration is ignored (#5465)
* GEODE-8419: SSL/TLS protocol and cipher suite configuration is ignored
Configure cipher suites when creating an SSLEngine
(cherry picked from commit 537721ff815cf40eff85fde65db9b5e787471c89)
---
.../apache/geode/internal/SSLConfigJUnitTest.java | 2 +-
...LSocketHostNameVerificationIntegrationTest.java | 4 +-
.../internal/net/SSLSocketIntegrationTest.java | 4 +-
.../internal/net/SocketCreatorFailHandshake.java | 2 -
.../admin/internal/AdminDistributedSystemImpl.java | 2 +-
.../apache/geode/distributed/LocatorLauncher.java | 2 +-
.../admin/remote/DistributionLocatorId.java | 2 +-
.../admin/remote/RemoteTransportConfig.java | 2 +-
.../geode/internal/net/SCClusterSocketCreator.java | 1 -
.../geode/internal/{admin => net}/SSLConfig.java | 3 +-
.../internal/net/SSLConfigurationFactory.java | 1 -
.../org/apache/geode/internal/net/SSLUtil.java | 66 +++++++++------
.../apache/geode/internal/net/SocketCreator.java | 96 +++++++++++++++-------
.../geode/internal/net/SocketCreatorFactory.java | 1 -
.../org/apache/geode/internal/tcp/Connection.java | 2 +-
.../ContextAwareSSLRMIClientSocketFactory.java | 2 +-
.../management/internal/JmxManagerAdvisee.java | 2 +-
.../internal/JmxManagerLocatorRequest.java | 2 +-
.../geode/management/internal/ManagementAgent.java | 2 +-
.../internal/api/GeodeConnectionConfig.java | 2 +-
...ClusterManagementServiceInfoRequestHandler.java | 2 +-
.../functions/GetMemberInformationFunction.java | 2 +-
.../net/SSLConfigurationFactoryJUnitTest.java | 1 -
.../org/apache/geode/internal/net/SSLUtilTest.java | 84 +++++++++++++++++++
.../geode/internal/net/SocketCreatorJUnitTest.java | 55 ++++++++++++-
.../apache/geode/internal/tcp/TCPConduitTest.java | 2 +-
.../internal/cli/commands/ConnectCommand.java | 2 +-
.../internal/cli/shell/JmxOperationInvoker.java | 2 +-
.../geode/internal/cache/InternalHttpService.java | 2 +-
.../acceptance/CacheConnectionIntegrationTest.java | 2 +-
.../v1/acceptance/CacheOperationsJUnitTest.java | 2 +-
.../geode/tools/pulse/tests/rules/ServerRule.java | 2 +-
.../java/org/apache/geode/redis/SSLTest.java | 2 +-
33 files changed, 271 insertions(+), 89 deletions(-)
diff --git a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
index 99ec074..2a3ded9 100755
--- a/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
+++ b/geode-core/src/integrationTest/java/org/apache/geode/internal/SSLConfigJUnitTest.java
@@ -67,7 +67,7 @@ import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.apache.geode.distributed.internal.DistributionConfigImpl;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.test.junit.categories.SecurityTest;
diff --git a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketHostNameVerificationIntegrationTest.java b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketHostNameVerificationIntegrationTest.java
index 5483457..dc7df44 100755
--- a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketHostNameVerificationIntegrationTest.java
+++ b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketHostNameVerificationIntegrationTest.java
@@ -168,7 +168,7 @@ public class SSLSocketHostNameVerificationIntegrationTest {
this.clientSocket = clientChannel.socket();
SSLEngine sslEngine =
- this.socketCreator.createSSLEngine(this.localHost.getHostName(), 1234);
+ this.socketCreator.createSSLEngine(this.localHost.getHostName(), 1234, true);
try {
this.socketCreator.handshakeSSLSocketChannel(clientSocket.getChannel(),
@@ -200,7 +200,7 @@ public class SSLSocketHostNameVerificationIntegrationTest {
try {
socket = serverSocket.accept();
SocketCreator sc = SocketCreatorFactory.getSocketCreatorForComponent(CLUSTER);
- final SSLEngine sslEngine = sc.createSSLEngine(this.localHost.getHostName(), 1234);
+ final SSLEngine sslEngine = sc.createSSLEngine(this.localHost.getHostName(), 1234, false);
engine =
sc.handshakeSSLSocketChannel(socket.getChannel(),
sslEngine,
diff --git a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketIntegrationTest.java b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketIntegrationTest.java
index 4800940..19eab4f 100755
--- a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketIntegrationTest.java
+++ b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SSLSocketIntegrationTest.java
@@ -227,7 +227,7 @@ public class SSLSocketIntegrationTest {
clientSocket = clientChannel.socket();
NioSslEngine engine =
clusterSocketCreator.handshakeSSLSocketChannel(clientSocket.getChannel(),
- clusterSocketCreator.createSSLEngine("localhost", 1234), 0, true,
+ clusterSocketCreator.createSSLEngine("localhost", 1234, true), 0, true,
ByteBuffer.allocate(65535), new BufferPool(mock(DMStats.class)));
clientChannel.configureBlocking(true);
@@ -273,7 +273,7 @@ public class SSLSocketIntegrationTest {
socket = serverSocket.accept();
SocketCreator sc = SocketCreatorFactory.getSocketCreatorForComponent(CLUSTER);
- final SSLEngine sslEngine = sc.createSSLEngine("localhost", 1234);
+ final SSLEngine sslEngine = sc.createSSLEngine("localhost", 1234, false);
engine =
sc.handshakeSSLSocketChannel(socket.getChannel(), sslEngine,
timeoutMillis,
diff --git a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SocketCreatorFailHandshake.java b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SocketCreatorFailHandshake.java
index 286ec43..d899baa 100644
--- a/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SocketCreatorFailHandshake.java
+++ b/geode-core/src/integrationTest/java/org/apache/geode/internal/net/SocketCreatorFailHandshake.java
@@ -20,8 +20,6 @@ import java.util.List;
import javax.net.ssl.SSLException;
-import org.apache.geode.internal.admin.SSLConfig;
-
/*
* This test class will fail the TLS handshake with an SSLException, by default.
*/
diff --git a/geode-core/src/main/java/org/apache/geode/admin/internal/AdminDistributedSystemImpl.java b/geode-core/src/main/java/org/apache/geode/admin/internal/AdminDistributedSystemImpl.java
index 66ff10f..2c279f9 100755
--- a/geode-core/src/main/java/org/apache/geode/admin/internal/AdminDistributedSystemImpl.java
+++ b/geode-core/src/main/java/org/apache/geode/admin/internal/AdminDistributedSystemImpl.java
@@ -81,7 +81,6 @@ import org.apache.geode.internal.admin.GemFireVM;
import org.apache.geode.internal.admin.GfManagerAgent;
import org.apache.geode.internal.admin.GfManagerAgentConfig;
import org.apache.geode.internal.admin.GfManagerAgentFactory;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.admin.remote.CompactRequest;
import org.apache.geode.internal.admin.remote.DistributionLocatorId;
import org.apache.geode.internal.admin.remote.MissingPersistentIDsRequest;
@@ -96,6 +95,7 @@ import org.apache.geode.internal.logging.Banner;
import org.apache.geode.internal.logging.InternalLogWriter;
import org.apache.geode.internal.logging.LogWriterFactory;
import org.apache.geode.internal.logging.log4j.LogMarker;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.util.concurrent.FutureResult;
import org.apache.geode.logging.internal.LoggingSession;
import org.apache.geode.logging.internal.NullLoggingSession;
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/LocatorLauncher.java b/geode-core/src/main/java/org/apache/geode/distributed/LocatorLauncher.java
index 21294a22..0cd015e 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/LocatorLauncher.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/LocatorLauncher.java
@@ -67,9 +67,9 @@ import org.apache.geode.distributed.internal.tcpserver.TcpSocketFactory;
import org.apache.geode.internal.DistributionLocator;
import org.apache.geode.internal.GemFireVersion;
import org.apache.geode.internal.InternalDataSerializer;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.inet.LocalHostUtil;
import org.apache.geode.internal.lang.ObjectUtils;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.process.ConnectionFailedException;
diff --git a/geode-core/src/main/java/org/apache/geode/internal/admin/remote/DistributionLocatorId.java b/geode-core/src/main/java/org/apache/geode/internal/admin/remote/DistributionLocatorId.java
index 2ede0a1..3af2017 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/admin/remote/DistributionLocatorId.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/admin/remote/DistributionLocatorId.java
@@ -27,8 +27,8 @@ import org.apache.geode.InternalGemFireException;
import org.apache.geode.distributed.Locator;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.inet.LocalHostUtil;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SocketCreator;
/**
diff --git a/geode-core/src/main/java/org/apache/geode/internal/admin/remote/RemoteTransportConfig.java b/geode-core/src/main/java/org/apache/geode/internal/admin/remote/RemoteTransportConfig.java
index 42aa306..ab43000 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/admin/remote/RemoteTransportConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/admin/remote/RemoteTransportConfig.java
@@ -36,8 +36,8 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.membership.api.MembershipInformation;
import org.apache.geode.internal.Assert;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.admin.TransportConfig;
+import org.apache.geode.internal.net.SSLConfig;
/**
* Tranport config for RemoteGfManagerAgent.
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SCClusterSocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SCClusterSocketCreator.java
index 866aa44..1ff585e 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SCClusterSocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SCClusterSocketCreator.java
@@ -26,7 +26,6 @@ import javax.net.ssl.SSLServerSocket;
import org.apache.geode.GemFireConfigException;
import org.apache.geode.distributed.internal.tcpserver.ClusterSocketCreatorImpl;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.net.SSLParameterExtension;
class SCClusterSocketCreator extends ClusterSocketCreatorImpl {
diff --git a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfig.java
similarity index 99%
rename from geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
rename to geode-core/src/main/java/org/apache/geode/internal/net/SSLConfig.java
index 6ed5521..80718c5 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/admin/SSLConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfig.java
@@ -12,7 +12,7 @@
* or implied. See the License for the specific language governing permissions and limitations under
* the License.
*/
-package org.apache.geode.internal.admin;
+package org.apache.geode.internal.net;
import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_CIPHERS;
import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_ENABLED;
@@ -28,7 +28,6 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.geode.annotations.Immutable;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
-import org.apache.geode.internal.net.SSLUtil;
import org.apache.geode.internal.security.CallbackInstantiator;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.net.SSLParameterExtension;
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
index 259d578..8a20dfc 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SSLConfigurationFactory.java
@@ -23,7 +23,6 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.geode.annotations.internal.MakeNotStatic;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.DistributionConfigImpl;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
public class SSLConfigurationFactory {
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SSLUtil.java b/geode-core/src/main/java/org/apache/geode/internal/net/SSLUtil.java
index 0d6598d..5093d86 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SSLUtil.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SSLUtil.java
@@ -30,42 +30,56 @@ import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.StringUtils;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.annotations.VisibleForTesting;
-/**
- *
- * @since GemFire 8.1
- */
public class SSLUtil {
- public static SSLContext getSSLContextInstance(SSLConfig sslConfig) {
+ /**
+ * This is a list of the algorithms that are tried, in order, when "any" is specified. Update
+ * this list as new algorithms become available and are supported by Geode. Remove old,
+ * no-longer trusted algorithms.
+ */
+ protected static final String[] DEFAULT_ALGORITMS = {
+ "TLSv1.3",
+ "TLSv1.2"}; // TLSv1.3 is not available in JDK 8 at this time
+
+
+
+ public static SSLContext getSSLContextInstance(SSLConfig sslConfig)
+ throws NoSuchAlgorithmException {
String[] protocols = sslConfig.getProtocolsAsStringArray();
- SSLContext sslContext = null;
- if (protocols != null && protocols.length > 0) {
- for (String protocol : protocols) {
- if (!protocol.equals("any")) {
- try {
- sslContext = SSLContext.getInstance(protocol);
- break;
- } catch (NoSuchAlgorithmException e) {
- // continue
- }
+ return findSSLContextForProtocols(protocols, DEFAULT_ALGORITMS);
+ }
+
+ /**
+ * Search for a context supporting one of the given prioritized list of
+ * protocols. The second argument is a list of protocols to try if the
+ * first list contains "any". The second argument should also be in prioritized
+ * order. If there are no matches for any of the protocols in the second
+ * argument we will continue in the first argument list.
+ * with a first argument of A, B, any, C
+ * and a second argument of D, E
+ * the search order would be A, B, D, E, C
+ */
+ @VisibleForTesting
+ protected static SSLContext findSSLContextForProtocols(final String[] protocols,
+ final String[] protocolsForAny)
+ throws NoSuchAlgorithmException {
+ for (String protocol : protocols) {
+ if (protocol.equalsIgnoreCase("any")) {
+ try {
+ return findSSLContextForProtocols(protocolsForAny, new String[0]);
+ } catch (NoSuchAlgorithmException e) {
+ // none of the default algorithms is available - continue to see if there
+ // are any others in the requested list
}
}
- }
- if (sslContext != null) {
- return sslContext;
- }
- // lookup known algorithms
- String[] knownAlgorithms = {"SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2"};
- for (String algo : knownAlgorithms) {
try {
- sslContext = SSLContext.getInstance(algo);
- break;
+ return SSLContext.getInstance(protocol);
} catch (NoSuchAlgorithmException e) {
// continue
}
}
- return sslContext;
+ throw new NoSuchAlgorithmException();
}
/** Read an array of values from a string, whitespace or comma separated. */
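Review bot: `findSSLContextForProtocols` iterates `protocols` in a for-each without a null check, so a null result from `getProtocolsAsStringArray()` now throws NullPointerException where the removed code guarded `protocols != null` and fell through to a default list; `configureSSLEngine` in this same commit still checks that array for null, which suggests null is a reachable value. A guard at the top of `getSSLContextInstance`, `if (protocols == null || protocols.length == 0) { protocols = new String[] {"any"}; }`, preserves the old fallback for an unset or empty property instead of an NPE or a bare exception. The final `throw new NoSuchAlgorithmException();` carries no message, so the operator cannot see which names were tried; `throw new NoSuchAlgorithmException("no SSLContext available for any of " + java.util.Arrays.toString(protocols));` would. Two smaller points: the name passed to `SSLContext.getInstance` selects a provider context, not what gets negotiated — an engine created from a "TLSv1.2" context may still enable older TLS versions by default unless its enabled protocols are set explicitly, so the security benefit of dropping SSLv3/TLSv1 from this list depends on the engine-side configuration — and `DEFAULT_ALGORITMS` is misspelled (`DEFAULT_ALGORITHMS`).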
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
index 7981d3c..77e289c 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -78,7 +78,6 @@ import org.apache.geode.distributed.internal.tcpserver.AdvancedSocketCreatorImpl
import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
import org.apache.geode.distributed.internal.tcpserver.TcpSocketCreatorImpl;
import org.apache.geode.internal.ClassPathLoader;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.wan.TransportFilterServerSocket;
import org.apache.geode.internal.cache.wan.TransportFilterSocketFactory;
import org.apache.geode.internal.inet.LocalHostUtil;
@@ -196,6 +195,12 @@ public class SocketCreator extends TcpSocketCreatorImpl {
initialize();
}
+ @VisibleForTesting
+ SocketCreator(final SSLConfig sslConfig, SSLContext sslContext) {
+ this.sslConfig = sslConfig;
+ this.sslContext = sslContext;
+ }
+
/** returns the hostname or address for this client */
public static String getClientHostName() throws UnknownHostException {
InetAddress hostAddr = LocalHostUtil.getLocalHost();
@@ -544,16 +549,48 @@ public class SocketCreator extends TcpSocketCreatorImpl {
/**
* Returns an SSLEngine that can be used to perform TLS handshakes and communication
*/
- public SSLEngine createSSLEngine(String hostName, int port) {
+ public SSLEngine createSSLEngine(String hostName, int port, boolean clientSocket) {
SSLEngine engine = getSslContext().createSSLEngine(hostName, port);
+ configureSSLEngine(engine, hostName, port, clientSocket);
+ return engine;
+ }
+
+ @VisibleForTesting
+ void configureSSLEngine(SSLEngine engine, String hostName, int port, boolean clientSocket) {
+ SSLParameters parameters = engine.getSSLParameters();
+ boolean updateEngineWithParameters = false;
if (sslConfig.doEndpointIdentification()) {
// set server-names so that endpoint identification algorithms can find what's expected
- SSLParameters parameters = engine.getSSLParameters();
if (setServerNames(parameters, new HostAndPort(hostName, port))) {
- engine.setSSLParameters(parameters);
+ updateEngineWithParameters = true;
}
}
- return engine;
+
+ engine.setUseClientMode(clientSocket);
+ if (!clientSocket) {
+ engine.setNeedClientAuth(sslConfig.isRequireAuth());
+ }
+
+ if (clientSocket) {
+ if (checkAndEnableHostnameValidation(parameters)) {
+ updateEngineWithParameters = true;
+ }
+ }
+
+ String[] protocols = this.sslConfig.getProtocolsAsStringArray();
+
+ if (protocols != null && !"any".equalsIgnoreCase(protocols[0])) {
+ engine.setEnabledProtocols(protocols);
+ }
+
+ String[] ciphers = this.sslConfig.getCiphersAsStringArray();
+ if (ciphers != null && !"any".equalsIgnoreCase(ciphers[0])) {
+ engine.setEnabledCipherSuites(ciphers);
+ }
+
+ if (updateEngineWithParameters) {
+ engine.setSSLParameters(parameters);
+ }
}
/**
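Review bot: The final `engine.setSSLParameters(parameters)` in `configureSSLEngine` undoes the `setEnabledProtocols` and `setEnabledCipherSuites` calls made just before it: `parameters` was captured by `engine.getSSLParameters()` at the top of the method, whose protocol and cipher-suite lists are always non-null and reflect the engine's defaults at that moment, and `SSLEngine.setSSLParameters` re-applies both lists when they are non-null. So whenever `updateEngineWithParameters` is true — that is, with `ssl-endpoint-identification-enabled=true`, the setting this class's own log message recommends — the configured protocols and ciphers are silently reverted to the JDK defaults, which is the very symptom GEODE-8419 describes. Recording the lists on `parameters` and letting the single write-back apply them removes the ordering hazard (below). Separately, `protocols[0]` and `ciphers[0]` throw ArrayIndexOutOfBoundsException on an empty array, and "any" is honoured only in position 0, whereas `SSLUtil.findSSLContextForProtocols` in this commit accepts it anywhere in the list; a later "any" would reach the JDK as a protocol name and be rejected with IllegalArgumentException.
```java
  @VisibleForTesting
  void configureSSLEngine(SSLEngine engine, String hostName, int port, boolean clientSocket) {
    // … unchanged: SSLParameters capture, server-name, client-mode, client-auth and hostname-validation setup …

    String[] protocols = this.sslConfig.getProtocolsAsStringArray();
    if (protocols != null && protocols.length > 0 && !"any".equalsIgnoreCase(protocols[0])) {
      // set on the same SSLParameters that is written back below, so the final
      // setSSLParameters() applies the configured list instead of reverting it
      parameters.setProtocols(protocols);
      updateEngineWithParameters = true;
    }

    String[] ciphers = this.sslConfig.getCiphersAsStringArray();
    if (ciphers != null && ciphers.length > 0 && !"any".equalsIgnoreCase(ciphers[0])) {
      parameters.setCipherSuites(ciphers);
      updateEngineWithParameters = true;
    }

    if (updateEngineWithParameters) {
      engine.setSSLParameters(parameters);
    }
  }
```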
@@ -575,15 +612,6 @@ public class SocketCreator extends TcpSocketCreatorImpl {
ByteBuffer peerNetBuffer,
BufferPool bufferPool)
throws IOException {
- engine.setUseClientMode(clientSocket);
- if (!clientSocket) {
- engine.setNeedClientAuth(sslConfig.isRequireAuth());
- }
-
- if (clientSocket) {
- SSLParameters modifiedParams = checkAndEnableHostnameValidation(engine.getSSLParameters());
- engine.setSSLParameters(modifiedParams);
- }
while (!socketChannel.finishConnect()) {
try {
Thread.sleep(50);
@@ -627,18 +655,21 @@ public class SocketCreator extends TcpSocketCreatorImpl {
return nioSslEngine;
}
- private SSLParameters checkAndEnableHostnameValidation(SSLParameters sslParameters) {
+ /**
+ * @return true if the parameters have been modified by this method
+ */
+ private boolean checkAndEnableHostnameValidation(SSLParameters sslParameters) {
if (sslConfig.doEndpointIdentification()) {
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
- } else {
- if (!hostnameValidationDisabledLogShown) {
- logger.info("Your SSL configuration disables hostname validation. "
- + "ssl-endpoint-identification-enabled should be set to true when SSL is enabled. "
- + "Please refer to the Apache GEODE SSL Documentation for SSL Property: ssl‑endpoint‑identification‑enabled");
- hostnameValidationDisabledLogShown = true;
- }
+ return true;
+ }
+ if (!hostnameValidationDisabledLogShown) {
+ logger.info("Your SSL configuration disables hostname validation. "
+ + "ssl-endpoint-identification-enabled should be set to true when SSL is enabled. "
+ + "Please refer to the Apache GEODE SSL Documentation for SSL Property: ssl‑endpoint‑identification‑enabled");
+ hostnameValidationDisabledLogShown = true;
}
- return sslParameters;
+ return false;
}
/**
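Review bot: The retained `logger.info(...)` at the bottom of `checkAndEnableHostnameValidation` reports a security downgrade — with endpoint identification off, the client never checks that the peer's certificate matches the host it connected to, only that it chains to a trusted CA — at INFO level, where it is easily lost in routine startup output; `logger.warn(` is the level a condition the message itself says "should" be corrected deserves. The property name at the end of the message, `ssl‑endpoint‑identification‑enabled`, also appears to use non-ASCII hyphens (it renders differently from `ssl-endpoint-identification-enabled` one line earlier), which defeats a grep of the logs for the real property name; both occurrences should use plain ASCII hyphens. A one-line Javadoc `@param sslParameters modified in place; the caller must write it back to the engine or socket when this returns true` would also make the new contract explicit.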
@@ -728,17 +759,24 @@ public class SocketCreator extends TcpSocketCreatorImpl {
sslSocket.setUseClientMode(true);
sslSocket.setEnableSessionCreation(true);
- SSLParameters modifiedParams =
- checkAndEnableHostnameValidation(sslSocket.getSSLParameters());
+ SSLParameters parameters = sslSocket.getSSLParameters();
+ boolean updateSSLParameters =
+ checkAndEnableHostnameValidation(parameters);
- setServerNames(modifiedParams, addr);
+ if (setServerNames(parameters, addr)) {
+ updateSSLParameters = true;
+ } ;
SSLParameterExtension sslParameterExtension = this.sslConfig.getSSLParameterExtension();
if (sslParameterExtension != null) {
- modifiedParams =
- sslParameterExtension.modifySSLClientSocketParameters(modifiedParams);
+ parameters =
+ sslParameterExtension.modifySSLClientSocketParameters(parameters);
+ updateSSLParameters = true;
+ }
+
+ if (updateSSLParameters) {
+ sslSocket.setSSLParameters(parameters);
}
- sslSocket.setSSLParameters(modifiedParams);
String[] protocols = this.sslConfig.getProtocolsAsStringArray();
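Review bot: The closing brace of the `setServerNames` block is followed by a stray empty statement, `} ;`, which reads as a typo and will be flagged by the project's formatter; drop the semicolon so the block ends with `}` alone. The write-back is now conditional on `updateSSLParameters`, which is correct here because the extension branch sets the flag unconditionally whenever it replaces `parameters`. The enclosing client-socket method starts and ends outside this hunk, so the explicit protocol and cipher application that follows `String[] protocols = ...` is not visible; it should stay after the `setSSLParameters` call above, since that call re-applies the protocol and cipher lists carried in `parameters`.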
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreatorFactory.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreatorFactory.java
index 088bf94..b3f3d36 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreatorFactory.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreatorFactory.java
@@ -23,7 +23,6 @@ import org.apache.commons.lang3.ArrayUtils;
import org.apache.geode.GemFireConfigException;
import org.apache.geode.annotations.internal.MakeNotStatic;
import org.apache.geode.distributed.internal.DistributionConfig;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
public class SocketCreatorFactory {
diff --git a/geode-core/src/main/java/org/apache/geode/internal/tcp/Connection.java b/geode-core/src/main/java/org/apache/geode/internal/tcp/Connection.java
index 48bd1b5..b93cbce 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/tcp/Connection.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/tcp/Connection.java
@@ -1709,7 +1709,7 @@ public class Connection implements Runnable {
InetSocketAddress address = (InetSocketAddress) channel.getRemoteAddress();
SSLEngine engine =
getConduit().getSocketCreator().createSSLEngine(address.getHostString(),
- address.getPort());
+ address.getPort(), clientSocket);
int packetBufferSize = engine.getSession().getPacketBufferSize();
if (inputBuffer == null || inputBuffer.capacity() < packetBufferSize) {
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/ContextAwareSSLRMIClientSocketFactory.java b/geode-core/src/main/java/org/apache/geode/management/internal/ContextAwareSSLRMIClientSocketFactory.java
index 55eeb6a..135f721 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/ContextAwareSSLRMIClientSocketFactory.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/ContextAwareSSLRMIClientSocketFactory.java
@@ -28,7 +28,7 @@ import javax.rmi.ssl.SslRMIClientSocketFactory;
import org.apache.geode.annotations.Immutable;
import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.net.SocketCreatorFactory;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerAdvisee.java b/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerAdvisee.java
index 9eb8ea3..d2b982a 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerAdvisee.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerAdvisee.java
@@ -23,9 +23,9 @@ import org.apache.geode.distributed.internal.DistributionAdvisor.Profile;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.DistributionManager;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.InternalCacheForClientAccess;
import org.apache.geode.internal.inet.LocalHostUtil;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.management.ManagementService;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerLocatorRequest.java b/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerLocatorRequest.java
index 5075af7..5d4d773 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerLocatorRequest.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/JmxManagerLocatorRequest.java
@@ -24,7 +24,7 @@ import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
import org.apache.geode.distributed.internal.tcpserver.TcpClient;
import org.apache.geode.distributed.internal.tcpserver.TcpSocketFactory;
import org.apache.geode.internal.InternalDataSerializer;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java b/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
index fc7ad22..6d721ab 100755
--- a/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
@@ -55,9 +55,9 @@ import org.apache.geode.GemFireConfigException;
import org.apache.geode.cache.internal.HttpService;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.internal.GemFireVersion;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.InternalCache;
import org.apache.geode.internal.inet.LocalHostUtil;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.net.SocketCreatorFactory;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/api/GeodeConnectionConfig.java b/geode-core/src/main/java/org/apache/geode/management/internal/api/GeodeConnectionConfig.java
index 53c7318..5bc770c 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/api/GeodeConnectionConfig.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/api/GeodeConnectionConfig.java
@@ -38,8 +38,8 @@ import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
import org.apache.geode.distributed.internal.tcpserver.TcpClient;
import org.apache.geode.distributed.internal.tcpserver.TcpSocketFactory;
import org.apache.geode.internal.InternalDataSerializer;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.GemFireCacheImpl;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SSLUtil;
import org.apache.geode.internal.net.SocketCreatorFactory;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/handlers/ClusterManagementServiceInfoRequestHandler.java b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/handlers/ClusterManagementServiceInfoRequestHandler.java
index 42590b3..cf77567 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/configuration/handlers/ClusterManagementServiceInfoRequestHandler.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/configuration/handlers/ClusterManagementServiceInfoRequestHandler.java
@@ -23,7 +23,7 @@ import org.apache.geode.distributed.internal.DistributionConfigImpl;
import org.apache.geode.distributed.internal.InternalLocator;
import org.apache.geode.distributed.internal.tcpserver.TcpHandler;
import org.apache.geode.distributed.internal.tcpserver.TcpServer;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.management.internal.configuration.messages.ClusterManagementServiceInfo;
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/functions/GetMemberInformationFunction.java b/geode-core/src/main/java/org/apache/geode/management/internal/functions/GetMemberInformationFunction.java
index 62ee93e..31f0a2a 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/functions/GetMemberInformationFunction.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/functions/GetMemberInformationFunction.java
@@ -35,12 +35,12 @@ import org.apache.geode.distributed.ServerLauncher;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
import org.apache.geode.distributed.internal.InternalLocator;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.CacheClientStatus;
import org.apache.geode.internal.cache.InternalCache;
import org.apache.geode.internal.cache.execute.InternalFunction;
import org.apache.geode.internal.cache.tier.InternalClientMembership;
import org.apache.geode.internal.cache.tier.sockets.ClientProxyMembershipID;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.management.internal.util.ManagementUtils;
diff --git a/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java b/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
index 4c96548..848b962 100644
--- a/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/internal/net/SSLConfigurationFactoryJUnitTest.java
@@ -48,7 +48,6 @@ import org.junit.experimental.categories.Category;
import org.apache.geode.GemFireConfigException;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.DistributionConfigImpl;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.test.junit.categories.MembershipTest;
diff --git a/geode-core/src/test/java/org/apache/geode/internal/net/SSLUtilTest.java b/geode-core/src/test/java/org/apache/geode/internal/net/SSLUtilTest.java
new file mode 100644
index 0000000..524c4fb
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/internal/net/SSLUtilTest.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.internal.net;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.SSLContext;
+
+import org.junit.Test;
+
+public class SSLUtilTest {
+
+ @Test(expected = NoSuchAlgorithmException.class)
+ public void failWhenNothingIsRequested() throws Exception {
+ SSLConfig sslConfig = mock(SSLConfig.class);
+ when(sslConfig.getProtocolsAsStringArray())
+ .thenReturn(new String[0]);
+ SSLUtil.getSSLContextInstance(sslConfig);
+ }
+
+ @Test(expected = NoSuchAlgorithmException.class)
+ public void failWithAnUnknownProtocol() throws Exception {
+ SSLConfig sslConfig = mock(SSLConfig.class);
+ when(sslConfig.getProtocolsAsStringArray())
+ .thenReturn(new String[] {"boulevard of broken dreams"});
+ SSLUtil.getSSLContextInstance(sslConfig);
+ }
+
+ @Test
+ public void getASpecificProtocol() throws Exception {
+ SSLConfig sslConfig = mock(SSLConfig.class);
+ when(sslConfig.getProtocolsAsStringArray()).thenReturn(new String[] {"TLSv1.2"});
+ final SSLContext sslContextInstance = SSLUtil.getSSLContextInstance(sslConfig);
+ assertThat(sslContextInstance.getProtocol().equalsIgnoreCase("TLSv1.2")).isTrue();
+ }
+
+ @Test
+ public void getAnyProtocolWithAnUnknownInTheList() throws Exception {
+ SSLConfig sslConfig = mock(SSLConfig.class);
+ when(sslConfig.getProtocolsAsStringArray())
+ .thenReturn(new String[] {"the dream of the blue turtles", "any", "SSL"});
+ final SSLContext sslContextInstance = SSLUtil.getSSLContextInstance(sslConfig);
+ // make sure that we don't continue past "any" and use the following protocol (SSL)
+ assertThat(sslContextInstance.getProtocol().equalsIgnoreCase("SSL")).isFalse();
+ String selectedProtocol = sslContextInstance.getProtocol();
+ String matchedProtocol = null;
+ for (String algorithm : SSLUtil.DEFAULT_ALGORITMS) {
+ if (algorithm.equalsIgnoreCase(selectedProtocol)) {
+ matchedProtocol = algorithm;
+ }
+ }
+ assertThat(matchedProtocol).isNotNull().withFailMessage("selected protocol ("
+ + selectedProtocol +
+ ") is not in the list of default algorithms, "
+ + "indicating that the \"any\" setting did not work correctly");
+ }
+
+ @Test
+ public void getARealProtocolAfterProcessingAny() throws Exception {
+ final String[] algorithms = {"dream weaver", "any", "TLSv1.1"};
+ final String[] algorithmsForAny = new String[] {"sweet dreams (are made of this)"};
+ final SSLContext sslContextInstance = SSLUtil.findSSLContextForProtocols(algorithms,
+ algorithmsForAny);
+ assertThat(sslContextInstance.getProtocol().equalsIgnoreCase("TLSv1.1")).isTrue();
+ }
+
+}
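Review bot: The custom failure message in `getAnyProtocolWithAnUnknownInTheList` is dead code, because AssertJ's `withFailMessage` only affects assertions chained after it, and here it is called after `isNotNull()` has already been evaluated; the intended wording will never be shown. Reorder the chain so the message precedes the check: `assertThat(matchedProtocol).withFailMessage("selected protocol (" + selectedProtocol + ") is not in the list of default algorithms, indicating that the \"any\" setting did not work correctly").isNotNull();`. The same test only asserts the chosen protocol is not the plain "SSL" entry after "any", which is the right security property to pin, but `getASpecificProtocol` and `getARealProtocolAfterProcessingAny` would read better with `assertThat(sslContextInstance.getProtocol()).isEqualToIgnoringCase("TLSv1.2")` than with a boolean `isTrue()` on `equalsIgnoreCase`, since the former prints the actual protocol on failure. Note that `TLSv1.1` is a deprecated protocol and, on JDKs where it is listed in `jdk.tls.disabledAlgorithms`, this test may behave differently; a comment such as `// TLSv1.1 is only used here to prove "any" does not short-circuit the list — not a recommendation` would make that intent explicit.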
diff --git a/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java b/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
index 9b8b99a..b15c618 100644
--- a/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/internal/net/SocketCreatorJUnitTest.java
@@ -15,22 +15,28 @@
package org.apache.geode.internal.net;
import static org.apache.geode.test.util.ResourceUtils.createTempFileFromResource;
+import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.ArgumentMatchers.isA;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
import java.net.BindException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import org.junit.Test;
import org.junit.experimental.categories.Category;
+import org.mockito.ArgumentCaptor;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.test.junit.categories.MembershipTest;
@Category({MembershipTest.class})
@@ -98,6 +104,53 @@ public class SocketCreatorJUnitTest {
}
}
+ @Test
+ public void configureSSLEngine() {
+ SSLConfig config = new SSLConfig.Builder().setCiphers("someCipher").setEnabled(true)
+ .setProtocols("someProtocol").setRequireAuth(true).setKeystore("someKeystore.jks")
+ .setAlias("someAlias").setTruststore("someTruststore.jks")
+ .setEndpointIdentificationEnabled(true).build();
+ SSLContext context = mock(SSLContext.class);
+ SSLParameters parameters = mock(SSLParameters.class);
+
+ SocketCreator socketCreator = new SocketCreator(config, context);
+
+ SSLEngine engine = mock(SSLEngine.class);
+ when(engine.getSSLParameters()).thenReturn(parameters);
+
+ socketCreator.configureSSLEngine(engine, "somehost", 12345, true);
+
+ verify(engine).setUseClientMode(isA(Boolean.class));
+ verify(engine).setSSLParameters(parameters);
+ verify(engine, never()).setNeedClientAuth(isA(Boolean.class));
+
+ ArgumentCaptor<String[]> stringArrayCaptor = ArgumentCaptor.forClass(String[].class);
+ verify(engine).setEnabledProtocols(stringArrayCaptor.capture());
+ assertThat(stringArrayCaptor.getValue()).containsExactly("someProtocol");
+ verify(engine).setEnabledCipherSuites(stringArrayCaptor.capture());
+ assertThat(stringArrayCaptor.getValue()).containsExactly("someCipher");
+ }
+
+ @Test
+ public void configureSSLEngineUsingAny() {
+ SSLConfig config = new SSLConfig.Builder().setCiphers("any").setEnabled(true)
+ .setProtocols("any").setRequireAuth(true).setKeystore("someKeystore.jks")
+ .setAlias("someAlias").setTruststore("someTruststore.jks")
+ .setEndpointIdentificationEnabled(true).build();
+ SSLContext context = mock(SSLContext.class);
+ SSLParameters parameters = mock(SSLParameters.class);
+
+ SocketCreator socketCreator = new SocketCreator(config, context);
+
+ SSLEngine engine = mock(SSLEngine.class);
+ when(engine.getSSLParameters()).thenReturn(parameters);
+
+ socketCreator.configureSSLEngine(engine, "somehost", 12345, true);
+
+ verify(engine, never()).setEnabledCipherSuites(isA(String[].class));
+ verify(engine, never()).setEnabledProtocols(isA(String[].class));
+ }
+
private String getSingleKeyKeystore() {
return createTempFileFromResource(getClass(), "/ssl/trusted.keystore").getAbsolutePath();
}
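Review bot: `configureSSLEngine` builds its config with `setEndpointIdentificationEnabled(true)` and passes `"somehost"` and `12345`, but never verifies that anything hostname-related was applied to the mocked `SSLParameters`, so a regression that silently drops endpoint identification (the check that actually prevents a valid-but-wrong certificate from being accepted) would still pass. Since `parameters` is a mock, add something like `verify(parameters).setEndpointIdentificationAlgorithm(isA(String.class));` (presumably `"HTTPS"`, to be confirmed against `SocketCreator.configureSSLEngine`, whose body is outside this hunk) and, if server names are set, a matching `verify(parameters).setServerNames(...)`. Both tests also exercise only `clientSocket == true`, which is why `verify(engine, never()).setNeedClientAuth(...)` holds; the server-side path with `setRequireAuth(true)` is where mutual-TLS enforcement would presumably call `setNeedClientAuth(true)`, and it deserves its own case so that "require auth" cannot quietly become a no-op. Reusing a single `ArgumentCaptor` for both `setEnabledProtocols` and `setEnabledCipherSuites` works because `getValue()` returns the most recent capture, but two named captors (`protocolsCaptor`, `ciphersCaptor`) would make the assertions robust to reordering.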
diff --git a/geode-core/src/test/java/org/apache/geode/internal/tcp/TCPConduitTest.java b/geode-core/src/test/java/org/apache/geode/internal/tcp/TCPConduitTest.java
index edd081d..0c30ce2 100644
--- a/geode-core/src/test/java/org/apache/geode/internal/tcp/TCPConduitTest.java
+++ b/geode-core/src/test/java/org/apache/geode/internal/tcp/TCPConduitTest.java
@@ -45,8 +45,8 @@ import org.apache.geode.distributed.internal.DistributionManager;
import org.apache.geode.distributed.internal.direct.DirectChannel;
import org.apache.geode.distributed.internal.membership.InternalDistributedMember;
import org.apache.geode.distributed.internal.membership.api.Membership;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.inet.LocalHostUtil;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SocketCreator;
public class TCPConduitTest {
diff --git a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
index 48b601c..4816fbf 100644
--- a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
+++ b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java
@@ -35,7 +35,7 @@ import org.springframework.shell.core.annotation.CliCommand;
import org.springframework.shell.core.annotation.CliOption;
import org.apache.geode.annotations.Immutable;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SSLUtil;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
diff --git a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/shell/JmxOperationInvoker.java b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/shell/JmxOperationInvoker.java
index 67aed7a..2433387 100644
--- a/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/shell/JmxOperationInvoker.java
+++ b/geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/shell/JmxOperationInvoker.java
@@ -51,7 +51,7 @@ import com.healthmarketscience.rmiio.RemoteOutputStreamClient;
import org.apache.commons.io.IOUtils;
import org.apache.logging.log4j.Logger;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.logging.internal.log4j.api.LogService;
diff --git a/geode-http-service/src/main/java/org/apache/geode/internal/cache/InternalHttpService.java b/geode-http-service/src/main/java/org/apache/geode/internal/cache/InternalHttpService.java
index d37d645..7cb27a2 100644
--- a/geode-http-service/src/main/java/org/apache/geode/internal/cache/InternalHttpService.java
+++ b/geode-http-service/src/main/java/org/apache/geode/internal/cache/InternalHttpService.java
@@ -41,7 +41,7 @@ import org.apache.geode.cache.Cache;
import org.apache.geode.cache.internal.HttpService;
import org.apache.geode.distributed.internal.DistributionConfig;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.net.SSLUtil;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
diff --git a/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheConnectionIntegrationTest.java b/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheConnectionIntegrationTest.java
index 5917829..75ece12 100644
--- a/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheConnectionIntegrationTest.java
+++ b/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheConnectionIntegrationTest.java
@@ -62,9 +62,9 @@ import org.apache.geode.distributed.ConfigurationProperties;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
import org.apache.geode.internal.AvailablePortHelper;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.InternalCacheServer;
import org.apache.geode.internal.cache.tier.Acceptor;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.net.SocketCreatorFactory;
import org.apache.geode.internal.protocol.protobuf.statistics.ProtobufClientStatistics;
diff --git a/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheOperationsJUnitTest.java b/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheOperationsJUnitTest.java
index f4d2e70..0a12f05 100644
--- a/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheOperationsJUnitTest.java
+++ b/geode-protobuf/src/integrationTest/java/org/apache/geode/internal/protocol/protobuf/v1/acceptance/CacheOperationsJUnitTest.java
@@ -55,7 +55,7 @@ import org.apache.geode.cache.server.CacheServer;
import org.apache.geode.distributed.ConfigurationProperties;
import org.apache.geode.distributed.internal.tcpserver.HostAndPort;
import org.apache.geode.internal.AvailablePortHelper;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SocketCreator;
import org.apache.geode.internal.net.SocketCreatorFactory;
import org.apache.geode.internal.protocol.protobuf.v1.BasicTypes;
diff --git a/geode-pulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/rules/ServerRule.java b/geode-pulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/rules/ServerRule.java
index 0e70235..db3b181 100644
--- a/geode-pulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/rules/ServerRule.java
+++ b/geode-pulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/rules/ServerRule.java
@@ -26,8 +26,8 @@ import java.util.Properties;
import org.junit.rules.ExternalResource;
import org.apache.geode.internal.AvailablePort;
-import org.apache.geode.internal.admin.SSLConfig;
import org.apache.geode.internal.cache.InternalHttpService;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.tools.pulse.internal.data.PulseConstants;
import org.apache.geode.tools.pulse.tests.Server;
diff --git a/geode-redis/src/integrationTest/java/org/apache/geode/redis/SSLTest.java b/geode-redis/src/integrationTest/java/org/apache/geode/redis/SSLTest.java
index 13fa4f0..4df2e6b 100644
--- a/geode-redis/src/integrationTest/java/org/apache/geode/redis/SSLTest.java
+++ b/geode-redis/src/integrationTest/java/org/apache/geode/redis/SSLTest.java
@@ -26,7 +26,7 @@ import org.junit.experimental.categories.Category;
import redis.clients.jedis.Jedis;
import org.apache.geode.distributed.internal.InternalDistributedSystem;
-import org.apache.geode.internal.admin.SSLConfig;
+import org.apache.geode.internal.net.SSLConfig;
import org.apache.geode.internal.net.SSLConfigurationFactory;
import org.apache.geode.internal.security.SecurableCommunicationChannel;
import org.apache.geode.test.junit.categories.RedisTest;