Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/04/23 06:36:15 UTC

[GitHub] [pulsar] lhotari opened a new pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm to support JDK 11 & TLS 1.3

lhotari opened a new pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336


   Fixes #9720 
   
   ### Motivation
   
   The current client.keystore.jks key is invalid for TLS 1.3:
   ![image](https://user-images.githubusercontent.com/66864/115827568-22337c00-a415-11eb-822f-15a0da01a48f.png)
   
   TLS 1.3 forbids the usage of DSA keys and the SHA1 signature algorithm. The key must be an RSA key and the signature algorithm at least SHA256. TLS 1.3 is bundled in [JDK 8 since 8u261](https://github.com/AdoptOpenJDK/openjdk-build/issues/1254#issuecomment-678900470).
   
   It is unclear why DSA/SHA1 isn't accepted in JDK11 since #8581 fixed a similar problem for JDK8 when TLS1.3 became available.
   This change fixes the test. There's a separate issue for changing the default TLS protocols, #10335.
   
   ### Modifications
   
   * add script for creating keystores for tests
   * update documentation to include `-keyalg RSA` when creating keys
   * update keystores used in tests


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] lhotari commented on pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336#issuecomment-826352086


   @merlimat Please review





[GitHub] [pulsar] lhotari commented on pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336#issuecomment-826950469


   @merlimat @aahmed-se Please review





[GitHub] [pulsar] lhotari commented on pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336#issuecomment-825455262


   Updated keystore 
   ![image](https://user-images.githubusercontent.com/66864/115835322-cec62b80-a41e-11eb-8af0-0e018b052073.png)
   
   





[GitHub] [pulsar] lhotari commented on pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336#issuecomment-825775219


   There are also some invalid certificate files created as .pem files. Here's a list of the invalid ones which use SHA1:
   ```
   ❯ find -name "*.pem" |grep src |xargs -i{} bash -c "{ openssl x509 -text -in {} 2>/dev/null | grep -q 'Signature Algorithm: sha1'; } && echo {}"
   ./bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
   ./bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
   ./bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
   ./pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
   ```
   
   



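Added example (not part of the pull request or of the Pulsar repository): a POSIX shell version of the scan in the comment above, generalized to report DSA keys as well and to match SHA-1 anywhere in the signature name, such as `dsaWithSHA1`. The function names and the sample excerpts are constructed for illustration; file names are passed to `openssl` as arguments rather than substituted into a `bash -c` string.

```shell
#!/bin/sh
# Added example: flag certificates with a SHA-1 signature or a DSA key.

# classify_cert_text: reads `openssl x509 -noout -text` output on stdin and
# prints "OK" or a comma-separated list of findings.
classify_cert_text() {
  awk '
    # The first occurrence is the one inside the signed certificate body.
    /Signature Algorithm:/  && sig == "" { sig = tolower($NF) }
    /Public Key Algorithm:/ && key == "" { key = tolower($NF) }
    END {
      n = 0
      if (sig == "")         out[++n] = "no-signature-algorithm"
      else if (sig ~ /sha1/) out[++n] = "sha1-signature"
      if (key ~ /^dsa/)      out[++n] = "dsa-key"
      if (n == 0) { print "OK"; exit }
      s = out[1]; for (i = 2; i <= n; i++) s = s "," out[i]
      print s
    }'
}

# audit_pem_tree DIR: print "<path>: <findings>" for every flagged *.pem
# certificate under DIR, e.g. audit_pem_tree ./pulsar-proxy/src/test/resources
# Assumes file names contain no newlines.
audit_pem_tree() {
  find "$1" -type f -name '*.pem' | while IFS= read -r f; do
    # Private keys and other non-certificate PEM files fail to parse: skip them.
    text=$(openssl x509 -noout -text -in "$f" 2>/dev/null) || continue
    verdict=$(printf '%s\n' "$text" | classify_cert_text)
    [ "$verdict" = "OK" ] || printf '%s: %s\n' "$f" "$verdict"
  done
}

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_DSA_SHA1='    Signature Algorithm: dsaWithSHA1
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption'
SAMPLE_RSA_SHA1='    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'
SAMPLE_RSA_SHA256='    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Demo on the constructed samples.
for s in "$SAMPLE_DSA_SHA1" "$SAMPLE_RSA_SHA1" "$SAMPLE_RSA_SHA256"; do
  printf '%s\n' "$s" | classify_cert_text
done
```

Run `audit_pem_tree` from the repository root after regenerating test certificates; an empty result means no certificate under the directory was flagged.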


[GitHub] [pulsar] merlimat merged pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
merlimat merged pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336


   






[GitHub] [pulsar] lhotari removed a comment on pull request #10336: [Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3

Posted by GitBox <gi...@apache.org>.
lhotari removed a comment on pull request #10336:
URL: https://github.com/apache/pulsar/pull/10336#issuecomment-826352086


   @merlimat Please review

