Posted to commits@openwhisk.apache.org by cb...@apache.org on 2018/07/18 06:49:45 UTC

[incubator-openwhisk] branch master updated: Limit TLS protocols used for kafka and controller. (#3881)

This is an automated email from the ASF dual-hosted git repository.

cbickel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new 9afaf7b  Limit TLS protocols used for kafka and controller. (#3881)
9afaf7b is described below

commit 9afaf7be1a9c5cf69ad567e416d46cce351ee01a
Author: Vadim Raskin <ra...@gmail.com>
AuthorDate: Wed Jul 18 08:49:41 2018 +0200

    Limit TLS protocols used for kafka and controller. (#3881)
    
    * Limit TLS protocols used for kafka and controller
    
    * Move protocols property into group_vars
---
 ansible/group_vars/all                              |  2 ++
 ansible/roles/kafka/tasks/deploy.yml                |  1 +
 core/controller/src/main/resources/application.conf | 18 ++++++++++--------
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 729a683..19a7c9f 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -131,6 +131,8 @@ kafka:
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    protocols:
+    - TLSv1.2
   protocol: "{{ kafka_protocol_for_setup }}"
   version: 0.11.0.1
   port: 9072
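Review bot: The new `protocols` list under kafka.ssl has no comment explaining its effect, unlike the settings it mirrors in the controller config, and this file is the only place a deployer would look to change it. I would add `# TLS versions the Kafka broker will negotiate (passed as KAFKA_SSL_ENABLED_PROTOCOLS); only TLSv1.2 by default, so Kafka clients must be able to negotiate it` above line L39. The enclosing `kafka:` mapping starts outside this hunk, so the exact parent key (presumably `ssl:`, as deploy.yml reads `kafka.ssl.protocols`) is inferred rather than visible.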
diff --git a/ansible/roles/kafka/tasks/deploy.yml b/ansible/roles/kafka/tasks/deploy.yml
index 8f195fe..436fcc9 100644
--- a/ansible/roles/kafka/tasks/deploy.yml
+++ b/ansible/roles/kafka/tasks/deploy.yml
@@ -51,6 +51,7 @@
       "KAFKA_SSL_TRUSTSTORE_PASSWORD": "{{ kafka.ssl.keystore.password }}"
       "KAFKA_SSL_CLIENT_AUTH": "{{ kafka.ssl.client_authentication }}"
       "KAFKA_SSL_CIPHER_SUITES": "{{ kafka.ssl.cipher_suites | join(',') }}"
+      "KAFKA_SSL_ENABLED_PROTOCOLS": "{{ kafka.ssl.protocols | join(',') }}"
     # The sed script passed in CUSTOM_INIT_SCRIPT fixes a bug in the wurstmeister dcoker image
     # by patching the server.configuration file right before kafka is started.
     # The script adds the missing advertized hostname to the advertised.listener property
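Review bot: `kafka.ssl.protocols | join(',')` on the added line silently yields an empty KAFKA_SSL_ENABLED_PROTOCOLS when the list is overridden to empty, and a deployer that replaces the `kafka` dict without the new key gets an undefined-variable error at deploy time rather than a clear message; neither case is handled here. A short comment next to the new line would at least make the contract explicit, e.g. `# Comma-separated TLS versions the broker accepts; comes from kafka.ssl.protocols in group_vars and should never be empty`. I assume, based on the neighbouring KAFKA_SSL_* keys, that the image maps this variable onto the broker's `ssl.enabled.protocols` property — worth confirming against the image version in use.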
diff --git a/core/controller/src/main/resources/application.conf b/core/controller/src/main/resources/application.conf
index 77ce527..f0a7877 100644
--- a/core/controller/src/main/resources/application.conf
+++ b/core/controller/src/main/resources/application.conf
@@ -73,11 +73,16 @@ akka {
   }
 }
 
-ssl-config.enabledCipherSuites = [
-  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-]
+ssl-config {
+  enabledCipherSuites = [
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  ]
+  enabledProtocols = [
+    "TLSv1.2"
+  ]
+}
 
 whisk{
   # tracing configuration
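Review bot: With enabledProtocols now pinned to TLSv1.2, the enabledCipherSuites list kept in the same block still offers two CBC-mode suites (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and ..._CBC_SHA256) alongside the GCM one; if the intent of the change is to harden the controller's TLS surface, restricting the list to the AEAD suite, `enabledCipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ]`, would be the consistent follow-up, provided every client of the controller can negotiate it. The new block also carries no comment saying why only TLSv1.2 is allowed; I would add `# Controller HTTPS: only TLSv1.2 is offered, so TLSv1.0/1.1 clients fail the handshake` above `enabledProtocols`. Minor style point: `enabledCipherSuites` keeps a trailing comma after its last entry while `enabledProtocols` does not — pick one form for both lists. The second hunk of this file only removes trailing blank lines.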
@@ -85,6 +90,3 @@ whisk{
     component = "Controller"
   }
 }
-
-
-