Posted to commits@openwhisk.apache.org by cb...@apache.org on 2018/07/18 06:49:45 UTC
[incubator-openwhisk] branch master updated: Limit TLS protocols
used for kafka and controller. (#3881)
This is an automated email from the ASF dual-hosted git repository.
cbickel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new 9afaf7b Limit TLS protocols used for kafka and controller. (#3881)
9afaf7b is described below
commit 9afaf7be1a9c5cf69ad567e416d46cce351ee01a
Author: Vadim Raskin <ra...@gmail.com>
AuthorDate: Wed Jul 18 08:49:41 2018 +0200
Limit TLS protocols used for kafka and controller. (#3881)
* Limit TLS protocols used for kafka and controller
* Move protocols property into group_vars
---
ansible/group_vars/all | 2 ++
ansible/roles/kafka/tasks/deploy.yml | 1 +
core/controller/src/main/resources/application.conf | 18 ++++++++++--------
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 729a683..19a7c9f 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -131,6 +131,8 @@ kafka:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ protocols:
+ - TLSv1.2
protocol: "{{ kafka_protocol_for_setup }}"
version: 0.11.0.1
port: 9072
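Review bot: The new `protocols` key at L30–31 carries no comment, and the same TLSv1.2-only list is written a second time, independently, in core/controller/src/main/resources/application.conf (`ssl-config.enabledProtocols`, third hunk) with nothing tying the two together, so the Kafka and controller settings can drift apart without anyone noticing. Indentation was lost in this rendering, but since ansible/roles/kafka/tasks/deploy.yml reads `kafka.ssl.protocols`, the key presumably sits under `kafka.ssl` next to `cipher_suites`. I would add a comment above it: `# TLS versions Kafka will negotiate (Kafka's ssl.enabled.protocols); keep in step with ssl-config.enabledProtocols in the controller's application.conf`. The enclosing `kafka:` mapping begins outside the hunk.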
diff --git a/ansible/roles/kafka/tasks/deploy.yml b/ansible/roles/kafka/tasks/deploy.yml
index 8f195fe..436fcc9 100644
--- a/ansible/roles/kafka/tasks/deploy.yml
+++ b/ansible/roles/kafka/tasks/deploy.yml
@@ -51,6 +51,7 @@
"KAFKA_SSL_TRUSTSTORE_PASSWORD": "{{ kafka.ssl.keystore.password }}"
"KAFKA_SSL_CLIENT_AUTH": "{{ kafka.ssl.client_authentication }}"
"KAFKA_SSL_CIPHER_SUITES": "{{ kafka.ssl.cipher_suites | join(',') }}"
+ "KAFKA_SSL_ENABLED_PROTOCOLS": "{{ kafka.ssl.protocols | join(',') }}"
# The sed script passed in CUSTOM_INIT_SCRIPT fixes a bug in the wurstmeister dcoker image
# by patching the server.configuration file right before kafka is started.
# The script adds the missing advertized hostname to the advertised.listener property
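Review bot: The added `KAFKA_SSL_ENABLED_PROTOCOLS` entry does not say which Kafka property it drives or where its value comes from, unlike the `CUSTOM_INIT_SCRIPT` block directly below, which explains itself. Given that the wurstmeister image's start script turns `KAFKA_*` variables into server.properties keys, this presumably becomes Kafka's `ssl.enabled.protocols`; a one-line comment such as `# -> ssl.enabled.protocols; list comes from kafka.ssl.protocols in group_vars/all` would spare the next reader the lookup. Note also that an empty `kafka.ssl.protocols` list renders here as an empty string rather than failing the play; whether Kafka then rejects all TLS handshakes or silently falls back to its defaults I cannot tell from this hunk, so it is worth confirming. The task's `env` mapping starts outside the hunk.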
diff --git a/core/controller/src/main/resources/application.conf b/core/controller/src/main/resources/application.conf
index 77ce527..f0a7877 100644
--- a/core/controller/src/main/resources/application.conf
+++ b/core/controller/src/main/resources/application.conf
@@ -73,11 +73,16 @@ akka {
}
}
-ssl-config.enabledCipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-]
+ssl-config {
+ enabledCipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ ]
+ enabledProtocols = [
+ "TLSv1.2"
+ ]
+}
whisk{
# tracing configuration
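Review bot: The new `enabledProtocols` entry at L65–67 has no comment, while the `whisk` block immediately after it does annotate its settings; the reader has to know the ssl-config library to see that this list replaces the library's own default protocol list (which, in the ssl-config versions of that era, also admitted TLSv1.1 and TLSv1) rather than adding to it. I would put `# Only TLS 1.2 is offered; this replaces ssl-config's default protocol list` above the entry. Restricting the protocol does not by itself change which suites are offered, so the two CBC suites kept in `enabledCipherSuites` remain in play — pre-existing, but worth a follow-up now that the block has been restructured.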
@@ -85,6 +90,3 @@ whisk{
component = "Controller"
}
}
-
-
-