You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by je...@apache.org on 2018/03/14 14:43:37 UTC
[geode] branch develop updated: GEODE-3891: Cannot enable ciphers
for REST interface (#1613)
This is an automated email from the ASF dual-hosted git repository.
jensdeppe pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/develop by this push:
new 29eff01 GEODE-3891: Cannot enable ciphers for REST interface (#1613)
29eff01 is described below
commit 29eff01210451c72553180aaab02c1dfd3c1239f
Author: Jens Deppe <jd...@pivotal.io>
AuthorDate: Wed Mar 14 07:43:33 2018 -0700
GEODE-3891: Cannot enable ciphers for REST interface (#1613)
---
.../web/controllers/RestAPIsWithSSLDUnitTest.java | 19 ++++++++++++-------
.../apache/geode/management/internal/JettyHelper.java | 6 ++++--
.../org/apache/geode/management/internal/SSLUtil.java | 12 ++----------
3 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/controllers/RestAPIsWithSSLDUnitTest.java b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/controllers/RestAPIsWithSSLDUnitTest.java
index 1fd39ab..99048aa 100644
--- a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/controllers/RestAPIsWithSSLDUnitTest.java
+++ b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/controllers/RestAPIsWithSSLDUnitTest.java
@@ -14,6 +14,7 @@
*/
package org.apache.geode.rest.internal.web.controllers;
+import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_CIPHERS;
import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_ENABLED;
import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_KEYSTORE;
import static org.apache.geode.distributed.ConfigurationProperties.CLUSTER_SSL_KEYSTORE_PASSWORD;
@@ -82,7 +83,6 @@ import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.json.JSONObject;
-import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
@@ -347,6 +347,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_KEYSTORE_TYPE,
CLUSTER_SSL_KEYSTORE_TYPE);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_PROTOCOLS, CLUSTER_SSL_PROTOCOLS);
+ sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_CIPHERS, CLUSTER_SSL_CIPHERS);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_REQUIRE_AUTHENTICATION,
CLUSTER_SSL_REQUIRE_AUTHENTICATION);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_TRUSTSTORE,
@@ -359,6 +360,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_KEYSTORE_PASSWORD, null);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_KEYSTORE_TYPE, null);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_PROTOCOLS, null);
+ sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_CIPHERS, null);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_REQUIRE_AUTHENTICATION, null);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_TRUSTSTORE, null);
sslPropertyConverter(sslProperties, props, HTTP_SERVICE_SSL_TRUSTSTORE_PASSWORD, null);
@@ -369,6 +371,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
sslPropertyConverter(sslProperties, props, SSL_KEYSTORE_PASSWORD, null);
sslPropertyConverter(sslProperties, props, SSL_KEYSTORE_TYPE, null);
sslPropertyConverter(sslProperties, props, SSL_PROTOCOLS, null);
+ sslPropertyConverter(sslProperties, props, SSL_CIPHERS, null);
sslPropertyConverter(sslProperties, props, SSL_REQUIRE_AUTHENTICATION, null);
sslPropertyConverter(sslProperties, props, SSL_TRUSTSTORE, null);
sslPropertyConverter(sslProperties, props, SSL_TRUSTSTORE_PASSWORD, null);
@@ -623,7 +626,6 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
validateConnection(restEndpoint, "TLS", props);
}
- @Ignore("GEODE-3814, GEODE-3891")
@Test
public void testSSLWithTLSv11Protocol() throws Exception {
Properties props = new Properties();
@@ -633,7 +635,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
props.setProperty(SSL_TRUSTSTORE_PASSWORD, "password");
props.setProperty(SSL_KEYSTORE_TYPE, "JKS");
props.setProperty(SSL_PROTOCOLS, "TLSv1.1");
- // props.setProperty(SSL_CIPHERS, "TLS_RSA_WITH_AES_256_CBC_SHA");
+ props.setProperty(SSL_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
props.setProperty(SSL_ENABLED_COMPONENTS, SecurableCommunicationChannel.WEB.getConstant());
String restEndpoint = startInfraWithSSL(props, false);
@@ -672,7 +674,6 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
@Test
public void testSSLWithCipherSuite() throws Exception {
- System.setProperty("javax.net.debug", "ssl");
Properties props = new Properties();
props.setProperty(SSL_KEYSTORE, findTrustedJKSWithSingleEntry().getCanonicalPath());
props.setProperty(SSL_TRUSTSTORE, findTrustedJKSWithSingleEntry().getCanonicalPath());
@@ -687,7 +688,9 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
ssl.init(null, null, new java.security.SecureRandom());
String[] cipherSuites = ssl.getSocketFactory().getSupportedCipherSuites();
- props.setProperty(SSL_CIPHERS, cipherSuites[0]);
+ // This is the safest in terms of support across various JDK releases
+ String rsaCipher = Arrays.stream(cipherSuites).filter(c -> c.contains("RSA")).findFirst().get();
+ props.setProperty(SSL_CIPHERS, rsaCipher);
String restEndpoint = startInfraWithSSL(props, false);
validateConnection(restEndpoint, "TLSv1.2", props);
@@ -784,7 +787,6 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
validateConnection(restEndpoint, "TLS", props);
}
- @Ignore("GEODE-3814, GEODE-3891")
@Test
public void testSSLWithTLSv11ProtocolLegacy() throws Exception {
Properties props = new Properties();
@@ -793,6 +795,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
findTrustedJKSWithSingleEntry().getCanonicalPath());
props.setProperty(HTTP_SERVICE_SSL_KEYSTORE_PASSWORD, "password");
props.setProperty(HTTP_SERVICE_SSL_PROTOCOLS, "TLSv1.1");
+ props.setProperty(HTTP_SERVICE_SSL_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
String restEndpoint = startInfraWithSSL(props, false);
validateConnection(restEndpoint, "TLSv1.1", props);
@@ -839,7 +842,8 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
ssl.init(null, null, new java.security.SecureRandom());
String[] cipherSuites = ssl.getSocketFactory().getSupportedCipherSuites();
- props.setProperty(HTTP_SERVICE_SSL_CIPHERS, cipherSuites[0]);
+ String rsaCipher = Arrays.stream(cipherSuites).filter(c -> c.contains("RSA")).findFirst().get();
+ props.setProperty(HTTP_SERVICE_SSL_CIPHERS, rsaCipher);
String restEndpoint = startInfraWithSSL(props, false);
validateConnection(restEndpoint, "TLSv1.2", props);
@@ -847,6 +851,7 @@ public class RestAPIsWithSSLDUnitTest extends LocatorTestBase {
@Test
public void testSSLWithMultipleCipherSuiteLegacy() throws Exception {
+ System.setProperty("javax.net.debug", "ssl,handshake");
Properties props = new Properties();
props.setProperty(HTTP_SERVICE_SSL_ENABLED, "true");
props.setProperty(HTTP_SERVICE_SSL_KEYSTORE,
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/JettyHelper.java b/geode-core/src/main/java/org/apache/geode/management/internal/JettyHelper.java
index 92950c0..bbf6847 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/JettyHelper.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/JettyHelper.java
@@ -33,7 +33,6 @@ import org.eclipse.jetty.webapp.WebAppContext;
import org.apache.geode.GemFireConfigException;
import org.apache.geode.internal.admin.SSLConfig;
-import org.apache.geode.internal.cache.GemFireCacheImpl;
import org.apache.geode.internal.logging.LogService;
import org.apache.geode.internal.security.SecurityService;
@@ -83,7 +82,7 @@ public class JettyHelper {
if (StringUtils.isNotBlank(sslConfig.getCiphers())
&& !"any".equalsIgnoreCase(sslConfig.getCiphers())) {
- // If use has mentioned "any" let the SSL layer decide on the ciphers
+ sslContextFactory.setExcludeCipherSuites();
sslContextFactory.setIncludeCipherSuites(SSLUtil.readArray(sslConfig.getCiphers()));
}
@@ -118,6 +117,9 @@ public class JettyHelper {
sslContextFactory.setTrustStorePassword(sslConfig.getTruststorePassword());
}
+ if (logger.isDebugEnabled()) {
+ logger.debug(sslContextFactory.dump());
+ }
httpConfig.addCustomizer(new SecureRequestCustomizer());
// Somehow With HTTP_2.0 Jetty throwing NPE. Need to investigate further whether all GemFire
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/SSLUtil.java b/geode-core/src/main/java/org/apache/geode/management/internal/SSLUtil.java
index b35f9c7..ca90241 100644
--- a/geode-core/src/main/java/org/apache/geode/management/internal/SSLUtil.java
+++ b/geode-core/src/main/java/org/apache/geode/management/internal/SSLUtil.java
@@ -15,9 +15,6 @@
package org.apache.geode.management.internal;
import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.StringTokenizer;
import javax.net.ssl.SSLContext;
@@ -62,18 +59,13 @@ public class SSLUtil {
return c;
}
- /** Read an array of values from a string, whitespace separated. */
+ /** Read an array of values from a string, whitespace or comma separated. */
public static String[] readArray(String text) {
if (StringUtils.isBlank(text)) {
return null;
}
- StringTokenizer st = new StringTokenizer(text);
- List<String> v = new ArrayList<String>();
- while (st.hasMoreTokens()) {
- v.add(st.nextToken());
- }
- return v.toArray(new String[v.size()]);
+ return text.split("[\\s,]+");
}
}
--
To stop receiving notification emails like this one, please contact
jensdeppe@apache.org.