Posted to commits@knox.apache.org by lm...@apache.org on 2015/07/15 22:59:23 UTC

knox git commit: KNOX-566 - Make the Default Ephemeral DH Key Size 2048 for TLS

Repository: knox
Updated Branches:
  refs/heads/master d268487cc -> 06a61b602


KNOX-566 - Make the Default Ephemeral DH Key Size 2048 for TLS

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/06a61b60
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/06a61b60
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/06a61b60

Branch: refs/heads/master
Commit: 06a61b602363b4e86fd2e0fcbdc8284ddfd70230
Parents: d268487
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Jul 15 16:54:13 2015 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Jul 15 16:54:13 2015 -0400

----------------------------------------------------------------------
 .../hadoop/gateway/config/impl/GatewayConfigImpl.java       | 9 +++++++++
 .../gateway/services/security/impl/JettySSLService.java     | 6 ++++--
 .../org/apache/hadoop/gateway/config/GatewayConfig.java     | 2 ++
 .../java/org/apache/hadoop/gateway/GatewayTestConfig.java   | 8 ++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 77fb792..e62f438 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -111,6 +111,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
   private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
   private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
   private static final String XFORWARDED_ENABLED = GATEWAY_CONFIG_FILE_PREFIX + ".xforwarded.enabled";
+  private static final String EPHEMERAL_DH_KEY_SIZE = GATEWAY_CONFIG_FILE_PREFIX + ".jdk.tls.ephemeralDHKeySize";
 
   // These config property names are not inline with the convention of using the
   // GATEWAY_CONFIG_FILE_PREFIX as is done by those above. These are left for
@@ -436,4 +437,12 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
     String xForwardedEnabled = get( XFORWARDED_ENABLED, "true" );
     return "true".equals(xForwardedEnabled);
   }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+   */
+  @Override
+  public String getEphemeralDHKeySize() {
+    return get( EPHEMERAL_DH_KEY_SIZE, "2048");
+  }
 }
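Review bot: The new `getEphemeralDHKeySize()` carries only a `(non-Javadoc)` stub, so a reader of `GatewayConfigImpl` has no way to know that the returned string is handed straight to the JVM as the `jdk.tls.ephemeralDHKeySize` system property, what values JSSE accepts for it, or why the default is "2048"; replace the stub with a Javadoc that states the config key `gateway.jdk.tls.ephemeralDHKeySize`, the default of 2048 bits, and that the value is passed through unparsed. Since `GatewayConfigImpl extends Configuration` and appears to be Hadoop's `Configuration`, `return getTrimmed( EPHEMERAL_DH_KEY_SIZE, "2048");` would keep stray whitespace from an XML value out of the system property, which JSSE parses as an integer; confirm the base class offers it. The validation of the value itself is better placed at the consumer in `JettySSLService.init()`, where the property is actually set.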

http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index f2facee..58a699f 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -43,11 +43,11 @@ import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 public class JettySSLService implements SSLService {
-  private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
+  private static final String EPHEMERAL_DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";
   private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
   private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
   private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
-  
+
   private MasterService ms;
   private KeystoreService ks;
   private AliasService as;
@@ -74,6 +74,8 @@ public class JettySSLService implements SSLService {
   @Override
   public void init(GatewayConfig config, Map<String, String> options)
       throws ServiceLifecycleException {
+    // set any JSSE or security related system properties
+    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());
     try {
       if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
         log.creatingCredentialStoreForGateway();
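Review bot: `System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize())` publishes an operator-supplied string as a process-wide JSSE setting without checking it, so a mistyped or out-of-range value (or a null from a non-default `GatewayConfig` implementation) is not caught at service start. In the reference JSSE implementation this property is parsed once when the TLS server-side code initializes, and as far as I recall an unparsable value is rejected there, which would surface as a failure on the first TLS handshake rather than a clear configuration error; that also means the setting is only effective if no TLS code has initialized in this JVM before `init()` runs, which is worth stating in the comment. I would validate the value against the forms the property documents ("legacy", "matched", or a bit size) and fail fast, as below; the rest of `init()` is unchanged and continues past the hunk. JSSE enforces its own upper bound, which has changed across JDK releases, so the check below only rejects values that can never be valid.
```java
  // Accepts the forms documented for jdk.tls.ephemeralDHKeySize: the keywords
  // "legacy" and "matched", or a DH modulus size in bits (at least 1024).
  // JSSE applies its own, JDK-version-specific upper bound on the size.
  private static boolean isValidEphemeralDHKeySize(String value) {
    if ("legacy".equals(value) || "matched".equals(value)) {
      return true;
    }
    try {
      return Integer.parseInt(value) >= 1024;
    } catch (NumberFormatException e) {
      return false;
    }
  }

  // … unchanged: other members …

  @Override
  public void init(GatewayConfig config, Map<String, String> options)
      throws ServiceLifecycleException {
    // JSSE reads this system property once, when its TLS server code initializes,
    // so it only takes effect if no TLS handshake has happened yet in this JVM.
    String dhKeySize = config.getEphemeralDHKeySize();
    if (!isValidEphemeralDHKeySize(dhKeySize)) {
      throw new IllegalArgumentException(
          "Invalid " + EPHEMERAL_DH_KEY_SIZE_PROPERTY + " value: " + dhKeySize);
    }
    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, dhKeySize);
    // … unchanged: credential store and keystore setup …
```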

http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 0494bb8..6363ce4 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -104,4 +104,6 @@ public interface GatewayConfig {
   String getTruststoreType();
 
   boolean isXForwardedEnabled();
+
+  String getEphemeralDHKeySize();
 }
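Review bot: `String getEphemeralDHKeySize();` is added to the public `GatewayConfig` SPI with no Javadoc, while the contract is not obvious from the signature: the value is a string rather than an int because JSSE also accepts the keywords "legacy" and "matched", and the implementations in this commit default it to "2048". A Javadoc should say that the returned value is used verbatim as the `jdk.tls.ephemeralDHKeySize` system property for the gateway's TLS listener, list the accepted forms, name the default, and state whether null is permitted. Adding an abstract method to a published interface also breaks any third-party `GatewayConfig` implementation at compile time; if the project's Java level does not allow a default method, that is worth a line in the commit message or release notes.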

http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 3940474..1da75b0 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -250,4 +250,12 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
   public void setXForwardedEnabled(boolean enabled) {
     xForwardedEnabled = enabled;
   }
+
+  /* (non-Javadoc)
+   * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+   */
+  @Override
+  public String getEphemeralDHKeySize() {
+    return "2048";
+  }
 }
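Review bot: The test config hard-codes `return "2048";`, unlike the neighbouring `setXForwardedEnabled`, so no test can exercise `JettySSLService` with a different or invalid DH key size. Following the pattern used just above, add a field `private String ephemeralDHKeySize = "2048";`, a setter `public void setEphemeralDHKeySize(String size) { ephemeralDHKeySize = size; }`, and have the getter `return ephemeralDHKeySize;`. The `(non-Javadoc)` stub can then be dropped or replaced with a one-line comment saying the value mirrors the production default.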