Posted to commits@knox.apache.org by lm...@apache.org on 2015/07/15 22:59:23 UTC
knox git commit: KNOX-566 - Make the Default Ephemeral DH Key Size
2048 for TLS
Repository: knox
Updated Branches:
refs/heads/master d268487cc -> 06a61b602
KNOX-566 - Make the Default Ephemeral DH Key Size 2048 for TLS
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/06a61b60
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/06a61b60
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/06a61b60
Branch: refs/heads/master
Commit: 06a61b602363b4e86fd2e0fcbdc8284ddfd70230
Parents: d268487
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Jul 15 16:54:13 2015 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Jul 15 16:54:13 2015 -0400
----------------------------------------------------------------------
.../hadoop/gateway/config/impl/GatewayConfigImpl.java | 9 +++++++++
.../gateway/services/security/impl/JettySSLService.java | 6 ++++--
.../org/apache/hadoop/gateway/config/GatewayConfig.java | 2 ++
.../java/org/apache/hadoop/gateway/GatewayTestConfig.java | 8 ++++++++
4 files changed, 23 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 77fb792..e62f438 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -111,6 +111,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
private static final String XFORWARDED_ENABLED = GATEWAY_CONFIG_FILE_PREFIX + ".xforwarded.enabled";
+ private static final String EPHEMERAL_DH_KEY_SIZE = GATEWAY_CONFIG_FILE_PREFIX + ".jdk.tls.ephemeralDHKeySize";
// These config property names are not inline with the convention of using the
// GATEWAY_CONFIG_FILE_PREFIX as is done by those above. These are left for
@@ -436,4 +437,12 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
String xForwardedEnabled = get( XFORWARDED_ENABLED, "true" );
return "true".equals(xForwardedEnabled);
}
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+ */
+ @Override
+ public String getEphemeralDHKeySize() {
+ return get( EPHEMERAL_DH_KEY_SIZE, "2048");
+ }
}
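Review bot: The new `getEphemeralDHKeySize()` carries only an IDE-generated `(non-Javadoc)` stub, so the config key and its default are not documented where an operator maintaining this class would look; a comment such as `// Reads {GATEWAY_CONFIG_FILE_PREFIX}.jdk.tls.ephemeralDHKeySize; defaults to "2048" (bits) when unset` on the method would cover it. The default literal `"2048"` is also repeated verbatim in GatewayTestConfig in this same commit, so a named constant such as `private static final String DEFAULT_EPHEMERAL_DH_KEY_SIZE = "2048";` next to `EPHEMERAL_DH_KEY_SIZE` would keep the two from drifting. The value is returned untouched as a String; whatever validation the consumer needs has to happen there, which is worth saying in the comment so the next reader does not assume this getter guarantees a number.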
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index f2facee..58a699f 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -43,11 +43,11 @@ import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
public class JettySSLService implements SSLService {
- private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
+ private static final String EPHEMERAL_DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";
private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
-
+
private MasterService ms;
private KeystoreService ks;
private AliasService as;
@@ -74,6 +74,8 @@ public class JettySSLService implements SSLService {
@Override
public void init(GatewayConfig config, Map<String, String> options)
throws ServiceLifecycleException {
+ // set any JSSE or security related system properties
+ System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());
try {
if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
log.creatingCredentialStoreForGateway();
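Review bot: The added `System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize())` passes the configured string through with no validation, so a mistyped value does not fail startup; as far as I recall JSSE falls back to its own built-in default for a value it cannot interpret, which would silently give weaker DH parameters than the 2048 bits this commit intends — confirm against the JDK in use. I would parse the value before setting it and fail `init` on an unparseable one (the JDK also accepts the keyword values `legacy` and `matched` for this property, so accept those explicitly if they are meant to be supported), and the rejection message should include the offending value. Since this is a JVM-wide property that JSSE reads when it initializes, it is only effective if nothing earlier in startup has already triggered TLS initialization; a one-line comment stating that ordering assumption on the `System.setProperty` line would help. The `init` method continues past the end of the hunk, and the fence assumes `ServiceLifecycleException` has a `(String, Throwable)` constructor — adjust if it does not.
```java
    // set any JSSE or security related system properties
    String dhKeySize = config.getEphemeralDHKeySize();
    // jdk.tls.ephemeralDHKeySize is JVM-wide and is read when JSSE initializes;
    // reject an unparseable value here rather than letting JSSE fall back silently.
    try {
      Integer.parseInt(dhKeySize);
    } catch (NumberFormatException e) {
      throw new ServiceLifecycleException("Invalid ephemeral DH key size: " + dhKeySize, e);
    }
    System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, dhKeySize);
    // … unchanged: credential store setup …
```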
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 0494bb8..6363ce4 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
@@ -104,4 +104,6 @@ public interface GatewayConfig {
String getTruststoreType();
boolean isXForwardedEnabled();
+
+ String getEphemeralDHKeySize();
}
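Review bot: `String getEphemeralDHKeySize();` is added to a public SPI interface without Javadoc, so implementors have nothing telling them what values are acceptable or what the default should be. I would add: `/** Size in bits of the ephemeral Diffie-Hellman key used for TLS, as a string suitable for the {@code jdk.tls.ephemeralDHKeySize} system property; implementations default to {@code "2048"}. */`. Returning a `String` for a numeric setting also pushes validation onto each consumer; an `int` return with the conversion done once in the config layer would be the more type-safe shape, though the String form does match what `System.setProperty` ultimately needs.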
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 3940474..1da75b0 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -250,4 +250,12 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
public void setXForwardedEnabled(boolean enabled) {
xForwardedEnabled = enabled;
}
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+ */
+ @Override
+ public String getEphemeralDHKeySize() {
+ return "2048";
+ }
}
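Review bot: The test config's `getEphemeralDHKeySize()` hard-codes `"2048"` with no setter, unlike the `setXForwardedEnabled` pattern visible just above it, so no test can exercise the gateway with a non-default or malformed key size. Backing it with a field and setter would keep it consistent with the rest of this class: `private String ephemeralDHKeySize = "2048";` and `public void setEphemeralDHKeySize(String size) { ephemeralDHKeySize = size; }`, with the getter returning the field.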