Posted to commits@tinkerpop.apache.org by rd...@apache.org on 2018/08/17 19:48:19 UTC

[14/16] tinkerpop git commit: TINKERPOP-2023 default to TLSv1.2, updated upgrade notes

TINKERPOP-2023 default to TLSv1.2, updated upgrade notes


Project: http://git-wip-us.apache.org/repos/asf/tinkerpop/repo
Commit: http://git-wip-us.apache.org/repos/asf/tinkerpop/commit/ca83fbdf
Tree: http://git-wip-us.apache.org/repos/asf/tinkerpop/tree/ca83fbdf
Diff: http://git-wip-us.apache.org/repos/asf/tinkerpop/diff/ca83fbdf

Branch: refs/heads/TINKERPOP-2023
Commit: ca83fbdfdc885a9774ba1dbc17b3d9df75c49137
Parents: e3b4ae5
Author: Robert Dale <ro...@gmail.com>
Authored: Sun Aug 12 21:50:02 2018 -0400
Committer: Robert Dale <ro...@gmail.com>
Committed: Fri Aug 17 15:06:33 2018 -0400

----------------------------------------------------------------------
 CHANGELOG.asciidoc                              |  1 +
 .../upgrade/release-3.2.x-incubating.asciidoc   | 25 ++++++++++++++++++++
 gremlin-console/conf/remote-secure.yaml         |  2 +-
 .../conf/gremlin-server-rest-secure.yaml        |  1 +
 gremlin-server/conf/gremlin-server-secure.yaml  |  1 +
 5 files changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/CHANGELOG.asciidoc
----------------------------------------------------------------------
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index eb1a6c5..9dec8df 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -23,6 +23,7 @@ image::https://raw.githubusercontent.com/apache/tinkerpop/master/docs/static/ima
 [[release-3-2-10]]
 === TinkerPop 3.2.10 (Release Date: NOT OFFICIALLY RELEASED YET)
 
+* SSL security enhancements
 * Fixed problem with Gremlin Server sometimes returning an additional message after a failure.
 * Allowed spaces in classpath for `gremlin-server.bat`.
 * Modified Maven archetype for Gremlin Server to use remote traversals rather than scripts.
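Review bot: The new changelog line `* SSL security enhancements` is too vague for a release note that changes default behaviour; the other entries in this list each name a concrete change. Suggest spelling out what changed (packaged `*-secure.yaml` files restricted to `TLSv1.2`, Gremlin Server no longer auto-creates self-signed certificates, the Cluster client no longer trusts all certificates by default) and appending the issue references already used in the upgrade notes, e.g. `* SSL security enhancements: TLSv1.2 by default in secure configs, no auto-generated self-signed certs, client no longer trusts all certs (TINKERPOP-2022, TINKERPOP-2023)`.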

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/docs/src/upgrade/release-3.2.x-incubating.asciidoc
----------------------------------------------------------------------
diff --git a/docs/src/upgrade/release-3.2.x-incubating.asciidoc b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
index af03937..9b0a120 100644
--- a/docs/src/upgrade/release-3.2.x-incubating.asciidoc
+++ b/docs/src/upgrade/release-3.2.x-incubating.asciidoc
@@ -29,6 +29,31 @@ Please see the link:https://github.com/apache/tinkerpop/blob/3.2.10/CHANGELOG.as
 
 === Upgrading for Users
 
+==== SSL Security
+
+TinkerPop improves its security posture by removing insecure defaults and adding forward-looking standards support.
+
+Gremlin Server no longer supports automatically creating self-signed certificates.
+Self-signed certificates can still be created manually outside of Gremlin Server.
+If ssl is enabled, a key store must be configured.
+
+Cluster client no longer trusts all certs by default as this is an insecure configuration.
+Instead, if no trust store is configured, Cluster will use the default CA certs.
+To revert to the previous behavior and accept all certs, it must be explicitly configured.
+
+This release introduces JKS and PKCS12 support. JKS is the legacy Java Key Store. PKCS12 has better cross-platform support and is gaining in adoption.
+Be aware that JKS is the default on Java 8.  Java 9 and higher use PKCS12 as the default. Both Java keytool and OpenSSL tools can create, read, update PKCS12 files.
+
+Other new features include specifying SSL protocols and cipher suites.
+The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by default.
+
+PEM-based configurations are deprecated and may be removed in a future release.
+
+See the section on configuring SSL.
+
+link:https://issues.apache.org/jira/browse/TINKERPOP-2022[TINKERPOP-2022]
+link:https://issues.apache.org/jira/browse/TINKERPOP-2023[TINKERPOP-2023]
+
 ==== Bulk Import and Export
 
 TinkerPop has provided some general methods for importing and exporting data, but more and more graph providers are
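Review bot: Two statements in this section leave the reader without the setting they need. "To revert to the previous behavior and accept all certs, it must be explicitly configured" does not say which option to set; the `remote-secure.yaml` hunk in this same commit removes `sslSkipCertValidation: true`, so naming that key here would make the revert path unambiguous. Likewise "The packaged `*-secure.yaml` files now restrict the protocol to `TLSv1.2` by default" should name `sslEnabledProtocols` so users of their own YAML files know how to apply the same restriction, and it should make clear that a user-supplied config without that key is not restricted by this change. "See the section on configuring SSL." is a bare reference where the rest of this document uses `link:` macros and section anchors; turn it into a cross reference. Minor wording: "If ssl is enabled" should read "If SSL is enabled", and "can create, read, update PKCS12 files" is missing "and" before "update".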

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-console/conf/remote-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-console/conf/remote-secure.yaml b/gremlin-console/conf/remote-secure.yaml
index c7a2c44..b0a7309 100644
--- a/gremlin-console/conf/remote-secure.yaml
+++ b/gremlin-console/conf/remote-secure.yaml
@@ -30,5 +30,5 @@ username: stephen
 password: password
 connectionPool: {
   enableSsl: true,
-  sslSkipCertValidation: true }
+  sslEnabledProtocols: [TLSv1.2] }
 serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV1d0, config: { serializeResultToString: true }}
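Review bot: This hunk changes two things at once: it drops `sslSkipCertValidation: true`, so the console will now validate the server certificate against the default CA certs (per the upgrade notes), and it adds `sslEnabledProtocols: [TLSv1.2]`. Since the companion `gremlin-server-secure.yaml` in this commit ships with its `keyStore` commented out and the upgrade notes say self-signed certificates must now be created manually, a user following the packaged files will get a handshake failure until they configure a trust store for that self-signed server certificate. Suggest adding a commented hint in this block, mirroring the server file's `# You must configure a keyStore!`, that states a trust store (or an explicit `sslSkipCertValidation: true` for local testing only) is required when the server uses a self-signed certificate, so the failure mode is explained where the user will hit it.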

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-rest-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-rest-secure.yaml b/gremlin-server/conf/gremlin-server-rest-secure.yaml
index fcfbba1..2f4db91 100644
--- a/gremlin-server/conf/gremlin-server-rest-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-rest-secure.yaml
@@ -70,6 +70,7 @@ authentication: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
   enabled: true,
+  sslEnabledProtocols: [TLSv1.2],
   # You must configure a keyStore!
   #keyStore: server.jks,
   #keyStorePassword: changeit
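Review bot: `sslEnabledProtocols: [TLSv1.2]` is added without any explanatory comment, while the neighbouring `keyStore` lines are commented with guidance. Suggest a one-line comment stating that this list restricts the server to the named protocol versions and that clients (including the packaged console config) must speak TLSv1.2, and that the JVM's own enabled-protocol set applies when the key is omitted. The upgrade notes in this commit also announce PKCS12 key store support, but the commented example here still shows only `server.jks`; if the server exposes a way to select the store type, a commented PKCS12 example next to `#keyStore: server.jks` would make that new feature discoverable from the sample config.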

http://git-wip-us.apache.org/repos/asf/tinkerpop/blob/ca83fbdf/gremlin-server/conf/gremlin-server-secure.yaml
----------------------------------------------------------------------
diff --git a/gremlin-server/conf/gremlin-server-secure.yaml b/gremlin-server/conf/gremlin-server-secure.yaml
index af46c59..637af12 100644
--- a/gremlin-server/conf/gremlin-server-secure.yaml
+++ b/gremlin-server/conf/gremlin-server-secure.yaml
@@ -74,6 +74,7 @@ authentication: {
     credentialsDb: conf/tinkergraph-credentials.properties}}
 ssl: {
   enabled: true,
+  sslEnabledProtocols: [TLSv1.2],
   # You must configure a keyStore!
   #keyStore: server.jks,
   #keyStorePassword: changeit
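Review bot: This change is identical to the one in `gremlin-server-rest-secure.yaml`, so the same comment applies: the new `sslEnabledProtocols` line should carry a short comment explaining its effect and the behaviour when it is absent, and the `#keyStore: server.jks` example should be updated alongside the PKCS12 support described in the upgrade notes. Keeping the two secure sample files in step is worth a note in the commit message or upgrade notes, since the commit title says "default to TLSv1.2" but the restriction only takes effect in configurations that include this key, which the upgrade notes should state explicitly.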