Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/11/17 04:36:01 UTC

[GitHub] [pulsar] lhotari edited a comment on pull request #8581: [Issue 8580][pulsar-common] Set configured TLS protocols to SSLEngine instance

lhotari edited a comment on pull request #8581:
URL: https://github.com/apache/pulsar/pull/8581#issuecomment-728679620


   > What is the value returned before?
   
   @sijie 
   For Java 8u272, `Arrays.asList(sslEngine.getSupportedProtocols()).toString()` returns `[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]`.
   For Java 8u232, it's `[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]`.
   
   [The `protocols` field in `KeyStoreSSLContext` was unused before](https://github.com/apache/pulsar/blob/5bbd44784a9e4bc58ee5025025d748b52b21825a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java#L79) and it's an old bug that the field was never used to configure the enabled TLS protocols for the SSLEngine.
   
   TLS `protocols` are properly passed in the `NettyServerSslContextBuilder` class, so this has been a bug in the code that uses `KeyStoreSSLContext`.
   
   btw. The KeyStoreSSLContext class is also used for the web server. In those cases, [the protocols aren't configured and there's also a comment about it in the code](https://github.com/apache/pulsar/blob/5bbd44784a9e4bc58ee5025025d748b52b21825a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java#L247). 
   However, there's a default value in `KeyStoreSSLContext` which will get used if null is passed to protocols.
   It's defined at https://github.com/apache/pulsar/blob/5bbd44784a9e4bc58ee5025025d748b52b21825a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java#L52 .
   Previously, this default value was ignored since it was never set on the SSLEngine. With this PR, it will get set.
   
   
   
   
   


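The behaviour discussed in the comment above, as an added example that is not part of the original comment and is not Pulsar's code: a configured protocol list only takes effect once it is passed to `SSLEngine.setEnabledProtocols`, and names the running JDK does not support must be filtered out first. The class name `EnabledProtocolsDemo`, the helper `applyProtocols` and the sample protocol list are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Pulsar's.
public class EnabledProtocolsDemo {

    // Apply a configured protocol list to an engine. Without this call the
    // engine keeps the JDK's default enabled set and the configured value is
    // silently ignored, which is the bug described in the comment.
    static void applyProtocols(SSLEngine engine, Set<String> configured) {
        if (configured == null || configured.isEmpty()) {
            return; // nothing configured: leave the JDK defaults in place
        }
        Set<String> supported =
                new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        // Keep only names this JDK knows: setEnabledProtocols throws
        // IllegalArgumentException for an unsupported name, and the comment's
        // 8u232 list has no TLSv1.3 entry.
        Set<String> usable = new LinkedHashSet<>(configured);
        usable.retainAll(supported);
        if (usable.isEmpty()) {
            throw new IllegalStateException(
                    "None of the configured protocols " + configured
                            + " is supported by this JDK: " + supported);
        }
        engine.setEnabledProtocols(usable.toArray(new String[0]));
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("supported:      "
                + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled before: "
                + Arrays.toString(engine.getEnabledProtocols()));

        // Constructed sample configuration.
        Set<String> configured =
                new LinkedHashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2"));
        applyProtocols(engine, configured);
        System.out.println("enabled after:  "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Comparing the "enabled before" and "enabled after" lines on a given JDK shows which protocols were being offered while the configured list was ignored.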