Posted to commits@pulsar.apache.org by pe...@apache.org on 2021/05/17 04:07:48 UTC

[pulsar] branch master updated: [Broker/Proxy] Update default TLS protocols to TLSv1.3, TLSv1.2 (#10598)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new b75acbe  [Broker/Proxy] Update default TLS protocols to TLSv1.3,TLSv1.2 (#10598)
b75acbe is described below

commit b75acbe890586579c1d14f8d10d796d7aca2aafa
Author: Lari Hotari <lh...@users.noreply.github.com>
AuthorDate: Mon May 17 07:06:50 2021 +0300

    [Broker/Proxy] Update default TLS protocols to TLSv1.3,TLSv1.2 (#10598)
    
    Fixes #10335
    
    ### Motivation
    
    See #10335. TLSv1.3 support has been available in the JDK since [JDK 8u261](https://github.com/AdoptOpenJDK/openjdk-build/issues/1254#issuecomment-678900470). The TLS protocol versions TLSv1.1 and TLSv1 aren't considered secure.
    
    ### Modifications
    
    - change default TLS protocols to TLSv1.3,TLSv1.2
    - update tests, docs & config files to reflect the change
---
 .../org/apache/pulsar/client/TlsProducerConsumerBase.java    |  1 +
 conf/broker.conf                                             |  4 ++--
 conf/proxy.conf                                              |  2 +-
 conf/standalone.conf                                         | 12 ++++++------
 deployment/terraform-ansible/templates/broker.conf           |  4 ++--
 deployment/terraform-ansible/templates/proxy.conf            |  2 +-
 .../java/org/apache/pulsar/broker/ServiceConfiguration.java  |  4 ++--
 .../apache/pulsar/client/api/TlsProducerConsumerBase.java    |  1 +
 .../pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java      |  1 +
 .../impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java    |  1 +
 .../impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java |  1 +
 .../java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java  |  4 +++-
 .../org/apache/pulsar/client/admin/PulsarAdminBuilder.java   |  2 +-
 .../java/org/apache/pulsar/client/api/ClientBuilder.java     |  2 +-
 .../java/org/apache/pulsar/common/util/SecurityUtility.java  |  1 -
 .../pulsar/common/util/keystoretls/KeyStoreSSLContext.java   |  2 +-
 .../common/util/keystoretls/SSLContextValidatorEngine.java   |  8 ++++++++
 .../pulsar/discovery/service/server/ServiceConfig.java       |  2 +-
 .../org/apache/pulsar/proxy/server/ProxyConfiguration.java   |  4 ++--
 .../pulsar/proxy/server/ProxyWithAuthorizationTest.java      |  3 +--
 site2/docs/reference-configuration.md                        |  6 +++---
 site2/docs/security-tls-keystore.md                          |  2 +-
 site2/docs/security-tls-transport.md                         | 10 +++++-----
 23 files changed, 46 insertions(+), 33 deletions(-)

diff --git a/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java b/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
index 3521671..756079f 100644
--- a/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
+++ b/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
@@ -69,6 +69,7 @@ public class TlsProducerConsumerBase extends ProducerConsumerBase {
         conf.setClusterName(clusterName);
         conf.setTlsRequireTrustedClientCertOnConnect(true);
         Set<String> tlsProtocols = Sets.newConcurrentHashSet();
+        tlsProtocols.add("TLSv1.3");
         tlsProtocols.add("TLSv1.2");
         conf.setTlsProtocols(tlsProtocols);
         conf.setNumExecutorThreadPoolSize(5);
diff --git a/conf/broker.conf b/conf/broker.conf
index fa0f89a..21008ec 100644
--- a/conf/broker.conf
+++ b/conf/broker.conf
@@ -537,7 +537,7 @@ tlsAllowInsecureConnection=false
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
+# Examples:- [TLSv1.3, TLSv1.2]
 tlsProtocols=
 
 # Specify the tls cipher the broker will use to negotiate during TLS Handshake
@@ -602,7 +602,7 @@ brokerClientTlsCiphers=
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# e.g.  [TLSv1.2, TLSv1.1, TLSv1]
+# e.g.  [TLSv1.3, TLSv1.2]
 # used by the internal client to authenticate with Pulsar brokers
 brokerClientTlsProtocols=
 
diff --git a/conf/proxy.conf b/conf/proxy.conf
index d8f9f4a..a119095 100644
--- a/conf/proxy.conf
+++ b/conf/proxy.conf
@@ -161,7 +161,7 @@ tlsHostnameVerificationEnabled=false
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
+# Examples:- [TLSv1.3, TLSv1.2]
 tlsProtocols=
 
 # Specify the tls cipher the broker will use to negotiate during TLS Handshake
diff --git a/conf/standalone.conf b/conf/standalone.conf
index 4cf49f5..3f6292c 100644
--- a/conf/standalone.conf
+++ b/conf/standalone.conf
@@ -316,7 +316,7 @@ tlsAllowInsecureConnection=false
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
+# Examples:- [TLSv1.3, TLSv1.2]
 tlsProtocols=
 
 # Specify the tls cipher the broker will use to negotiate during TLS Handshake
@@ -381,7 +381,7 @@ brokerClientTlsCiphers=
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# e.g.  [TLSv1.2, TLSv1.1, TLSv1]
+# e.g.  [TLSv1.3, TLSv1.2]
 # used by the internal client to authenticate with Pulsar brokers
 brokerClientTlsProtocols=
 
@@ -686,12 +686,12 @@ managedLedgerPrometheusStatsLatencyRolloverSeconds=60
 # Whether trace managed ledger task execution time
 managedLedgerTraceTaskExecution=true
 
-# If you want to custom bookie ID or use a dynamic network address for the bookie, 
-# you can set this option. 
-# Bookie advertises itself using bookieId rather than 
+# If you want to custom bookie ID or use a dynamic network address for the bookie,
+# you can set this option.
+# Bookie advertises itself using bookieId rather than
 # BookieSocketAddress (hostname:port or IP:port).
 # bookieId is a non empty string that can contain ASCII digits and letters ([a-zA-Z9-0]),
-# colons, dashes, and dots. 
+# colons, dashes, and dots.
 # For more information about bookieId, see http://bookkeeper.apache.org/bps/BP-41-bookieid/.
 # bookieId=
 
diff --git a/deployment/terraform-ansible/templates/broker.conf b/deployment/terraform-ansible/templates/broker.conf
index 790bb58..666c269 100644
--- a/deployment/terraform-ansible/templates/broker.conf
+++ b/deployment/terraform-ansible/templates/broker.conf
@@ -464,7 +464,7 @@ tlsAllowInsecureConnection=false
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
+# Examples:- [TLSv1.3, TLSv1.2]
 tlsProtocols=
 
 # Specify the tls cipher the broker will use to negotiate during TLS Handshake
@@ -529,7 +529,7 @@ brokerClientTlsCiphers=
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# e.g.  [TLSv1.2, TLSv1.1, TLSv1]
+# e.g.  [TLSv1.3, TLSv1.2]
 # used by the internal client to authenticate with Pulsar brokers
 brokerClientTlsProtocols=
 
diff --git a/deployment/terraform-ansible/templates/proxy.conf b/deployment/terraform-ansible/templates/proxy.conf
index 3d99440..7d04914 100644
--- a/deployment/terraform-ansible/templates/proxy.conf
+++ b/deployment/terraform-ansible/templates/proxy.conf
@@ -155,7 +155,7 @@ tlsHostnameVerificationEnabled=false
 
 # Specify the tls protocols the broker will use to negotiate during TLS handshake
 # (a comma-separated list of protocol names).
-# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
+# Examples:- [TLSv1.3, TLSv1.2]
 tlsProtocols=
 
 # Specify the tls cipher the broker will use to negotiate during TLS Handshake
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
index a09077f..844e137 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
@@ -1020,7 +1020,7 @@ public class ServiceConfiguration implements PulsarConfiguration {
     @FieldContext(
         category = CATEGORY_TLS,
         doc = "Specify the tls protocols the broker will use to negotiate during TLS Handshake.\n\n"
-            + "Example:- [TLSv1.2, TLSv1.1, TLSv1]"
+            + "Example:- [TLSv1.3, TLSv1.2]"
     )
     private Set<String> tlsProtocols = Sets.newTreeSet();
     @FieldContext(
@@ -2149,7 +2149,7 @@ public class ServiceConfiguration implements PulsarConfiguration {
             category = CATEGORY_KEYSTORE_TLS,
             doc = "Specify the tls protocols the broker will use to negotiate during TLS handshake"
                   + " (a comma-separated list of protocol names).\n\n"
-                  + "Examples:- [TLSv1.2, TLSv1.1, TLSv1] \n"
+                  + "Examples:- [TLSv1.3, TLSv1.2] \n"
                   + " used by the internal client to authenticate with Pulsar brokers"
     )
     private Set<String> brokerClientTlsProtocols = Sets.newTreeSet();
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
index e81ca0f..bd758c2 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
@@ -68,6 +68,7 @@ public class TlsProducerConsumerBase extends ProducerConsumerBase {
         conf.setClusterName(clusterName);
         conf.setTlsRequireTrustedClientCertOnConnect(true);
         Set<String> tlsProtocols = Sets.newConcurrentHashSet();
+        tlsProtocols.add("TLSv1.3");
         tlsProtocols.add("TLSv1.2");
         conf.setTlsProtocols(tlsProtocols);
         conf.setNumExecutorThreadPoolSize(5);
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
index 42c4c03..5142bbd 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
@@ -101,6 +101,7 @@ public class AdminApiKeyStoreTlsAuthTest extends ProducerConsumerBase {
 
         conf.setClusterName(clusterName);
         conf.setTlsRequireTrustedClientCertOnConnect(true);
+        tlsProtocols.add("TLSv1.3");
         tlsProtocols.add("TLSv1.2");
         conf.setTlsProtocols(tlsProtocols);
 
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java
index e0f7c9a..c79cb5d 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithAuthTest.java
@@ -119,6 +119,7 @@ public class KeyStoreTlsProducerConsumerTestWithAuthTest extends ProducerConsume
         }
 
         Set<String> tlsProtocols = Sets.newConcurrentHashSet();
+        tlsProtocols.add("TLSv1.3");
         tlsProtocols.add("TLSv1.2");
 
         ClientBuilder clientBuilder = PulsarClient.builder().serviceUrl(lookupUrl)
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java
index 38a9aa2..185df02 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsProducerConsumerTestWithoutAuthTest.java
@@ -98,6 +98,7 @@ public class KeyStoreTlsProducerConsumerTestWithoutAuthTest extends ProducerCons
 
         conf.setClusterName(clusterName);
         conf.setTlsRequireTrustedClientCertOnConnect(true);
+        tlsProtocols.add("TLSv1.3");
         tlsProtocols.add("TLSv1.2");
         conf.setTlsProtocols(tlsProtocols);
         conf.setNumExecutorThreadPoolSize(5);
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
index 3315349..8974962 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
@@ -20,6 +20,7 @@ package org.apache.pulsar.client.impl;
 
 import static org.apache.pulsar.common.util.SecurityUtility.getProvider;
 import java.security.Provider;
+import java.util.Collections;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
 import org.apache.pulsar.common.util.keystoretls.SSLContextValidatorEngine;
 import org.testng.annotations.Test;
@@ -71,7 +72,8 @@ public class KeyStoreTlsTest {
                 CLIENT_TRUSTSTORE_PW,
                 false,
                 null,
-                null);
+                // set client's protocol to TLSv1.2 since SSLContextValidatorEngine.validate doesn't handle TLSv1.3
+                Collections.singleton("TLSv1.2"));
         clientSSLContext.createSSLContext();
 
         SSLContextValidatorEngine.validate(clientSSLContext::createSSLEngine, serverSSLContext::createSSLEngine);
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
index fda3694..9f8b4be 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
@@ -221,7 +221,7 @@ public interface PulsarAdminBuilder {
     /**
      * The SSL protocol used to generate the SSLContext.
      * Default setting is TLS, which is fine for most cases.
-     * Allowed values in recent JVMs are TLS, TLSv1.1 and TLSv1.2. SSL, SSLv2.
+     * Allowed values in recent JVMs are TLS, TLSv1.3, TLSv1.2 and TLSv1.1.
      *
      * @param tlsProtocols
      */
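Review bot: The rewritten Javadoc line "Allowed values in recent JVMs are TLS, TLSv1.3, TLSv1.2 and TLSv1.1." still presents TLSv1.1 as an allowed value without qualification, while the commit message states that TLSv1.1 and TLSv1 aren't considered secure; the identical hunk in ClientBuilder.java has the same wording. The `@param tlsProtocols` tag is also left empty in both hunks, and the summary sentence "The SSL protocol used to generate the SSLContext" reads like a single algorithm name rather than the set of handshake versions the parameter name suggests — the parameter type is outside the hunk, so confirm which it is. Suggest `@param tlsProtocols the TLS protocol versions to enable for the handshake, e.g. TLSv1.3 and TLSv1.2; TLSv1.1 and TLSv1 are accepted by the JVM but are not considered secure`, in both files.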
diff --git a/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java b/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java
index 6f50678..7645ab9 100644
--- a/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java
+++ b/pulsar-client-api/src/main/java/org/apache/pulsar/client/api/ClientBuilder.java
@@ -358,7 +358,7 @@ public interface ClientBuilder extends Cloneable {
     /**
      * The SSL protocol used to generate the SSLContext.
      * Default setting is TLS, which is fine for most cases.
-     * Allowed values in recent JVMs are TLS, TLSv1.1 and TLSv1.2. SSL, SSLv2.
+     * Allowed values in recent JVMs are TLS, TLSv1.3, TLSv1.2 and TLSv1.1.
      *
      * @param tlsProtocols
      * @return the client builder instance
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 8a2f965..52a5793 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -82,7 +82,6 @@ public class SecurityUtility {
     // also used to get Factories. e.g. CertificateFactory.getInstance("X.509", "BCFIPS")
     public static final String BC_FIPS = "BCFIPS";
     public static final String BC = "BC";
-    private static final String SSLCONTEXT_ALGORITHM = "TLSv1.2";
 
     public static boolean isBCFIPS() {
         return BC_PROVIDER.getClass().getCanonicalName().equals(BC_FIPS_PROVIDER_CLASS);
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java
index a679d9e..d35fbc3 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/KeyStoreSSLContext.java
@@ -49,7 +49,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 public class KeyStoreSSLContext {
     public static final String DEFAULT_KEYSTORE_TYPE = "JKS";
     public static final String DEFAULT_SSL_PROTOCOL = "TLS";
-    public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1";
+    public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2";
     public static final String DEFAULT_SSL_KEYMANGER_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
     public static final String DEFAULT_SSL_TRUSTMANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
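Review bot: DEFAULT_SSL_ENABLED_PROTOCOLS now names TLSv1.3, and SSLEngine/SSLSocket.setEnabledProtocols rejects any protocol name the runtime does not support with IllegalArgumentException, so on a JDK older than 8u261 (the version the commit message cites for TLSv1.3 support) the new default would fail where the old "TLSv1.2,TLSv1.1,TLSv1" did not. The code that applies this constant is outside the hunk, so I can't tell whether it intersects the list with getSupportedProtocols() first; if it does not, that is worth either a filter or a documented minimum JDK. At minimum add a comment on the constant: `// TLSv1.3 needs JDK 8u261+/11+; setEnabledProtocols throws IllegalArgumentException for unsupported names`.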
 
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/SSLContextValidatorEngine.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/SSLContextValidatorEngine.java
index 7c2f518..d42ba21 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/SSLContextValidatorEngine.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/keystoretls/SSLContextValidatorEngine.java
@@ -20,6 +20,7 @@ package org.apache.pulsar.common.util.keystoretls;
 
 import static javax.net.ssl.SSLEngineResult.HandshakeStatus.FINISHED;
 import java.nio.ByteBuffer;
+import java.util.Arrays;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLException;
@@ -42,9 +43,16 @@ public class SSLContextValidatorEngine {
     private ByteBuffer netBuffer;
     private boolean finished = false;
 
+    /**
+     * Validates TLS handshake up to TLSv1.2.
+     * TLSv1.3 has a differences in TLS handshake as described in https://stackoverflow.com/a/62465859
+     */
     public static void validate(SSLEngineProvider clientSslEngineSupplier, SSLEngineProvider serverSslEngineSupplier)
             throws SSLException {
         SSLContextValidatorEngine clientEngine = new SSLContextValidatorEngine(clientSslEngineSupplier);
+        if (Arrays.stream(clientEngine.sslEngine.getEnabledProtocols()).anyMatch(s -> s.equals("TLSv1.3"))) {
+            throw new IllegalStateException("This validator doesn't support TLSv1.3");
+        }
         SSLContextValidatorEngine serverEngine = new SSLContextValidatorEngine(serverSslEngineSupplier);
         try {
             clientEngine.beginHandshake();
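Review bot: The new guard only inspects the client engine's enabled protocols, so a client restricted to TLSv1.2 talking to a server engine that enables TLSv1.3 passes the check, which is fine for negotiation but means the Javadoc claim "Validates TLS handshake up to TLSv1.2" rests on the client side alone — a short comment saying so would help the next reader. The stream-plus-lambda form can be simplified to `if (Arrays.asList(clientEngine.sslEngine.getEnabledProtocols()).contains("TLSv1.3")) {`, which also keeps the new java.util.Arrays import doing real work. The Javadoc has a typo: `TLSv1.3 has differences in the TLS handshake as described in https://stackoverflow.com/a/62465859`. Since the project default now includes TLSv1.3, any production caller of validate() would hit this IllegalStateException; validate's callers and the rest of its body are outside the hunk, so confirm it is only reached from tests.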
diff --git a/pulsar-discovery-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java b/pulsar-discovery-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java
index 57e18fa..824443d 100644
--- a/pulsar-discovery-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java
+++ b/pulsar-discovery-service/src/main/java/org/apache/pulsar/discovery/service/server/ServiceConfig.java
@@ -94,7 +94,7 @@ public class ServiceConfig implements PulsarConfiguration {
     // Accept untrusted TLS certificate from client
     private boolean tlsAllowInsecureConnection = false;
     // Specify the tls protocols the broker will use to negotiate during TLS Handshake.
-    // Example:- [TLSv1.2, TLSv1.1, TLSv1]
+    // Example:- [TLSv1.3, TLSv1.2]
     private Set<String> tlsProtocols = Sets.newTreeSet();
     // Specify the tls cipher the broker will use to negotiate during TLS Handshake.
     // Example:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java
index 983cb78..1722632 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java
@@ -344,7 +344,7 @@ public class ProxyConfiguration implements PulsarConfiguration {
         category = CATEGORY_TLS,
         doc = "Specify the tls protocols the broker will use to negotiate during TLS handshake"
             + " (a comma-separated list of protocol names).\n\n"
-            + "Examples:- [TLSv1.2, TLSv1.1, TLSv1]"
+            + "Examples:- [TLSv1.3, TLSv1.2]"
     )
     private Set<String> tlsProtocols = Sets.newTreeSet();
     @FieldContext(
@@ -454,7 +454,7 @@ public class ProxyConfiguration implements PulsarConfiguration {
             category = CATEGORY_KEYSTORE_TLS,
             doc = "Specify the tls protocols the broker will use to negotiate during TLS handshake"
                   + " (a comma-separated list of protocol names).\n\n"
-                  + "Examples:- [TLSv1.2, TLSv1.1, TLSv1] \n"
+                  + "Examples:- [TLSv1.3, TLSv1.2] \n"
                   + " used by the Pulsar proxy to authenticate with Pulsar brokers"
     )
     private Set<String> brokerClientTlsProtocols = Sets.newTreeSet();
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
index d3c1fe5..2ce8930 100644
--- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
+++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
@@ -93,9 +93,8 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         // Test explicitly specifying protocols defaults
         Set<String> ciphers_2 = Sets.newTreeSet();
         Set<String> protocols_2 = Sets.newTreeSet();
+        protocols_2.add("TLSv1.3");
         protocols_2.add("TLSv1.2");
-        protocols_2.add("TLSv1.1");
-        protocols_2.add("TLSv1");
 
         // Test for invalid ciphers
         Set<String> ciphers_3 = Sets.newTreeSet();
diff --git a/site2/docs/reference-configuration.md b/site2/docs/reference-configuration.md
index eee2313..da226ae 100644
--- a/site2/docs/reference-configuration.md
+++ b/site2/docs/reference-configuration.md
@@ -203,7 +203,7 @@ brokerServiceCompactionThresholdInBytes|If the estimated backlog size is greater
 |tlsKeyFilePath|  Path for the TLS private key file ||
 |tlsTrustCertsFilePath| Path for the trusted TLS certificate file. This cert is used to verify that any certs presented by connecting clients are signed by a certificate authority. If this verification fails, then the certs are untrusted and the connections are dropped. ||
 |tlsAllowInsecureConnection| Accept untrusted TLS certificate from client. If it is set to `true`, a client with a cert which cannot be verified with the 'tlsTrustCertsFilePath' cert will be allowed to connect to the server, though the cert will not be used for client authentication. |false|
-|tlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLSv1.2```, ```TLSv1.1```, ```TLSv1``` ||
+|tlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLSv1.3```, ```TLSv1.2``` ||
 |tlsCiphers|Specify the tls cipher the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256```||
 |tlsEnabledWithKeyStore| Enable TLS with KeyStore type configuration in broker |false|
 |tlsProvider| TLS Provider for KeyStore type ||
@@ -216,7 +216,7 @@ brokerServiceCompactionThresholdInBytes|If the estimated backlog size is greater
 |brokerClientTlsTrustStore| TLS TrustStore path for internal client, used by the internal client to authenticate with Pulsar brokers ||
 |brokerClientTlsTrustStorePassword| TLS TrustStore password for internal client, used by the internal client to authenticate with Pulsar brokers ||
 |brokerClientTlsCiphers| Specify the tls cipher the internal client will use to negotiate during TLS Handshake. (a comma-separated list of ciphers) e.g.  [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]||
-|brokerClientTlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS handshake. (a comma-separated list of protocol names). e.g.  [TLSv1.2, TLSv1.1, TLSv1] ||
+|brokerClientTlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS handshake. (a comma-separated list of protocol names). e.g.  `TLSv1.3`, `TLSv1.2` ||
 |ttlDurationDefaultInSeconds|The default Time to Live (TTL) for namespaces if the TTL is not configured at namespace policies. When the value is set to `0`, TTL is disabled. By default, TTL is disabled. |0|
 |tokenSecretKey| Configure the secret key to be used to validate auth tokens. The key can be specified like: `tokenSecretKey=data:;base64,xxxxxxxxx` or `tokenSecretKey=file:///my/secret.key`.  Note: key file must be DER-encoded.||
 |tokenPublicKey| Configure the public key to be used to validate auth tokens. The key can be specified like: `tokenPublicKey=data:;base64,xxxxxxxxx` or `tokenPublicKey=file:///my/secret.key`.  Note: key file must be DER-encoded.||
@@ -741,7 +741,7 @@ The [Pulsar proxy](concepts-architecture-overview.md#pulsar-proxy) can be config
 |tlsTrustCertsFilePath| Path for the trusted TLS certificate pem file ||
 |tlsHostnameVerificationEnabled|  Whether the hostname is validated when the proxy creates a TLS connection with brokers  |false|
 |tlsRequireTrustedClientCertOnConnect|  Whether client certificates are required for TLS. Connections are rejected if the client certificate isn’t trusted. |false|
-|tlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLSv1.2```, ```TLSv1.1```, ```TLSv1``` ||
+|tlsProtocols|Specify the tls protocols the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLSv1.3```, ```TLSv1.2``` ||
 |tlsCiphers|Specify the tls cipher the broker will use to negotiate during TLS Handshake. Multiple values can be specified, separated by commas. Example:- ```TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256```||
 | httpReverseProxyConfigs | HTTP directs to redirect to non-pulsar services | |
 | httpOutputBufferSize | HTTP output buffer size. The amount of data that will be buffered for HTTP requests before it is flushed to the channel. A larger buffer size may result in higher HTTP throughput though it may take longer for the client to see data. If using HTTP streaming via the reverse proxy, this should be set to the minimum value (1) so that clients see the data as soon as possible. | 32768 |
diff --git a/site2/docs/security-tls-keystore.md b/site2/docs/security-tls-keystore.md
index f4ddbe0..4f432aa 100644
--- a/site2/docs/security-tls-keystore.md
+++ b/site2/docs/security-tls-keystore.md
@@ -139,7 +139,7 @@ Optional settings that may worth consider:
     algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default,
     it is null. [OpenSSL Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html)
     [JDK Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites)
-3. tlsProtocols=[TLSv1.2,TLSv1.1,TLSv1] (list out the TLS protocols that you are going to accept from clients).
+3. tlsProtocols=[TLSv1.3,TLSv1.2] (list out the TLS protocols that you are going to accept from clients).
     By default, it is not set.
 
 ### Configuring Clients
diff --git a/site2/docs/security-tls-transport.md b/site2/docs/security-tls-transport.md
index 35be180..0aa4617 100644
--- a/site2/docs/security-tls-transport.md
+++ b/site2/docs/security-tls-transport.md
@@ -137,15 +137,15 @@ You can configure the broker (and proxy) to require specific TLS protocol versio
 Both the TLS protocol versions and cipher properties can take multiple values, separated by commas. The possible values for protocol version and ciphers depend on the TLS provider that you are using. Pulsar uses OpenSSL if the OpenSSL is available, but if the OpenSSL is not available, Pulsar defaults back to the JDK implementation.
 
 ```properties
-tlsProtocols=TLSv1.2,TLSv1.1
+tlsProtocols=TLSv1.3,TLSv1.2
 tlsCiphers=TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_CBC_SHA
 ```
 
-OpenSSL currently supports ```SSL2```, ```SSL3```, ```TLSv1```, ```TLSv1.1``` and ```TLSv1.2``` for the protocol version. You can acquire a list of supported cipher from the openssl ciphers command, i.e. ```openssl ciphers -tls_v2```.
+OpenSSL currently supports ```TLSv1.1```, ```TLSv1.2``` and ```TLSv1.3``` for the protocol version. You can acquire a list of supported cipher from the openssl ciphers command, i.e. ```openssl ciphers -tls1_3```.
 
-For JDK 8, you can obtain a list of supported values from the documentation:
-- [TLS protocol](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext)
-- [Ciphers](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites)
+For JDK 11, you can obtain a list of supported values from the documentation:
+- [TLS protocol](https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__SUNJSSEPROVIDERPROTOCOLPARAMETERS-BBF75009)
+- [Ciphers](https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__SUNJSSE_CIPHER_SUITES)
 
 ## Proxy Configuration