Posted to commits@servicecomb.apache.org by li...@apache.org on 2022/11/01 09:38:52 UTC
[servicecomb-java-chassis] branch master updated: [SCB-2709]support TLS 1.3 (#3446)
This is an automated email from the ASF dual-hosted git repository.
liubao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-java-chassis.git
The following commit(s) were added to refs/heads/master by this push:
new fafe575d3 [SCB-2709]support TLS 1.3 (#3446)
fafe575d3 is described below
commit fafe575d3cde088bcdc162a49ae8f7db9270ab33
Author: liubao68 <bi...@qq.com>
AuthorDate: Tue Nov 1 17:38:47 2022 +0800
[SCB-2709]support TLS 1.3 (#3446)
---
.../springmvc-client/src/main/resources/microservice.yaml | 3 +++
.../springmvc-server/src/main/resources/microservice.yaml | 3 +++
.../org/apache/servicecomb/foundation/ssl/SSLManager.java | 12 +++++++++---
.../apache/servicecomb/foundation/ssl/SSLManagerTest.java | 15 +++++++++------
.../apache/servicecomb/foundation/ssl/SSLOptionTest.java | 4 ++--
.../src/test/resources/client.ssl.properties | 4 ++--
.../src/test/resources/server.ssl.properties | 4 ++--
.../servicecomb/foundation/vertx/VertxTLSBuilder.java | 2 +-
8 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml b/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
index 7c18a5aa3..d123e21f2 100644
--- a/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
+++ b/demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
@@ -145,6 +145,9 @@ cse:
- rest://localhost:8080?sslEnabled=false&urlPrefix=%2Fapi
#########SSL options
+# open jdk 8 now TLSv1.3 not available
+# ssl.protocols: TLSv1.3
+# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: false
diff --git a/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml b/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
index bf81a5490..5c76a8abd 100644
--- a/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
+++ b/demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
@@ -87,6 +87,9 @@ servicecomb:
availableZone: my-Zone
codec.printErrorMessage: true
#########SSL options
+# open jdk 8 now TLSv1.3 not available
+# ssl.protocols: TLSv1.3
+# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: true
diff --git a/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java b/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
index 82c28f724..aeb54ffab 100644
--- a/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
+++ b/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
@@ -34,6 +34,8 @@ import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
+import org.apache.commons.lang.StringUtils;
+
/**
* 根据传递的SSLOption构造SSL上下文。请参考JSSE获取相关API的层次参考。
*
@@ -214,10 +216,14 @@ public final class SSLManager {
return r;
}
- public static String[] getEnabledCiphers(String enabledCiphers) {
+ public static String[] getEnabledCiphers(SSLOption sslOption) {
SSLOption option = new SSLOption();
- option.setProtocols("TLSv1.2");
- option.setCiphers(enabledCiphers);
+ if (StringUtils.isNotEmpty(sslOption.getProtocols())) {
+ option.setProtocols(sslOption.getProtocols());
+ } else {
+ option.setProtocols("TLSv1.2");
+ }
+ option.setCiphers(sslOption.getCiphers());
SSLCustom custom = SSLCustom.defaultSSLCustom();
SSLSocket socket = createSSLSocket(option, custom);
return socket.getEnabledCipherSuites();
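Review bot: The new `if (StringUtils.isNotEmpty(sslOption.getProtocols()))` line dereferences `sslOption` without a guard, so a null argument now fails with a bare NullPointerException inside the probe instead of a message naming the parameter; `Objects.requireNonNull(sslOption, "sslOption");` as the first statement (with `java.util.Objects` imported) would make the contract explicit. The added `org.apache.commons.lang.StringUtils` import is the commons-lang 2 package, while every other import visible in this file's hunk is a JDK type; if the module does not already depend on it, `sslOption.getProtocols() != null && !sslOption.getProtocols().isEmpty()` gives the same check with no new dependency. The silent fall-back to `TLSv1.2` deserves a why-comment, e.g. `// no protocol configured: probe with TLSv1.2, matching the previous hard-coded behaviour`, since it means the probe may not reflect what the caller later negotiates with. The method's closing brace is outside the hunk.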
diff --git a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
index 87eee1aac..71758fa3c 100644
--- a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
+++ b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
@@ -34,12 +34,12 @@ import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.junit.Test;
+import org.junit.jupiter.api.Assertions;
import mockit.Expectations;
import mockit.Mock;
import mockit.MockUp;
import mockit.Mocked;
-import org.junit.jupiter.api.Assertions;
public class SSLManagerTest {
private final String DIR = Thread.currentThread().getContextClassLoader().getResource("").getPath();
@@ -122,12 +122,12 @@ public class SSLManagerTest {
serverSocket.bind(new InetSocketAddress("127.0.0.1", 8886));
String[] protos = serverSocket.getEnabledCipherSuites();
String[] protosExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(protos, protosExpected);
String[] ciphers = serverSocket.getEnabledCipherSuites();
String[] ciphersExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(ciphers, ciphersExpected);
Assertions.assertTrue(serverSocket.getNeedClientAuth());
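Review bot: The new expected arrays at lines 100 and 106 hard-code the TLS 1.3 suites `TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384` in front of the TLS 1.2 list, so the assertions now depend on the running JDK supporting TLS 1.3 — which the demo yaml comment in this same commit says OpenJDK 8 may not; on such a JDK the socket reports only the 1.2 suites and the test fails for environmental rather than functional reasons. Consider skipping with `Assume.assumeTrue(Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols()).contains("TLSv1.3"));` before these asserts, or deriving the expectation from the socket's supported suites. The same applies to the client-side arrays at lines 115 and 121 in the following hunk. The enclosing test method starts and ends outside the hunk.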
@@ -136,12 +136,12 @@ public class SSLManagerTest {
SSLSocket clientsocket = SSLManager.createSSLSocket(clientoption, custom);
String[] clientprotos = clientsocket.getEnabledCipherSuites();
String[] clientprotosExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(clientprotos, clientprotosExpected);
String[] clientciphers = clientsocket.getEnabledCipherSuites();
String[] clientciphersExpected =
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(clientciphers, clientciphersExpected);
Assertions.assertFalse(clientsocket.getNeedClientAuth());
@@ -460,7 +460,10 @@ public class SSLManagerTest {
@Test
public void testGetSupportedCiphers() {
- String[] ciphers = SSLManager.getEnabledCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
+ SSLOption option = new SSLOption();
+ option.setCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
+ option.setProtocols("TLSv1.2");
+ String[] ciphers = SSLManager.getEnabledCiphers(option);
Assertions.assertEquals(ciphers[0], "TLS_RSA_WITH_AES_128_GCM_SHA256");
}
}
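Review bot: The rewritten `testGetSupportedCiphers` sets `TLSv1.2` explicitly, so the new fallback branch in `SSLManager.getEnabledCiphers` (empty protocols → `TLSv1.2`) is left without coverage. Assuming a freshly constructed `SSLOption` has no protocols set, a second case such as `SSLOption noProto = new SSLOption(); noProto.setCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");` followed by `Assertions.assertEquals("TLS_RSA_WITH_AES_128_GCM_SHA256", SSLManager.getEnabledCiphers(noProto)[0]);` would pin that path, and also puts the expected value first as `assertEquals` intends.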
diff --git a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
index 31334409e..67ae38284 100644
--- a/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
+++ b/foundations/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
@@ -59,12 +59,12 @@ public class SSLOptionTest {
String protocols = option.getProtocols();
option.setProtocols(protocols);
- Assertions.assertEquals("TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);
+ Assertions.assertEquals("TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);
String ciphers = option.getCiphers();
option.setCiphers(ciphers);
Assertions.assertEquals(
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
+ "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
+
"A,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
ciphers);
diff --git a/foundations/foundation-ssl/src/test/resources/client.ssl.properties b/foundations/foundation-ssl/src/test/resources/client.ssl.properties
index 82209e75c..4d25cd495 100644
--- a/foundations/foundation-ssl/src/test/resources/client.ssl.properties
+++ b/foundations/foundation-ssl/src/test/resources/client.ssl.properties
@@ -16,8 +16,8 @@
#
#########SSL options
-ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
-ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
+ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.authPeer=true
ssl.checkCN.host=false
ssl.checkCN.white=true
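Review bot: The updated `ssl.protocols` line adds `TLSv1.3` but still lists `TLSv1.1`, `TLSv1` and `SSLv2Hello`, and `ssl.ciphers` keeps the CBC suites alongside the new AEAD ones; since SSLManagerTest appears to assert exactly these values on a live socket, this fixture effectively doubles as the project's reference TLS configuration. If it exists only to exercise option parsing, a comment above the line would keep it from being copied into deployments, e.g. `# test fixture only: legacy protocols retained to exercise parsing, not a recommended configuration`. The same applies to server.ssl.properties at lines 176–177.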
diff --git a/foundations/foundation-ssl/src/test/resources/server.ssl.properties b/foundations/foundation-ssl/src/test/resources/server.ssl.properties
index 7adfb36bd..aec677c23 100644
--- a/foundations/foundation-ssl/src/test/resources/server.ssl.properties
+++ b/foundations/foundation-ssl/src/test/resources/server.ssl.properties
@@ -16,8 +16,8 @@
#
#########SSL options
-ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
-ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
+ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
+ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.authPeer=true
ssl.checkCN.host=true
ssl.checkCN.white=true
diff --git a/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java b/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
index 8fa1e89c1..fae651c45 100644
--- a/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
+++ b/foundations/foundation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
@@ -154,7 +154,7 @@ public final class VertxTLSBuilder {
tcpClientOptions
.setEnabledSecureTransportProtocols(new HashSet<>(Arrays.asList(sslOption.getProtocols().split(","))));
- for (String cipher : SSLManager.getEnabledCiphers(sslOption.getCiphers())) {
+ for (String cipher : SSLManager.getEnabledCiphers(sslOption)) {
tcpClientOptions.addEnabledCipherSuite(cipher);
}
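Review bot: The protocol set handed to Vert.x on the line above the change still comes from `sslOption.getProtocols().split(",")` with no null or empty handling, while the new `SSLManager.getEnabledCiphers(sslOption)` call falls back to `TLSv1.2` when protocols are empty; with protocols unset, the cipher probe runs against TLSv1.2 but Vert.x receives either an NPE or a set containing the empty string, so the two calls no longer describe the same configuration. Resolving the effective protocol string once in this method and using it for both `setEnabledSecureTransportProtocols` and the cipher probe, or having `getEnabledCiphers` reject a missing protocol list instead of defaulting, would close that gap. The enclosing method starts and ends outside the hunk.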