Posted to commits@lucene.apache.org by da...@apache.org on 2019/06/18 11:50:00 UTC
[lucene-solr] branch master updated: SOLR-12988: Avoid using
TLSv1.3 for HttpClient
This is an automated email from the ASF dual-hosted git repository.
datcm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/master by this push:
new c838289 SOLR-12988: Avoid using TLSv1.3 for HttpClient
c838289 is described below
commit c8382890aef864fa56990158c9a6aab377dbdd9b
Author: Cao Manh Dat <da...@apache.org>
AuthorDate: Tue Jun 18 12:49:51 2019 +0100
SOLR-12988: Avoid using TLSv1.3 for HttpClient
---
solr/CHANGES.txt | 2 ++
.../solr/cloud/TestMiniSolrCloudClusterSSL.java | 2 --
.../apache/solr/cloud/TestSSLRandomization.java | 2 --
.../solr/client/solrj/impl/HttpClientUtil.java | 34 ++++++++++++++++++++--
.../solr/client/solrj/impl/HttpClientUtilTest.java | 11 +++++++
.../java/org/apache/solr/util/SSLTestConfig.java | 15 ++++------
6 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index b3440db..480bc45 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -167,6 +167,8 @@ Bug Fixes
CloudSolrClient to be triggered on liveNode changes. Also add Predicate<DocCollection> equivilents
for callers that don't care about liveNodes. (hossman)
+* SOLR-12988: Avoid using TLSv1.3 for HttpClient (Cao Manh Dat)
+
Other Changes
----------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
index 29bdfae..b659a1f 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
@@ -85,8 +85,6 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
@Before
public void before() {
- assumeFalse("@AwaitsFix: SOLR-12988 - ssl issues on Java 11/12", Constants.JRE_IS_MINIMUM_JAVA11);
-
// undo the randomization of our super class
log.info("NOTE: This Test ignores the randomized SSL & clientAuth settings selected by base class");
HttpClientUtil.resetHttpClientBuilder(); // also resets SchemaRegistryProvider
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java b/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java
index 1241189..e846f73 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestSSLRandomization.java
@@ -19,7 +19,6 @@ package org.apache.solr.cloud;
import java.lang.invoke.MethodHandles;
import java.util.Arrays;
-import org.apache.lucene.util.Constants;
import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.util.SSLTestConfig;
import org.apache.solr.util.RandomizeSSL;
@@ -44,7 +43,6 @@ public class TestSSLRandomization extends SolrCloudTestCase {
@BeforeClass
public static void createMiniSolrCloudCluster() throws Exception {
- assumeFalse("@AwaitsFix: SOLR-12988 - ssl issues on Java 11/12", Constants.JRE_IS_MINIMUM_JAVA11);
configureCluster(TestMiniSolrCloudClusterSSL.NUM_SERVERS).configure();
}
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java
index 21177af..0c501bd 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpClientUtil.java
@@ -20,6 +20,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.InvocationTargetException;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CopyOnWriteArrayList;
@@ -59,6 +61,7 @@ import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestExecutor;
import org.apache.http.ssl.SSLContexts;
+import org.apache.http.util.TextUtils;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.common.util.ObjectReleaseTracker;
@@ -75,7 +78,8 @@ import org.slf4j.LoggerFactory;
public class HttpClientUtil {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
-
+
+ public static final String[] SUPPORTED_SSL_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "TLSv1", "DTLSv1.2", "DTLSv1.0"};
public static final int DEFAULT_CONNECT_TIMEOUT = 60000;
public static final int DEFAULT_SO_TIMEOUT = 600000;
public static final int DEFAULT_MAXCONNECTIONSPERHOST = 100000;
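Review bot: `SUPPORTED_SSL_PROTOCOLS` on the added line is a public mutable array, so any code holding a reference can rewrite its entries (re-adding "TLSv1.3" or an older protocol) for every client built afterwards, and `getSupportedSSLProtocols()` in the later hunk of this file hands that same array out unchanged when `https.protocols` is unset. Keep the array private (or hold it as `Collections.unmodifiableList(Arrays.asList(...))`), return a copy from the getter with `return SUPPORTED_SSL_PROTOCOLS.clone();`, and give SSLTestConfig — which reads the field directly in the last hunk of this commit — a public accessor that copies. The "DTLSv1.2" and "DTLSv1.0" entries are datagram protocols and presumably have no effect on the stream sockets `SSLConnectionSocketFactory` creates, so either drop them or say in a comment why they are listed. A comment recording why TLSv1.3 is excluded and when to revisit, `// TLSv1.3 deliberately excluded, see SOLR-12988; revisit once the underlying HttpClient/JDK issue is fixed`, would keep this protocol downgrade from outliving the bug it works around.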
@@ -233,7 +237,9 @@ public class HttpClientUtil {
boolean sslCheckPeerName = toBooleanDefaultIfNull(
toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
if (sslCheckPeerName) {
- sslConnectionSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory();
+ String[] cipherSuites = split(System.getProperty("https.cipherSuites"));
+ sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(),
+ getSupportedSSLProtocols(), cipherSuites, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
} else {
sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(),
NoopHostnameVerifier.INSTANCE);
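Review bot: The `else` branch (peer-name checking disabled via `SYS_PROP_CHECK_PEER_NAME`) still builds its `SSLConnectionSocketFactory` from `SSLContexts.createSystemDefault()` with the JVM's default protocol list, so on that path the client can still negotiate TLSv1.3, which is exactly what this commit sets out to avoid, and `https.cipherSuites` is ignored there too. Compute `cipherSuites` before the `if` and pass the same arrays on both paths: `sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(), getSupportedSSLProtocols(), cipherSuites, NoopHostnameVerifier.INSTANCE);`. The same asymmetry exists in SSLTestConfig's `checkPeerName == false` branch in the last hunk of this commit, which also leaves the `NoopHostnameVerifier` factory on default protocols. The enclosing method begins and continues outside this hunk.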
@@ -244,6 +250,30 @@ public class HttpClientUtil {
return builder.build();
}
}
+
+ static String[] getSupportedSSLProtocols() {
+ String[] protocols = split(System.getProperty("https.protocols"));
+ if (protocols == null) {
+ return SUPPORTED_SSL_PROTOCOLS;
+ }
+ List<String> list = new ArrayList<>(Arrays.asList(protocols));
+ list.remove("TLSv1.3");
+ if (protocols.length == list.size())
+ return protocols;
+
+ if (list.isEmpty()) {
+ throw new IllegalArgumentException("TLSv1.3 is not supported yet!");
+ }
+
+ return list.toArray(new String[0]);
+ }
+
+ private static String[] split(final String s) {
+ if (TextUtils.isBlank(s)) {
+ return null;
+ }
+ return s.split(" *, *");
+ }
/**
* Creates new http client by using the provided configuration.
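Review bot: The TLSv1.3 filter in `getSupportedSSLProtocols()` is an exact `List.remove`, which drops only the first occurrence and misses an entry that differs by surrounding whitespace, because `split`'s `" *, *"` pattern never strips the leading or trailing whitespace of the whole property value (a value of `"TLSv1.2, TLSv1.3 "` keeps `"TLSv1.3 "` and passes it on to the socket factory). Trim before splitting and filter with a predicate: `return s.trim().split(" *, *");` in `split` and `list.removeIf("TLSv1.3"::equals);` in the getter. The single-statement `if (protocols.length == list.size())` return is the only unbraced `if` in the hunk and would be clearer braced like its neighbours. A short Javadoc on `getSupportedSSLProtocols` naming the `https.protocols` property it reads, the fallback to `SUPPORTED_SSL_PROTOCOLS`, and the `IllegalArgumentException` thrown when the property lists only TLSv1.3 would document the contract the new test relies on.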
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
index 381e202..b5c5e3b 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
@@ -67,6 +67,17 @@ public class HttpClientUtilTest extends SolrTestCase {
assertSSLHostnameVerifier(NoopHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
}
+ public void testSSLConfig() {
+ assertArrayEquals(HttpClientUtil.SUPPORTED_SSL_PROTOCOLS, HttpClientUtil.getSupportedSSLProtocols());
+ System.setProperty("https.protocols", "TLSv1.1,TLSv1.2");
+ assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols());
+ System.setProperty("https.protocols", "TLSv1.1,TLSv1.2,TLSv1.3");
+ assertArrayEquals(new String[]{"TLSv1.1","TLSv1.2"}, HttpClientUtil.getSupportedSSLProtocols());
+ System.setProperty("https.protocols", "TLSv1.3");
+ expectThrows(IllegalArgumentException.class, HttpClientUtil::getSupportedSSLProtocols);
+ System.clearProperty("https.protocols");
+ }
+
private void assertSSLHostnameVerifier(Class<? extends HostnameVerifier> expected,
SchemaRegistryProvider provider) {
ConnectionSocketFactory socketFactory = provider.getSchemaRegistry().lookup("https");
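Review bot: `testSSLConfig` sets the JVM-wide `https.protocols` property and only clears it on its last line, so a failing assertion or an `expectThrows` that does not throw leaves `"TLSv1.3"` (or an earlier value) set for every later test in the same JVM and silently changes what the other SSL tests exercise. Wrap the body in `try { ... } finally { System.clearProperty("https.protocols"); }`. The first assertion also assumes the property is unset when the test starts; saving `System.getProperty("https.protocols")` up front and restoring it in the same `finally` would make that assumption explicit.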
diff --git a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
index 48438d6..1f7b3d0 100644
--- a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
+++ b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
@@ -16,6 +16,7 @@
*/
package org.apache.solr.util;
+import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
@@ -25,8 +26,6 @@ import java.security.SecureRandomSpi;
import java.security.UnrecoverableKeyException;
import java.util.Random;
-import javax.net.ssl.SSLContext;
-
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
@@ -39,7 +38,6 @@ import org.apache.http.ssl.SSLContexts;
import org.apache.solr.client.solrj.embedded.SSLConfig;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
-import org.apache.solr.client.solrj.util.Constants;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.security.CertificateUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;
@@ -101,12 +99,7 @@ public class SSLTestConfig {
* @see HttpClientUtil#SYS_PROP_CHECK_PEER_NAME
*/
public SSLTestConfig(boolean useSSL, boolean clientAuth, boolean checkPeerName) {
- // @AwaitsFix: SOLR-12988 - ssl issues on Java 11/12
- if (Constants.JRE_IS_MINIMUM_JAVA11) {
- this.useSsl = false;
- } else {
- this.useSsl = useSSL;
- }
+ this.useSsl = useSSL;
this.clientAuth = clientAuth;
this.checkPeerName = checkPeerName;
@@ -260,7 +253,9 @@ public class SSLTestConfig {
if (checkPeerName == false) {
sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
} else {
- sslConnectionFactory = new SSLConnectionSocketFactory(sslContext);
+ sslConnectionFactory = new SSLConnectionSocketFactory(sslContext,
+ HttpClientUtil.SUPPORTED_SSL_PROTOCOLS,
+ null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
}
} catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
throw new IllegalStateException("Unable to setup https scheme for HTTPClient to test SSL.", e);