Posted to commits@ranger.apache.org by sp...@apache.org on 2021/01/28 21:08:28 UTC
[ranger] branch ranger-2.2 updated: RANGER-3153: Updated TLS
version to 1.2 for ranger
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 52a0f3d RANGER-3153: Updated TLS version to 1.2 for ranger
52a0f3d is described below
commit 52a0f3ddaee7bd8f7b7d6d6dd355a60c082a8e0b
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Thu Jan 28 13:05:28 2021 -0800
RANGER-3153: Updated TLS version to 1.2 for ranger
---
.../main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java | 6 +++---
.../src/main/resources/conf.dist/ranger-admin-default-site.xml | 4 ++--
.../apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java | 2 +-
unixauthservice/conf.dist/ranger-ugsync-default.xml | 2 +-
.../org/apache/ranger/authentication/UnixAuthenticationService.java | 4 ++--
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 757461d..8edcbbb 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -77,7 +77,7 @@ public class EmbeddedServer {
private static final String KMS_SERVER_NAME = "rangerkms";
public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT = KeyStore.getDefaultType();
public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT = KeyStore.getDefaultType();
- public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS";
+ public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2";
public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = KeyManagerFactory.getDefaultAlgorithm();
public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = TrustManagerFactory.getDefaultAlgorithm();
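Review bot: `RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2"` names the SSLContext protocol, and in JSSE that value is the highest version the context supports rather than the only one: sockets created from a `TLSv1.2` context can still negotiate TLSv1 and TLSv1.1 unless their enabled protocols are set explicitly or the JDK's `jdk.tls.disabledAlgorithms` has removed them. The same applies to `SSLContext.getInstance("TLSv1.2")` in CustomSSLSocketFactory and to `SSL_ALGORITHM` in UnixAuthenticationService; where this constant itself is consumed is outside the hunk. For the embedded Tomcat the floor comes from the `sslEnabledProtocols` attribute set in a later hunk of this file, so the gap matters most in CustomSSLSocketFactory, whose socket-creating methods are not in its hunk; calling `setEnabledProtocols(new String[] {"TLSv1.2"})` on each created `SSLSocket` there would make the restriction effective. A comment at the constant, `// Context version is a ceiling; the enabled-protocols list is what actually excludes TLSv1/TLSv1.1`, would keep the two knobs from being confused.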
@@ -151,7 +151,7 @@ public class EmbeddedServer {
ssl.setSecure(true);
ssl.setScheme("https");
ssl.setAttribute("SSLEnabled", "true");
- ssl.setAttribute("sslProtocol", EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", "TLS"));
+ ssl.setAttribute("sslProtocol", EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", "TLSv1.2"));
ssl.setAttribute("keystoreType", EmbeddedServerUtil.getConfig("ranger.keystore.file.type", RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
ssl.setAttribute("truststoreType", EmbeddedServerUtil.getConfig("ranger.truststore.file.type", RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT));
String clientAuth = EmbeddedServerUtil.getConfig("ranger.service.https.attrib.clientAuth", "false");
@@ -172,7 +172,7 @@ public class EmbeddedServer {
ssl.setAttribute("keystorePass", keystorePass);
ssl.setAttribute("keystoreFile", getKeystoreFile());
- String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
+ String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols = EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.enabled.protocols", defaultEnabledProtocols);
ssl.setAttribute("sslEnabledProtocols", enabledProtocols);
String ciphers = EmbeddedServerUtil.getConfig("ranger.tomcat.ciphers");
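Review bot: The new default `String defaultEnabledProtocols = "TLSv1.2";` is coupled to the `sslProtocol` default of `TLSv1.2` introduced in the previous hunk: because the context version caps what can be negotiated, an operator who later sets `ranger.service.https.attrib.ssl.enabled.protocols` to include `TLSv1.3` will not get it unless `ranger.service.https.attrib.ssl.protocol` is raised too (Tomcat's JSSE layer presumably drops enabled protocols the context does not support, which is worth confirming against the Tomcat version in use). Either keep the context at `TLS` and let the enabled list carry the restriction, or document the dependency at this line, e.g. `// Keep in sync with ranger.service.https.attrib.ssl.protocol: the context version caps what can be enabled here`. The method enclosing these lines starts and ends outside the hunk.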
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index fd957ca..8842071 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -288,7 +288,7 @@
<property>
<name>ranger.service.https.attrib.ssl.protocol</name>
- <value>TLS</value>
+ <value>TLSv1.2</value>
</property>
<property>
@@ -592,7 +592,7 @@
</property>
<property>
<name>ranger.service.https.attrib.ssl.enabled.protocols</name>
- <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+ <value>TLSv1.2</value>
</property>
<!-- Encryption -->
<property>
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
index e97c477..b361835 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
@@ -104,7 +104,7 @@ public class CustomSSLSocketFactory extends SSLSocketFactory{
}
}
- sslContext = SSLContext.getInstance("TLS");
+ sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmList, tmList, new SecureRandom());
sockFactory = sslContext.getSocketFactory();
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index 0f88aa3..9cedc99 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -27,7 +27,7 @@
</property>
<property>
<name>ranger.usersync.https.ssl.enabled.protocols</name>
- <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+ <value>TLSv1.2</value>
</property>
<property>
<name>ranger.usersync.passwordvalidator.path</name>
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 92eb229..6e401b8 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -58,7 +58,7 @@ public class UnixAuthenticationService {
private static final String serviceName = "UnixAuthenticationService";
- private static final String SSL_ALGORITHM = "TLS";
+ private static final String SSL_ALGORITHM = "TLSv1.2";
private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "ranger.usersync.port";
private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file";
@@ -237,7 +237,7 @@ public class UnixAuthenticationService {
String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM);
SSLEnabled = (SSLEnabledProp != null && (SSLEnabledProp.equalsIgnoreCase("true")));
- String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
+ String defaultEnabledProtocols = "TLSv1.2";
String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
enabledProtocolsList=new ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
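Review bot: The new default `String defaultEnabledProtocols = "TLSv1.2";` is uppercased by the existing `toUpperCase()` on the following line, so the list handed on is `TLSV1.2` rather than `TLSv1.2`; SunJSSE compares protocol names case-sensitively in `setEnabledProtocols` and rejects unknown names with `IllegalArgumentException`. Since the previous default was uppercased the same way and the service has presumably worked, the consumer of `enabledProtocolsList` (outside this hunk) most likely matches case-insensitively against `getSupportedProtocols()`, but that should be confirmed rather than assumed. If it does not, the fix is to drop the `toUpperCase()` here and compare with `equalsIgnoreCase` at the point of use. The enclosing method starts and ends outside the hunk.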
// LOG.info("Key:" + keyStorePath);