You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/01/24 09:08:00 UTC
[jira] [Work logged] (KNOX-2864) Make TLS protocol and cipher suites configurable with CM service discovery
[ https://issues.apache.org/jira/browse/KNOX-2864?focusedWorklogId=841323&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-841323 ]
ASF GitHub Bot logged work on KNOX-2864:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Jan/23 09:07
Start Date: 24/Jan/23 09:07
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #717:
URL: https://github.com/apache/knox/pull/717
## What changes were proposed in this pull request?
There are 2 changes in this PR:
- TLS cipher suites and protocols are now customizable in CM service discovery:
- end-users can define the TLS protocol(s) and cipher suite(s) to use while creating a secure connection to a CM instance
- if none is defined, Knox will pick up the relevant supported values from Java's own `java.security` thru the acquired SSL context.
- Added a new method to indicate the TLS protocols to be included when creating SSL context in the embedded Jetty server. Prior to this change, end-users could only tell what to exclude.
## How was this patch tested?
Unit testing and running service discovery in a secure cluster with updated SSL configs.
Issue Time Tracking
-------------------
Worklog Id: (was: 841323)
Remaining Estimate: 0h
Time Spent: 10m
> Make TLS protocol and cipher suites configurable with CM service discovery
> --------------------------------------------------------------------------
>
> Key: KNOX-2864
> URL: https://issues.apache.org/jira/browse/KNOX-2864
> Project: Apache Knox
> Issue Type: Improvement
> Components: cm-discovery, Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The goal of this Jira is to guarantee:
> * Knox picks up defaults in Java's {{java.security}} file in terms of disabled algorithms as well as TLS protocols and cipher suites
> * Also, we want these attributes to be configurable in the [DiscoveryApiClient|https://github.com/apache/knox/blob/master/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/DiscoveryApiClient.java] class using the already existing gateway-level config.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)