You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zookeeper.apache.org by an...@apache.org on 2019/01/25 13:37:50 UTC
[zookeeper] branch branch-3.5 updated: ZOOKEEPER-3229: [TLS] add
AES-256 ciphers to default cipher list
This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.5 by this push:
new 32f9411 ZOOKEEPER-3229: [TLS] add AES-256 ciphers to default cipher list
32f9411 is described below
commit 32f941104990d3668f8075d27ea96dbd089cead8
Author: Ilya Maykov <il...@fb.com>
AuthorDate: Fri Jan 25 14:37:30 2019 +0100
ZOOKEEPER-3229: [TLS] add AES-256 ciphers to default cipher list
- Add AES-256 cipher suites
- Add AES-128-...-SHA cipher suites (for compatibility with Netty OpenSSL transport)
- code cleanup: split up the suites into CBC and GCM ciphers and put them in different order when constructing java8 / java9 defaults.
Author: Ilya Maykov <il...@fb.com>
Reviewers: andor@apache.org
Closes #744 from ivmaykov/ZOOKEEPER-3229
(cherry picked from commit 3583bbf0f89861a20c23cb417a1fd93daf12a1e1)
Signed-off-by: Andor Molnar <an...@apache.org>
---
.../java/org/apache/zookeeper/common/X509Util.java | 40 +++++++++++++++++-----
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index 3ca787f..2e45ef2 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -83,18 +83,40 @@ public abstract class X509Util implements Closeable, AutoCloseable {
}
static final String DEFAULT_PROTOCOL = "TLSv1.2";
- private static final String[] DEFAULT_CIPHERS_JAVA8 = {
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- };
- private static final String[] DEFAULT_CIPHERS_JAVA9 = {
+ private static String[] getGCMCiphers() {
+ return new String[] {
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ };
+ }
+
+ private static String[] getCBCCiphers() {
+ return new String[] {
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
- };
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ };
+ }
+
+ private static String[] concatArrays(String[] left, String[] right) {
+ String[] result = new String[left.length + right.length];
+ System.arraycopy(left, 0, result, 0, left.length);
+ System.arraycopy(right, 0, result, left.length, right.length);
+ return result;
+ }
+
+ // On Java 8, prefer CBC ciphers since AES-NI support is lacking and GCM is slower than CBC.
+ private static final String[] DEFAULT_CIPHERS_JAVA8 = concatArrays(getCBCCiphers(), getGCMCiphers());
+ // On Java 9 and later, prefer GCM ciphers due to improved AES-NI support.
+ // Note that this performance assumption might not hold true for architectures other than x86_64.
+ private static final String[] DEFAULT_CIPHERS_JAVA9 = concatArrays(getGCMCiphers(), getCBCCiphers());
public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;