This is an automated email from the ASF dual-hosted git repository.
stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix-omid.git
The following commit(s) were added to refs/heads/master by this push:
new 20d14167 OMID-305 Support TLS 1.3 (#185)
20d14167 is described below
commit 20d14167a99d4e763582bc999c2012356373b4ff
Author: Istvan Toth <[email protected]>
AuthorDate: Tue Mar 25 06:28:58 2025 +0100
OMID-305 Support TLS 1.3 (#185)
Remove JVM version dependent default cipher logic
---
.../main/java/org/apache/omid/tls/X509Util.java | 61 +++-------------------
.../java/org/apache/omid/tls/TestX509Util.java | 49 -----------------
2 files changed, 6 insertions(+), 104 deletions(-)
diff --git a/common/src/main/java/org/apache/omid/tls/X509Util.java
b/common/src/main/java/org/apache/omid/tls/X509Util.java
index dffc2091..a6d2108c 100644
--- a/common/src/main/java/org/apache/omid/tls/X509Util.java
+++ b/common/src/main/java/org/apache/omid/tls/X509Util.java
@@ -20,11 +20,9 @@ package org.apache.omid.tls;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
-import org.apache.omid.tls.X509Exception;
import org.apache.omid.tls.X509Exception.KeyManagerException;
import org.apache.omid.tls.X509Exception.SSLContextException;
import org.apache.omid.tls.X509Exception.TrustManagerException;
-import org.apache.phoenix.thirdparty.com.google.common.collect.ObjectArrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -39,7 +37,6 @@ import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;
-import java.util.Objects;
/**
@@ -62,53 +59,10 @@ public final class X509Util {
public static final String DEFAULT_PROTOCOL = "TLSv1.2";
- private static String[] getGCMCiphers() {
- return new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" };
- }
-
- private static String[] getCBCCiphers() {
- return new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" };
- }
-
- // On Java 8, prefer CBC ciphers since AES-NI support is lacking and GCM
is slower than CBC.
- private static final String[] DEFAULT_CIPHERS_JAVA8 =
- ObjectArrays.concat(getCBCCiphers(), getGCMCiphers(),
String.class);
- // On Java 9 and later, prefer GCM ciphers due to improved AES-NI support.
- // Note that this performance assumption might not hold true for
architectures other than x86_64.
- private static final String[] DEFAULT_CIPHERS_JAVA9 =
- ObjectArrays.concat(getGCMCiphers(), getCBCCiphers(),
String.class);
-
private X509Util() {
// disabled
}
- static String[] getDefaultCipherSuites() {
- return
getDefaultCipherSuitesForJavaVersion(System.getProperty("java.specification.version"));
- }
-
- static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion) {
- Objects.requireNonNull(javaVersion);
- if (javaVersion.matches("\\d+")) {
- // Must be Java 9 or later
- LOG.debug("Using Java9+ optimized cipher suites for Java version
{}", javaVersion);
- return DEFAULT_CIPHERS_JAVA9;
- } else if (javaVersion.startsWith("1.")) {
- // Must be Java 1.8 or earlier
- LOG.debug("Using Java8 optimized cipher suites for Java version
{}", javaVersion);
- return DEFAULT_CIPHERS_JAVA8;
- } else {
- LOG.debug("Could not parse java version {}, using Java8 optimized
cipher suites",
- javaVersion);
- return DEFAULT_CIPHERS_JAVA8;
- }
- }
-
public static SslContext createSslContextForClient(String
keyStoreLocation, char[] keyStorePassword,
String keyStoreType,
String trustStoreLocation, char[] trustStorePassword, String trustStoreType,
boolean sslCrlEnabled,
boolean sslOcspEnabled, String enabledProtocols, String cipherSuites, String
tlsConfigProtocols)
@@ -132,7 +86,9 @@ public final class X509Util {
sslContextBuilder.enableOcsp(sslOcspEnabled);
sslContextBuilder.protocols(getEnabledProtocols(enabledProtocols,
tlsConfigProtocols));
-
sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(cipherSuites)));
+ if (cipherSuites != null && !cipherSuites.isEmpty()) {
+ sslContextBuilder.ciphers(Arrays.asList(cipherSuites.split(",")));
+ }
return sslContextBuilder.build();
}
@@ -161,7 +117,9 @@ public final class X509Util {
sslContextBuilder.enableOcsp(sslOcspEnabled);
sslContextBuilder.protocols(getEnabledProtocols(enabledProtocols,
tlsConfigProtocols));
-
sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(cipherSuites)));
+ if (cipherSuites != null && !cipherSuites.isEmpty()) {
+ sslContextBuilder.ciphers(Arrays.asList(cipherSuites.split(",")));
+ }
return sslContextBuilder.build();
}
@@ -276,11 +234,4 @@ public final class X509Util {
return enabledProtocolsInput.split(",");
}
- private static String[] getCipherSuites(String cipherSuitesInput) {
- if (cipherSuitesInput == null) {
- return getDefaultCipherSuites();
- } else {
- return cipherSuitesInput.split(",");
- }
- }
}
diff --git a/common/src/test/java/org/apache/omid/tls/TestX509Util.java
b/common/src/test/java/org/apache/omid/tls/TestX509Util.java
index 5bb56e1c..37ed93ce 100644
--- a/common/src/test/java/org/apache/omid/tls/TestX509Util.java
+++ b/common/src/test/java/org/apache/omid/tls/TestX509Util.java
@@ -21,8 +21,6 @@ package org.apache.omid.tls;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
-import org.apache.omid.tls.KeyStoreFileType;
-import org.apache.omid.tls.X509Exception;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -328,51 +326,4 @@ public class TestX509Util extends
BaseX509ParameterizedTestCase {
});
}
- @Test
- public void testGetDefaultCipherSuitesJava8() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- String[] cipherSuites =
X509Util.getDefaultCipherSuitesForJavaVersion("1.8");
- // Java 8 default should have the CBC suites first
- assertTrue(cipherSuites[0].contains("CBC"));
- }
-
- @Test
- public void testGetDefaultCipherSuitesJava9() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- String[] cipherSuites =
X509Util.getDefaultCipherSuitesForJavaVersion("9");
- // Java 9+ default should have the GCM suites first
- assertTrue(cipherSuites[0].contains("GCM"));
- }
-
- @Test
- public void testGetDefaultCipherSuitesJava10() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- String[] cipherSuites =
X509Util.getDefaultCipherSuitesForJavaVersion("10");
- // Java 9+ default should have the GCM suites first
- assertTrue(cipherSuites[0].contains("GCM"));
- }
-
- @Test
- public void testGetDefaultCipherSuitesJava11() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- String[] cipherSuites =
X509Util.getDefaultCipherSuitesForJavaVersion("11");
- // Java 9+ default should have the GCM suites first
- assertTrue(cipherSuites[0].contains("GCM"));
- }
-
- @Test
- public void testGetDefaultCipherSuitesUnknownVersion() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- String[] cipherSuites =
X509Util.getDefaultCipherSuitesForJavaVersion("notaversion");
- // If version can't be parsed, use the more conservative Java 8 default
- assertTrue(cipherSuites[0].contains("CBC"));
- }
-
- @Test
- public void testGetDefaultCipherSuitesNullVersion() throws Exception {
- init(caKeyType, certKeyType, keyPassword, paramIndex);
- assertThrows(NullPointerException.class, () -> {
- X509Util.getDefaultCipherSuitesForJavaVersion(null);
- });
- }
}