diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index 257d42b07a4..aba3b52dfc9 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml @@ -2974,6 +2974,7 @@ The supported SSL protocols. The parameter will only be used from DatanodeHttpServer. + Starting from Hadoop 3.3.0, TLSv1.3 is supported with Java 11 Runtime. diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java index 5cf32f388d9..cc76b4ad6d9 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java @@ -41,6 +41,7 @@ import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.ssl.KeyStoreTestUtil; import org.apache.hadoop.security.ssl.SSLFactory; import org.apache.hadoop.test.GenericTestUtils; +import org.apache.hadoop.util.Shell; import org.apache.hadoop.util.StringUtils; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -86,9 +87,11 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { + "SSL_RSA_EXPORT_WITH_RC4_40_MD5,\t \n" + "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA," + "SSL_RSA_WITH_RC4_128_MD5 \t"; - private static final String ONE_ENABLED_CIPHERS = EXCLUDED_CIPHERS + private static final String ONE_ENABLED_CIPHERS_TLS1_2 = EXCLUDED_CIPHERS + ",TLS_RSA_WITH_AES_128_CBC_SHA"; - private static final String EXCLUSIVE_ENABLED_CIPHERS + private static final String ONE_ENABLED_CIPHERS_TLS1_3 = EXCLUDED_CIPHERS + + ",TLS_AES_128_GCM_SHA256"; + private static final String EXCLUSIVE_ENABLED_CIPHERS_TLS1_2 = "\tTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \n" + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + "TLS_RSA_WITH_AES_128_CBC_SHA," @@ -96,8 +99,12 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\t\n " + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"; + private static final String EXCLUSIVE_ENABLED_CIPHERS_TLS1_3 = + EXCLUSIVE_ENABLED_CIPHERS_TLS1_2 + ",TLS_AES_128_GCM_SHA256"; - static final String INCLUDED_PROTOCOLS = "SSLv2Hello,TLSv1.1"; + + static final String INCLUDED_PROTOCOLS = "TLSv1.2"; + static final String INCLUDED_PROTOCOLS_JDK11 = "TLSv1.3,TLSv1.2"; @BeforeClass public static void setup() throws Exception { @@ -291,22 +298,41 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Test public void testIncludedProtocols() throws Exception { URL url = new URL(baseUrl, SERVLET_PATH_ECHO + "?a=b&c=d"); + + String includedProtocols = INCLUDED_PROTOCOLS; + if (Shell.isJavaVersionAtLeast(11)) { + includedProtocols = INCLUDED_PROTOCOLS_JDK11; + } HttpsURLConnection conn = getConnectionWithPreferredProtocolSSLSocketFactory(url, - INCLUDED_PROTOCOLS); + includedProtocols); assertFalse("included protocol list is empty", - INCLUDED_PROTOCOLS.isEmpty()); + includedProtocols.isEmpty()); readFromConnection(conn); + + PreferredProtocolSSLSocketFactory factory = + (PreferredProtocolSSLSocketFactory)conn.getSSLSocketFactory(); + + if (Shell.isJavaVersionAtLeast(11)) { + assertEquals("TLSv1.3", factory.getSocket().getSession().getProtocol()); + } else { + assertEquals("TLSv1.2", factory.getSocket().getSession().getProtocol()); + } } /** Test that verified that additionally included cipher - * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is only available cipher for working + * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (TLS 1.2) or + * TLS_AES_128_GCM_SHA256 (TLS 1.3) is only available cipher for working * TLS connection from client to server disabled for all other common ciphers. */ @Test public void testOneEnabledCiphers() throws Exception { - testEnabledCiphers(ONE_ENABLED_CIPHERS); + if (Shell.isJavaVersionAtLeast(11)) { + testEnabledCiphers(ONE_ENABLED_CIPHERS_TLS1_3); + } else { + testEnabledCiphers(ONE_ENABLED_CIPHERS_TLS1_2); + } } /** Test verifies that mutually exclusive server's disabled cipher suites and @@ -314,7 +340,11 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { */ @Test public void testExclusiveEnabledCiphers() throws Exception { - testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS); + if (Shell.isJavaVersionAtLeast(11)) { + testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS_TLS1_3); + } else { + testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS_TLS1_2); + } } private void testEnabledCiphers(String ciphers) throws @@ -405,6 +435,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { private class PreferredProtocolSSLSocketFactory extends SSLSocketFactory { private final SSLSocketFactory delegateSocketFactory; private final String[] enabledProtocols; + private SSLSocket sslSocket; PreferredProtocolSSLSocketFactory(SSLSocketFactory sslSocketFactory, String[] enabledProtocols) { @@ -416,6 +447,10 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { } } + public SSLSocket getSocket() { + return sslSocket; + } + @Override public String[] getDefaultCipherSuites() { return delegateSocketFactory.getDefaultCipherSuites(); @@ -429,7 +464,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Override public Socket createSocket(Socket socket, String string, int i, boolean bln) throws IOException { - SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket( + sslSocket = (SSLSocket) delegateSocketFactory.createSocket( socket, string, i, bln); setEnabledProtocols(sslSocket); return sslSocket; @@ -437,7 +472,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Override public Socket createSocket(String string, int i) throws IOException { - SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket( + sslSocket = (SSLSocket) delegateSocketFactory.createSocket( string, i); setEnabledProtocols(sslSocket); return sslSocket; @@ -446,7 +481,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Override public Socket createSocket(String string, int i, InetAddress ia, int i1) throws IOException { - SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket( + sslSocket = (SSLSocket) delegateSocketFactory.createSocket( string, i, ia, i1); setEnabledProtocols(sslSocket); return sslSocket; @@ -454,7 +489,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Override public Socket createSocket(InetAddress ia, int i) throws IOException { - SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia, + sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia, i); setEnabledProtocols(sslSocket); return sslSocket; @@ -463,7 +498,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest { @Override public Socket createSocket(InetAddress ia, int i, InetAddress ia1, int i1) throws IOException { - SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia, + sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia, i, ia1, i1); setEnabledProtocols(sslSocket); return sslSocket;