HADOOP-16661. Support TLS 1.3 (#1880)
This commit is contained in:
parent
ea688631b0
commit
f197f05cff
|
@ -2974,6 +2974,7 @@
|
||||||
<description>
|
<description>
|
||||||
The supported SSL protocols. The parameter will only be used from
|
The supported SSL protocols. The parameter will only be used from
|
||||||
DatanodeHttpServer.
|
DatanodeHttpServer.
|
||||||
|
Starting from Hadoop 3.3.0, TLSv1.3 is supported with Java 11 Runtime.
|
||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
|
|
@ -41,6 +41,7 @@ import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
|
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
|
||||||
import org.apache.hadoop.security.ssl.SSLFactory;
|
import org.apache.hadoop.security.ssl.SSLFactory;
|
||||||
import org.apache.hadoop.test.GenericTestUtils;
|
import org.apache.hadoop.test.GenericTestUtils;
|
||||||
|
import org.apache.hadoop.util.Shell;
|
||||||
import org.apache.hadoop.util.StringUtils;
|
import org.apache.hadoop.util.StringUtils;
|
||||||
import org.junit.AfterClass;
|
import org.junit.AfterClass;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
|
@ -86,9 +87,11 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
+ "SSL_RSA_EXPORT_WITH_RC4_40_MD5,\t \n"
|
+ "SSL_RSA_EXPORT_WITH_RC4_40_MD5,\t \n"
|
||||||
+ "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,"
|
+ "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,"
|
||||||
+ "SSL_RSA_WITH_RC4_128_MD5 \t";
|
+ "SSL_RSA_WITH_RC4_128_MD5 \t";
|
||||||
private static final String ONE_ENABLED_CIPHERS = EXCLUDED_CIPHERS
|
private static final String ONE_ENABLED_CIPHERS_TLS1_2 = EXCLUDED_CIPHERS
|
||||||
+ ",TLS_RSA_WITH_AES_128_CBC_SHA";
|
+ ",TLS_RSA_WITH_AES_128_CBC_SHA";
|
||||||
private static final String EXCLUSIVE_ENABLED_CIPHERS
|
private static final String ONE_ENABLED_CIPHERS_TLS1_3 = EXCLUDED_CIPHERS
|
||||||
|
+ ",TLS_AES_128_GCM_SHA256";
|
||||||
|
private static final String EXCLUSIVE_ENABLED_CIPHERS_TLS1_2
|
||||||
= "\tTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \n"
|
= "\tTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \n"
|
||||||
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
|
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
|
||||||
+ "TLS_RSA_WITH_AES_128_CBC_SHA,"
|
+ "TLS_RSA_WITH_AES_128_CBC_SHA,"
|
||||||
|
@ -96,8 +99,12 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
|
+ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
|
||||||
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\t\n "
|
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\t\n "
|
||||||
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
|
+ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
|
||||||
|
private static final String EXCLUSIVE_ENABLED_CIPHERS_TLS1_3 =
|
||||||
|
EXCLUSIVE_ENABLED_CIPHERS_TLS1_2 + ",TLS_AES_128_GCM_SHA256";
|
||||||
|
|
||||||
static final String INCLUDED_PROTOCOLS = "SSLv2Hello,TLSv1.1";
|
|
||||||
|
static final String INCLUDED_PROTOCOLS = "TLSv1.2";
|
||||||
|
static final String INCLUDED_PROTOCOLS_JDK11 = "TLSv1.3,TLSv1.2";
|
||||||
|
|
||||||
@BeforeClass
|
@BeforeClass
|
||||||
public static void setup() throws Exception {
|
public static void setup() throws Exception {
|
||||||
|
@ -291,22 +298,41 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
@Test
|
@Test
|
||||||
public void testIncludedProtocols() throws Exception {
|
public void testIncludedProtocols() throws Exception {
|
||||||
URL url = new URL(baseUrl, SERVLET_PATH_ECHO + "?a=b&c=d");
|
URL url = new URL(baseUrl, SERVLET_PATH_ECHO + "?a=b&c=d");
|
||||||
|
|
||||||
|
String includedProtocols = INCLUDED_PROTOCOLS;
|
||||||
|
if (Shell.isJavaVersionAtLeast(11)) {
|
||||||
|
includedProtocols = INCLUDED_PROTOCOLS_JDK11;
|
||||||
|
}
|
||||||
HttpsURLConnection conn =
|
HttpsURLConnection conn =
|
||||||
getConnectionWithPreferredProtocolSSLSocketFactory(url,
|
getConnectionWithPreferredProtocolSSLSocketFactory(url,
|
||||||
INCLUDED_PROTOCOLS);
|
includedProtocols);
|
||||||
assertFalse("included protocol list is empty",
|
assertFalse("included protocol list is empty",
|
||||||
INCLUDED_PROTOCOLS.isEmpty());
|
includedProtocols.isEmpty());
|
||||||
|
|
||||||
readFromConnection(conn);
|
readFromConnection(conn);
|
||||||
|
|
||||||
|
PreferredProtocolSSLSocketFactory factory =
|
||||||
|
(PreferredProtocolSSLSocketFactory)conn.getSSLSocketFactory();
|
||||||
|
|
||||||
|
if (Shell.isJavaVersionAtLeast(11)) {
|
||||||
|
assertEquals("TLSv1.3", factory.getSocket().getSession().getProtocol());
|
||||||
|
} else {
|
||||||
|
assertEquals("TLSv1.2", factory.getSocket().getSession().getProtocol());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Test that verified that additionally included cipher
|
/** Test that verified that additionally included cipher
|
||||||
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is only available cipher for working
|
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (TLS 1.2) or
|
||||||
|
* TLS_AES_128_GCM_SHA256 (TLS 1.3) is only available cipher for working
|
||||||
* TLS connection from client to server disabled for all other common ciphers.
|
* TLS connection from client to server disabled for all other common ciphers.
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
public void testOneEnabledCiphers() throws Exception {
|
public void testOneEnabledCiphers() throws Exception {
|
||||||
testEnabledCiphers(ONE_ENABLED_CIPHERS);
|
if (Shell.isJavaVersionAtLeast(11)) {
|
||||||
|
testEnabledCiphers(ONE_ENABLED_CIPHERS_TLS1_3);
|
||||||
|
} else {
|
||||||
|
testEnabledCiphers(ONE_ENABLED_CIPHERS_TLS1_2);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Test verifies that mutually exclusive server's disabled cipher suites and
|
/** Test verifies that mutually exclusive server's disabled cipher suites and
|
||||||
|
@ -314,7 +340,11 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
public void testExclusiveEnabledCiphers() throws Exception {
|
public void testExclusiveEnabledCiphers() throws Exception {
|
||||||
testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS);
|
if (Shell.isJavaVersionAtLeast(11)) {
|
||||||
|
testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS_TLS1_3);
|
||||||
|
} else {
|
||||||
|
testEnabledCiphers(EXCLUSIVE_ENABLED_CIPHERS_TLS1_2);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void testEnabledCiphers(String ciphers) throws
|
private void testEnabledCiphers(String ciphers) throws
|
||||||
|
@ -405,6 +435,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
private class PreferredProtocolSSLSocketFactory extends SSLSocketFactory {
|
private class PreferredProtocolSSLSocketFactory extends SSLSocketFactory {
|
||||||
private final SSLSocketFactory delegateSocketFactory;
|
private final SSLSocketFactory delegateSocketFactory;
|
||||||
private final String[] enabledProtocols;
|
private final String[] enabledProtocols;
|
||||||
|
private SSLSocket sslSocket;
|
||||||
|
|
||||||
PreferredProtocolSSLSocketFactory(SSLSocketFactory sslSocketFactory,
|
PreferredProtocolSSLSocketFactory(SSLSocketFactory sslSocketFactory,
|
||||||
String[] enabledProtocols) {
|
String[] enabledProtocols) {
|
||||||
|
@ -416,6 +447,10 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public SSLSocket getSocket() {
|
||||||
|
return sslSocket;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String[] getDefaultCipherSuites() {
|
public String[] getDefaultCipherSuites() {
|
||||||
return delegateSocketFactory.getDefaultCipherSuites();
|
return delegateSocketFactory.getDefaultCipherSuites();
|
||||||
|
@ -429,7 +464,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
@Override
|
@Override
|
||||||
public Socket createSocket(Socket socket, String string, int i, boolean bln)
|
public Socket createSocket(Socket socket, String string, int i, boolean bln)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
||||||
socket, string, i, bln);
|
socket, string, i, bln);
|
||||||
setEnabledProtocols(sslSocket);
|
setEnabledProtocols(sslSocket);
|
||||||
return sslSocket;
|
return sslSocket;
|
||||||
|
@ -437,7 +472,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Socket createSocket(String string, int i) throws IOException {
|
public Socket createSocket(String string, int i) throws IOException {
|
||||||
SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
||||||
string, i);
|
string, i);
|
||||||
setEnabledProtocols(sslSocket);
|
setEnabledProtocols(sslSocket);
|
||||||
return sslSocket;
|
return sslSocket;
|
||||||
|
@ -446,7 +481,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
@Override
|
@Override
|
||||||
public Socket createSocket(String string, int i, InetAddress ia, int i1)
|
public Socket createSocket(String string, int i, InetAddress ia, int i1)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
sslSocket = (SSLSocket) delegateSocketFactory.createSocket(
|
||||||
string, i, ia, i1);
|
string, i, ia, i1);
|
||||||
setEnabledProtocols(sslSocket);
|
setEnabledProtocols(sslSocket);
|
||||||
return sslSocket;
|
return sslSocket;
|
||||||
|
@ -454,7 +489,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Socket createSocket(InetAddress ia, int i) throws IOException {
|
public Socket createSocket(InetAddress ia, int i) throws IOException {
|
||||||
SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia,
|
sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia,
|
||||||
i);
|
i);
|
||||||
setEnabledProtocols(sslSocket);
|
setEnabledProtocols(sslSocket);
|
||||||
return sslSocket;
|
return sslSocket;
|
||||||
|
@ -463,7 +498,7 @@ public class TestSSLHttpServer extends HttpServerFunctionalTest {
|
||||||
@Override
|
@Override
|
||||||
public Socket createSocket(InetAddress ia, int i, InetAddress ia1, int i1)
|
public Socket createSocket(InetAddress ia, int i, InetAddress ia1, int i1)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
SSLSocket sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia,
|
sslSocket = (SSLSocket) delegateSocketFactory.createSocket(ia,
|
||||||
i, ia1, i1);
|
i, ia1, i1);
|
||||||
setEnabledProtocols(sslSocket);
|
setEnabledProtocols(sslSocket);
|
||||||
return sslSocket;
|
return sslSocket;
|
||||||
|
|
Loading…
Reference in New Issue