diff --git a/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java index b696fa1db9..94a90d2837 100644 --- a/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java +++ b/nifi-commons/nifi-security-utils-api/src/main/java/org/apache/nifi/security/util/TlsConfiguration.java @@ -25,6 +25,13 @@ import java.util.regex.Pattern; * {@link javax.net.ssl.SSLContext}s. */ public interface TlsConfiguration { + String SSL_PROTOCOL = "SSL"; + String TLS_PROTOCOL = "TLS"; + + String TLS_1_0_PROTOCOL = "TLSv1"; + String TLS_1_1_PROTOCOL = "TLSv1.1"; + String[] LEGACY_TLS_PROTOCOL_VERSIONS = new String[]{TLS_1_0_PROTOCOL, TLS_1_1_PROTOCOL}; + String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.2"; String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION = "TLSv1.3"; String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS = new String[]{JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION}; @@ -157,6 +164,13 @@ public interface TlsConfiguration { */ String[] getTruststorePropertiesForLogging(); + /** + * Get Enabled TLS Protocol Versions + * + * @return Enabled TLS Protocols + */ + String[] getEnabledProtocols(); + /** * Returns the JVM Java major version based on the System properties (e.g. {@code JVM 1.8.0.231} -> {code 8}). * diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java index dfaab7bae6..3fc386dec6 100644 --- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java +++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/StandardTlsConfiguration.java @@ -18,6 +18,9 @@ package org.apache.nifi.security.util; import java.io.File; import java.net.MalformedURLException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; import java.util.Objects; import org.apache.nifi.util.NiFiProperties; import org.apache.nifi.util.StringUtils; @@ -432,6 +435,29 @@ public class StandardTlsConfiguration implements TlsConfiguration { return new String[]{getTruststorePath(), getTruststorePasswordForLogging(), getKeystoreType() != null ? getTruststoreType().getType() : NULL_LOG}; } + + /** + * Get Enabled TLS Protocols translates SSL to legacy protocols and TLS to current protocols or returns configured protocol + * + * @return Enabled TLS Protocols + */ + @Override + public String[] getEnabledProtocols() { + final List enabledProtocols = new ArrayList<>(); + + final String configuredProtocol = getProtocol(); + if (TLS_PROTOCOL.equals(configuredProtocol)) { + enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())); + } else if (SSL_PROTOCOL.equals(configuredProtocol)) { + enabledProtocols.addAll(Arrays.asList(LEGACY_TLS_PROTOCOL_VERSIONS)); + enabledProtocols.addAll(Arrays.asList(TlsConfiguration.getCurrentSupportedTlsProtocolVersions())); + } else if (configuredProtocol != null) { + enabledProtocols.add(configuredProtocol); + } + + return enabledProtocols.toArray(new String[enabledProtocols.size()]); + } + @Override public String toString() { StringBuilder sb = new StringBuilder("[TlsConfiguration]"); diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy index ec117136a8..27628b0235 100644 --- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy +++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/StandardTlsConfigurationTest.groovy @@ -209,4 +209,43 @@ class StandardTlsConfigurationTest extends GroovyTestCase { assert !wrongPasswordIsValid assert !invalidIsValid } + + @Test + void testShouldReturnLegacyAndCurrentEnabledProtocolsForSsl() { + TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.SSL_PROTOCOL) + + String[] enabledProtocols = configuration.enabledProtocols + assert enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS) + assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()) + } + + @Test + void testShouldReturnCurrentEnabledProtocolsForTls() { + TlsConfiguration configuration = getTlsConfiguration(TlsConfiguration.TLS_PROTOCOL) + + String[] enabledProtocols = configuration.enabledProtocols + assert !enabledProtocols.toList().containsAll(TlsConfiguration.LEGACY_TLS_PROTOCOL_VERSIONS) + assert enabledProtocols.toList().containsAll(TlsConfiguration.getCurrentSupportedTlsProtocolVersions()) + } + + @Test + void testShouldReturnConfiguredEnabledProtocols() { + String currentProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion() + TlsConfiguration configuration = getTlsConfiguration(currentProtocol) + + String[] enabledProtocols = configuration.enabledProtocols + assert enabledProtocols == [currentProtocol] + } + + @Test + void testShouldReturnEmptyEnabledProtocolsForNullProtocol() { + TlsConfiguration configuration = getTlsConfiguration(null) + + String[] enabledProtocols = configuration.enabledProtocols + assert enabledProtocols.toList().isEmpty() + } + + TlsConfiguration getTlsConfiguration(String protocol) { + new StandardTlsConfiguration(KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_PASSWORD, KEYSTORE_TYPE, TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD, TRUSTSTORE_TYPE, protocol) + } } diff --git a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java index 4d4c27f98a..0b74616414 100644 --- a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java +++ b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java @@ -50,6 +50,7 @@ import org.apache.nifi.processor.exception.ProcessException; import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processors.email.smtp.SmtpConsumer; import org.apache.nifi.security.util.ClientAuth; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.RestrictedSSLContextService; import org.apache.nifi.ssl.SSLContextService; import org.springframework.util.StringUtils; @@ -252,6 +253,9 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor { SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth)); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true)); + final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration(); + sslSocket.setEnabledProtocols(tlsConfiguration.getEnabledProtocols()); + sslSocket.setUseClientMode(false); if (ClientAuth.REQUIRED.toString().equals(clientAuth)) { diff --git a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java index 7138bcf874..5da0d9a060 100644 --- a/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java +++ b/nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/test/java/org/apache/nifi/processors/email/TestListenSMTP.java @@ -16,6 +16,8 @@ */ package org.apache.nifi.processors.email; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; import java.util.Properties; @@ -26,7 +28,9 @@ import javax.mail.Transport; import javax.mail.internet.InternetAddress; import javax.mail.internet.MimeMessage; import org.apache.nifi.remote.io.socket.NetworkUtils; +import org.apache.nifi.reporting.InitializationException; import org.apache.nifi.security.util.ClientAuth; +import org.apache.nifi.security.util.TlsConfiguration; import org.apache.nifi.ssl.SSLContextService; import org.apache.nifi.ssl.StandardRestrictedSSLContextService; import org.apache.nifi.ssl.StandardSSLContextService; @@ -35,38 +39,20 @@ import org.apache.nifi.util.TestRunners; import org.junit.Test; public class TestListenSMTP { + private static final String SSL_SERVICE_IDENTIFIER = "ssl-context"; @Test public void testListenSMTP() throws Exception { - final ListenSMTP processor = new ListenSMTP(); - final TestRunner runner = TestRunners.newTestRunner(processor); - final int port = NetworkUtils.availablePort(); - runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port)); - runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3"); + final TestRunner runner = newTestRunner(port); runner.run(1, false); + assertPortListening(port); - assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000)); - - final Properties config = new Properties(); - config.put("mail.smtp.host", "localhost"); - config.put("mail.smtp.port", String.valueOf(port)); - config.put("mail.smtp.connectiontimeout", "5000"); - config.put("mail.smtp.timeout", "5000"); - config.put("mail.smtp.writetimeout", "5000"); - - final Session session = Session.getInstance(config); - session.setDebug(true); - + final Session session = getSession(port); final int numMessages = 5; for (int i = 0; i < numMessages; i++) { - final Message email = new MimeMessage(session); - email.setFrom(new InternetAddress("alice@nifi.apache.org")); - email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org")); - email.setSubject("This is a test"); - email.setText("MSG-" + i); - Transport.send(email); + sendMessage(session, i); } runner.shutdown(); @@ -74,34 +60,92 @@ public class TestListenSMTP { } @Test - public void testListenSMTPwithTLS() throws Exception { - final ListenSMTP processor = new ListenSMTP(); - final TestRunner runner = TestRunners.newTestRunner(processor); - + public void testListenSMTPwithTLSCurrentVersion() throws Exception { final int port = NetworkUtils.availablePort(); - runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port)); - runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3"); + final TestRunner runner = newTestRunner(port); - // Setup the SSL Context - final SSLContextService sslContextService = new StandardRestrictedSSLContextService(); - runner.addControllerService("ssl-context", sslContextService); - runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks"); - runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword"); - runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS"); - runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks"); - runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword"); - runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS"); - runner.enableControllerService(sslContextService); - - // and add the SSL context to the runner - runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, "ssl-context"); + final String tlsProtocol = TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion(); + configureSslContextService(runner, tlsProtocol); + runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER); runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name()); runner.assertValid(); runner.run(1, false); + assertPortListening(port); + final Session session = getSessionTls(port, tlsProtocol); + final int numMessages = 5; + for (int i = 0; i < numMessages; i++) { + sendMessage(session, i); + } + + runner.shutdown(); + runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages); + } + + @Test + public void testListenSMTPwithTLSLegacyProtocolException() throws Exception { + final int port = NetworkUtils.availablePort(); + final TestRunner runner = newTestRunner(port); + + configureSslContextService(runner, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion()); + runner.setProperty(ListenSMTP.SSL_CONTEXT_SERVICE, SSL_SERVICE_IDENTIFIER); + runner.setProperty(ListenSMTP.CLIENT_AUTH, ClientAuth.NONE.name()); + runner.assertValid(); + + runner.run(1, false); + assertPortListening(port); + + final Session session = getSessionTls(port, TlsConfiguration.TLS_1_0_PROTOCOL); + final MessagingException exception = assertThrows(MessagingException.class, () -> sendMessage(session, 0)); + assertEquals(exception.getMessage(), "Could not convert socket to TLS"); + + runner.shutdown(); + runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0); + } + + @Test + public void testListenSMTPwithTooLargeMessage() throws Exception { + final int port = NetworkUtils.availablePort(); + final TestRunner runner = newTestRunner(port); + runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B"); + + runner.run(1, false); + assertPortListening(port); + + final Session session = getSession(port); + assertThrows(MessagingException.class, () -> sendMessage(session, 0)); + + runner.shutdown(); + runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0); + } + + private TestRunner newTestRunner(final int port) { + final ListenSMTP processor = new ListenSMTP(); + final TestRunner runner = TestRunners.newTestRunner(processor); + + runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port)); + runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3"); + return runner; + } + + private void assertPortListening(final int port) { assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000)); + } + private Session getSession(final int port) { + final Properties config = new Properties(); + config.put("mail.smtp.host", "localhost"); + config.put("mail.smtp.port", String.valueOf(port)); + config.put("mail.smtp.connectiontimeout", "5000"); + config.put("mail.smtp.timeout", "5000"); + config.put("mail.smtp.writetimeout", "5000"); + final Session session = Session.getInstance(config); + session.setDebug(true); + return session; + } + + private Session getSessionTls(final int port, final String tlsProtocol) { final Properties config = new Properties(); config.put("mail.smtp.host", "localhost"); config.put("mail.smtp.port", String.valueOf(port)); @@ -112,64 +156,32 @@ public class TestListenSMTP { config.put("mail.smtp.connectiontimeout", "5000"); config.put("mail.smtp.timeout", "5000"); config.put("mail.smtp.writetimeout", "5000"); + config.put("mail.smtp.ssl.protocols", tlsProtocol); final Session session = Session.getInstance(config); session.setDebug(true); - - final int numMessages = 5; - for (int i = 0; i < numMessages; i++) { - final Message email = new MimeMessage(session); - email.setFrom(new InternetAddress("alice@nifi.apache.org")); - email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org")); - email.setSubject("This is a test"); - email.setText("MSG-" + i); - Transport.send(email); - } - - runner.shutdown(); - runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, numMessages); + return session; } - @Test(expected = MessagingException.class) - public void testListenSMTPwithTooLargeMessage() throws Exception { - final ListenSMTP processor = new ListenSMTP(); - final TestRunner runner = TestRunners.newTestRunner(processor); - - final int port = NetworkUtils.availablePort(); - runner.setProperty(ListenSMTP.SMTP_PORT, String.valueOf(port)); - runner.setProperty(ListenSMTP.SMTP_MAXIMUM_CONNECTIONS, "3"); - runner.setProperty(ListenSMTP.SMTP_MAXIMUM_MSG_SIZE, "10 B"); - - runner.run(1, false); - - assertTrue(String.format("expected server listening on %s:%d", "localhost", port), NetworkUtils.isListening("localhost", port, 5000)); - - final Properties config = new Properties(); - config.put("mail.smtp.host", "localhost"); - config.put("mail.smtp.port", String.valueOf(port)); - config.put("mail.smtp.connectiontimeout", "5000"); - config.put("mail.smtp.timeout", "5000"); - config.put("mail.smtp.writetimeout", "5000"); - - final Session session = Session.getInstance(config); - session.setDebug(true); - - MessagingException messagingException = null; - try { - final Message email = new MimeMessage(session); - email.setFrom(new InternetAddress("alice@nifi.apache.org")); - email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org")); - email.setSubject("This is a test"); - email.setText("MSG-0"); - Transport.send(email); - } catch (final MessagingException e) { - messagingException = e; - } - - runner.shutdown(); - runner.assertAllFlowFilesTransferred(ListenSMTP.REL_SUCCESS, 0); - - if (messagingException != null) throw messagingException; + private void sendMessage(final Session session, final int i) throws MessagingException { + final Message email = new MimeMessage(session); + email.setFrom(new InternetAddress("alice@nifi.apache.org")); + email.setRecipients(Message.RecipientType.TO, InternetAddress.parse("bob@nifi.apache.org")); + email.setSubject("This is a test"); + email.setText("MSG-" + i); + Transport.send(email); } + private void configureSslContextService(final TestRunner runner, final String tlsProtocol) throws InitializationException { + final SSLContextService sslContextService = new StandardRestrictedSSLContextService(); + runner.addControllerService(SSL_SERVICE_IDENTIFIER, sslContextService); + runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE, "src/test/resources/truststore.jks"); + runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_PASSWORD, "passwordpassword"); + runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, "JKS"); + runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE, "src/test/resources/keystore.jks"); + runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_PASSWORD, "passwordpassword"); + runner.setProperty(sslContextService, StandardSSLContextService.KEYSTORE_TYPE, "JKS"); + runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, tlsProtocol); + runner.enableControllerService(sslContextService); + } } diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java index 14d259f466..014979feab 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java @@ -87,7 +87,7 @@ public class StandardRestrictedSSLContextService extends StandardSSLContextServi static AllowableValue[] buildAlgorithmAllowableValues() { final Set supportedProtocols = new HashSet<>(); - supportedProtocols.add("TLS"); + supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL); /* * Add specifically supported TLS versions diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java index 800625fa70..7c88429b10 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java +++ b/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java @@ -109,10 +109,10 @@ public interface SSLContextService extends ControllerService { * Prepopulate protocols with generic instance types commonly used * see: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext */ - supportedProtocols.add("TLS"); + supportedProtocols.add(TlsConfiguration.TLS_PROTOCOL); // This is still available for outgoing connections to legacy services, but can be disabled with jdk.tls.disabledAlgorithms - supportedProtocols.add("SSL"); + supportedProtocols.add(TlsConfiguration.SSL_PROTOCOL); // Determine those provided by the JVM on the system try {