Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SCB-2709]support TLS 1.3 #3446

Merged
merged 4 commits into from
Nov 1, 2022
Merged

[SCB-2709]support TLS 1.3 #3446

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6b8be81
[SCB-2709]support TLS 1.3
liubao68 Nov 1, 2022
f21f483
[SCB-2709]fix ut error
liubao68 Nov 1, 2022
970d95d
[SCB-2709]fix ut error
liubao68 Nov 1, 2022
09f6044
[SCB-2709]fix at error
liubao68 Nov 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions demo/demo-springmvc/springmvc-client/src/main/resources/microservice.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,9 @@ cse:
- rest://localhost:8080?sslEnabled=false&urlPrefix=%2Fapi

#########SSL options
# open jdk 8 now TLSv1.3 not available
# ssl.protocols: TLSv1.3
# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: false
Expand Down
3 changes: 3 additions & 0 deletions demo/demo-springmvc/springmvc-server/src/main/resources/microservice.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,9 @@ servicecomb:
availableZone: my-Zone
codec.printErrorMessage: true
#########SSL options
# open jdk 8 now TLSv1.3 not available
# ssl.protocols: TLSv1.3
# ssl.ciphers: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
ssl.protocols: TLSv1.2
ssl.authPeer: true
ssl.checkCN.host: true
Expand Down
12 changes: 9 additions & 3 deletions ...ations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/SSLManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

import org.apache.commons.lang.StringUtils;

/**
* 根据传递的SSLOption构造SSL上下文。请参考JSSE获取相关API的层次参考。
*
Expand Down Expand Up @@ -214,10 +216,14 @@ private static String[] getEnabledCiphers(String[] supported,
return r;
}

public static String[] getEnabledCiphers(String enabledCiphers) {
public static String[] getEnabledCiphers(SSLOption sslOption) {
SSLOption option = new SSLOption();
option.setProtocols("TLSv1.2");
option.setCiphers(enabledCiphers);
if (StringUtils.isNotEmpty(sslOption.getProtocols())) {
option.setProtocols(sslOption.getProtocols());
} else {
option.setProtocols("TLSv1.2");
}
option.setCiphers(sslOption.getCiphers());
SSLCustom custom = SSLCustom.defaultSSLCustom();
SSLSocket socket = createSSLSocket(option, custom);
return socket.getEnabledCipherSuites();
Expand Down
15 changes: 9 additions & 6 deletions ...ns/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLManagerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,12 +34,12 @@
import javax.net.ssl.SSLSocketFactory;

import org.junit.Test;
import org.junit.jupiter.api.Assertions;

import mockit.Expectations;
import mockit.Mock;
import mockit.MockUp;
import mockit.Mocked;
import org.junit.jupiter.api.Assertions;

public class SSLManagerTest {
private final String DIR = Thread.currentThread().getContextClassLoader().getResource("").getPath();
Expand Down Expand Up @@ -122,12 +122,12 @@ public char[] decode(char[] encrypted) {
serverSocket.bind(new InetSocketAddress("127.0.0.1", 8886));
String[] protos = serverSocket.getEnabledCipherSuites();
String[] protosExpected =
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(protos, protosExpected);
String[] ciphers = serverSocket.getEnabledCipherSuites();
String[] ciphersExpected =
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(ciphers, ciphersExpected);
Assertions.assertTrue(serverSocket.getNeedClientAuth());
Expand All @@ -136,12 +136,12 @@ public char[] decode(char[] encrypted) {
SSLSocket clientsocket = SSLManager.createSSLSocket(clientoption, custom);
String[] clientprotos = clientsocket.getEnabledCipherSuites();
String[] clientprotosExpected =
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(clientprotos, clientprotosExpected);
String[] clientciphers = clientsocket.getEnabledCipherSuites();
String[] clientciphersExpected =
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
.split(",");
Assertions.assertArrayEquals(clientciphers, clientciphersExpected);
Assertions.assertFalse(clientsocket.getNeedClientAuth());
Expand Down Expand Up @@ -460,7 +460,10 @@ public char[] decode(char[] encrypted) {

@Test
public void testGetSupportedCiphers() {
String[] ciphers = SSLManager.getEnabledCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
SSLOption option = new SSLOption();
option.setCiphers("TLS_RSA_WITH_AES_128_GCM_SHA256");
option.setProtocols("TLSv1.2");
String[] ciphers = SSLManager.getEnabledCiphers(option);
Assertions.assertEquals(ciphers[0], "TLS_RSA_WITH_AES_128_GCM_SHA256");
}
}
4 changes: 2 additions & 2 deletions ...ons/foundation-ssl/src/test/java/org/apache/servicecomb/foundation/ssl/SSLOptionTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,12 +59,12 @@ public void testSSLOption() {

String protocols = option.getProtocols();
option.setProtocols(protocols);
Assertions.assertEquals("TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);
Assertions.assertEquals("TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello", protocols);

String ciphers = option.getCiphers();
option.setCiphers(ciphers);
Assertions.assertEquals(
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SH"
+
"A,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
ciphers);
Expand Down
4 changes: 2 additions & 2 deletions foundations/foundation-ssl/src/test/resources/client.ssl.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@
#

#########SSL options
ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.authPeer=true
ssl.checkCN.host=false
ssl.checkCN.white=true
Expand Down
4 changes: 2 additions & 2 deletions foundations/foundation-ssl/src/test/resources/server.ssl.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,8 @@
#

#########SSL options
ssl.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
ssl.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello
ssl.ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.authPeer=true
ssl.checkCN.host=true
ssl.checkCN.white=true
Expand Down
2 changes: 1 addition & 1 deletion ...undation-vertx/src/main/java/org/apache/servicecomb/foundation/vertx/VertxTLSBuilder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ private static TCPSSLOptions buildTCPSSLOptions(SSLOption sslOption, SSLCustom s
tcpClientOptions
.setEnabledSecureTransportProtocols(new HashSet<>(Arrays.asList(sslOption.getProtocols().split(","))));

for (String cipher : SSLManager.getEnabledCiphers(sslOption.getCiphers())) {
for (String cipher : SSLManager.getEnabledCiphers(sslOption)) {
tcpClientOptions.addEnabledCipherSuite(cipher);
}

Expand Down