Revert "[security] Allow to config web server's cipher and protocols (a…
…pache#13354)"

This reverts commit 3c0f869.
nicoloboschi committed Jun 1, 2022
1 parent e363fb6 commit 146ad92
Showing 15 changed files with 33 additions and 298 deletions.
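--- a/conf/broker.conf
+++ b/conf/broker.conf
@@ -37,16 +37,6 @@ webServicePort=8080
 # Port to use to server HTTPS request - By default TLS is disabled
 webServicePortTls=
 
-# Specify the tls protocols the broker's web service will use to negotiate during TLS handshake
-# (a comma-separated list of protocol names).
-# Examples:- [TLSv1.3, TLSv1.2]
-webServiceTlsProtocols=
-
-# Specify the tls cipher the broker will use to negotiate during TLS Handshake
-# (a comma-separated list of ciphers).
-# Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
-webServiceTlsCiphers=
-
 # Hostname or IP address the service binds on, default is 0.0.0.0.
 bindAddress=0.0.0.0
 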
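--- a/conf/proxy.conf
+++ b/conf/proxy.conf
@@ -102,16 +102,6 @@ tlsTrustStore=
 # TLS TrustStore password in proxy, default value is empty password
 tlsTrustStorePassword=
 
-# Specify the tls protocols the proxy's web service will use to negotiate during TLS handshake
-# (a comma-separated list of protocol names).
-# Examples:- [TLSv1.3, TLSv1.2]
-webServiceTlsProtocols=
-
-# Specify the tls cipher the proxy will use to negotiate during TLS Handshake
-# (a comma-separated list of ciphers).
-# Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
-webServiceTlsCiphers=
-
 # Path for the file used to determine the rotation status for the proxy instance when responding
 # to service discovery health checks
 statusFilePath=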
Expand Up @@ -142,20 +142,6 @@ public class ServiceConfiguration implements PulsarConfiguration {
)
private Optional<Integer> webServicePortTls = Optional.empty();

@FieldContext(
category = CATEGORY_TLS,
doc = "Specify the tls protocols the proxy's web service will use to negotiate during TLS Handshake.\n\n"
+ "Example:- [TLSv1.3, TLSv1.2]"
)
private Set<String> webServiceTlsProtocols = new TreeSet<>();

@FieldContext(
category = CATEGORY_TLS,
doc = "Specify the tls cipher the proxy's web service will use to negotiate during TLS Handshake.\n\n"
+ "Example:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]"
)
private Set<String> webServiceTlsCiphers = new TreeSet<>();

@FieldContext(
category = CATEGORY_SERVER,
doc = "Hostname or IP address the service binds on"
Expand Up @@ -113,8 +113,6 @@ public WebService(PulsarService pulsar) throws PulsarServerException {
config.getTlsTrustStore(),
config.getTlsTrustStorePassword(),
config.isTlsRequireTrustedClientCertOnConnect(),
config.getWebServiceTlsCiphers(),
config.getWebServiceTlsProtocols(),
config.getTlsCertRefreshCheckDurationSec()
);
} else {
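--- a/pulsar-common/pom.xml
+++ b/pulsar-common/pom.xml
@@ -168,20 +168,6 @@
 <optional>true</optional>
 </dependency>
 
-<!-- test -->
-<dependency>
-<groupId>org.eclipse.jetty</groupId>
-<artifactId>jetty-server</artifactId>
-<scope>test</scope>
-</dependency>
-
-<dependency>
-<groupId>org.bouncycastle</groupId>
-<artifactId>bc-fips</artifactId>
-<version>${bouncycastlefips.version}</version>
-<scope>test</scope>
-</dependency>
-
 <dependency>
 <groupId>org.lz4</groupId>
 <artifactId>lz4-java</artifactId>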
Expand Up @@ -256,8 +256,7 @@ public static KeyStoreSSLContext createServerKeyStoreSslContext(String sslProvid
return keyStoreSSLContext;
}

// the web server only use this method to get SSLContext, it won't use this to configure engine
// no need ciphers and protocols
// for web server use case, no need ciphers and protocols
public static SSLContext createServerSslContext(String sslProviderString,
String keyStoreTypeString,
String keyStorePath,
Expand Down Expand Up @@ -336,19 +335,18 @@ public static SSLContext createClientSslContext(String keyStoreTypeString,
}

// for web server. autoRefresh is default true.
public static SslContextFactory.Server createSslContextFactory(String sslProviderString,
String keyStoreTypeString,
String keyStore,
String keyStorePassword,
boolean allowInsecureConnection,
String trustStoreTypeString,
String trustStore,
String trustStorePassword,
boolean requireTrustedClientCertOnConnect,
Set<String> ciphers,
Set<String> protocols,
long certRefreshInSec) {
SslContextFactory.Server sslCtxFactory;
public static SslContextFactory createSslContextFactory(String sslProviderString,
String keyStoreTypeString,
String keyStore,
String keyStorePassword,
boolean allowInsecureConnection,
String trustStoreTypeString,
String trustStore,
String trustStorePassword,
boolean requireTrustedClientCertOnConnect,
long certRefreshInSec)
throws GeneralSecurityException, IOException {
SslContextFactory sslCtxFactory;

if (sslProviderString == null) {
Provider provider = SecurityUtility.CONSCRYPT_PROVIDER;
Expand All @@ -357,7 +355,7 @@ public static SslContextFactory.Server createSslContextFactory(String sslProvide
}
}

sslCtxFactory = new JettySslContextFactoryWithAutoRefresh(
sslCtxFactory = new SslContextFactoryWithAutoRefresh(
sslProviderString,
keyStoreTypeString,
keyStore,
Expand All @@ -367,8 +365,6 @@ public static SslContextFactory.Server createSslContextFactory(String sslProvide
trustStore,
trustStorePassword,
requireTrustedClientCertOnConnect,
ciphers,
protocols,
certRefreshInSec);

if (requireTrustedClientCertOnConnect) {
Expand Up @@ -18,9 +18,11 @@
*/
package org.apache.pulsar.common.util.keystoretls;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.pulsar.common.util.FileModifiedTimeUpdater;
import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;

Expand Down Expand Up @@ -68,7 +70,7 @@ public NetSslContextBuilder(String sslProviderString,

@Override
public synchronized SSLContext update()
throws GeneralSecurityException, IOException {
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
this.sslContext = KeyStoreSSLContext.createServerSslContext(tlsProvider,
tlsKeyStoreType, tlsKeyStore.getFileName(), tlsKeyStorePassword,
tlsAllowInsecureConnection,
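Review bot: The throws clause restored on `update()` in the second hunk lists `SSLException` and `FileNotFoundException` next to `IOException`, but both are subclasses of `IOException`, so the two extra names (and the two imports re-added in the first hunk) add nothing to the method's contract. `throws GeneralSecurityException, IOException` is equivalent and lets the `java.io.FileNotFoundException` and `javax.net.ssl.SSLException` imports go. The same redundant clause appears on the `SslContextFactoryWithAutoRefresh` constructor in the next file. The body of `update()` continues outside the hunk.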
Expand Up @@ -18,29 +18,30 @@
*/
package org.apache.pulsar.common.util.keystoretls;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import java.util.Set;

/**
* SslContextFactoryWithAutoRefresh that create SSLContext for web server, and refresh in time.
*/
public class JettySslContextFactoryWithAutoRefresh extends SslContextFactory.Server {
public class SslContextFactoryWithAutoRefresh extends SslContextFactory {
private final NetSslContextBuilder sslCtxRefresher;

public JettySslContextFactoryWithAutoRefresh(String sslProviderString,
String keyStoreTypeString,
String keyStore,
String keyStorePassword,
boolean allowInsecureConnection,
String trustStoreTypeString,
String trustStore,
String trustStorePassword,
boolean requireTrustedClientCertOnConnect,
Set<String> ciphers,
Set<String> protocols,
long certRefreshInSec) {
public SslContextFactoryWithAutoRefresh(String sslProviderString,
String keyStoreTypeString,
String keyStore,
String keyStorePassword,
boolean allowInsecureConnection,
String trustStoreTypeString,
String trustStore,
String trustStorePassword,
boolean requireTrustedClientCertOnConnect,
long certRefreshInSec)
throws SSLException, FileNotFoundException, GeneralSecurityException, IOException {
super();
sslCtxRefresher = new NetSslContextBuilder(
sslProviderString,
Expand All @@ -53,12 +54,6 @@ public JettySslContextFactoryWithAutoRefresh(String sslProviderString,
trustStorePassword,
requireTrustedClientCertOnConnect,
certRefreshInSec);
if (ciphers != null && ciphers.size() > 0) {
this.setIncludeCipherSuites(ciphers.toArray(new String[0]));
}
if (protocols != null && protocols.size() > 0) {
this.setIncludeProtocols(protocols.toArray(new String[0]));
}
if (sslProviderString != null) {
setProvider(sslProviderString);
}
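Review bot: With the `setIncludeCipherSuites`/`setIncludeProtocols` calls dropped from the constructor in the second hunk, the class Javadoc in the first hunk should say which TLS policy the web server ends up with: as far as the visible lines show, the constructor only sets the provider, so protocols and cipher suites fall back to whatever the Jetty `SslContextFactory` defaults are and cannot be narrowed from the broker or proxy configuration. A sentence on the class comment such as `Protocols and cipher suites are not configured by this class; Jetty's SslContextFactory defaults apply.` makes that visible where an operator or reviewer will look for it. The constructor body continues outside the second hunk, so any other settings applied later are not visible here.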
