Repository: knox Updated Branches: refs/heads/master d268487cc -> 06a61b602
KNOX-566 - Make the Default Ephemeral DH Key Size 2048 for TLS
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/06a61b60
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/06a61b60
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/06a61b60
Branch: refs/heads/master
Commit: 06a61b602363b4e86fd2e0fcbdc8284ddfd70230
Parents: d268487
Author: Larry McCay <lmc...@hortonworks.com>
Authored: Wed Jul 15 16:54:13 2015 -0400
Committer: Larry McCay <lmc...@hortonworks.com>
Committed: Wed Jul 15 16:54:13 2015 -0400
----------------------------------------------------------------------
.../hadoop/gateway/config/impl/GatewayConfigImpl.java | 9 +++++++++
.../gateway/services/security/impl/JettySSLService.java | 6 ++++--
.../org/apache/hadoop/gateway/config/GatewayConfig.java | 2 ++
.../java/org/apache/hadoop/gateway/GatewayTestConfig.java | 8 ++++++++
4 files changed, 23 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
index 77fb792..e62f438 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/config/impl/GatewayConfigImpl.java
@@ -111,6 +111,7 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
 private static final String TRUSTSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".truststore.type";
 private static final String KEYSTORE_TYPE = GATEWAY_CONFIG_FILE_PREFIX + ".keystore.type";
 private static final String XFORWARDED_ENABLED = GATEWAY_CONFIG_FILE_PREFIX + ".xforwarded.enabled";
+ private static final String EPHEMERAL_DH_KEY_SIZE = GATEWAY_CONFIG_FILE_PREFIX + ".jdk.tls.ephemeralDHKeySize";
 // These config property names are not inline with the convention of using the
 // GATEWAY_CONFIG_FILE_PREFIX as is done by those above. These are left for
@@ -436,4 +437,12 @@ public class GatewayConfigImpl extends Configuration implements GatewayConfig {
 String xForwardedEnabled = get( XFORWARDED_ENABLED, "true" );
 return "true".equals(xForwardedEnabled);
 }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+ */
+ @Override
+ public String getEphemeralDHKeySize() {
+ return get( EPHEMERAL_DH_KEY_SIZE, "2048");
+ }
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index f2facee..58a699f 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
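Review bot: The new getEphemeralDHKeySize() in the second hunk returns whatever string is configured under gateway.jdk.tls.ephemeralDHKeySize without checking it, and this commit's JettySSLService change writes that string straight into the jdk.tls.ephemeralDHKeySize system property. The JVM does not validate it at that point; in the JDK versions I am familiar with an unparseable or out-of-range value is rejected only when JSSE's handshake code first initializes (surfacing as an IllegalArgumentException out of a static initializer on the first TLS connection), and an empty value is treated as unset, so a typo in the config silently or belatedly lands the server on a weaker default than the 2048 this commit intends. Validating at config-read time fails fast with a message naming the property, which is the behaviour a security setting should have; the JDK also accepts the named modes `legacy` and `matched`, so those must pass through unchanged.
```java
  @Override
  public String getEphemeralDHKeySize() {
    String size = get( EPHEMERAL_DH_KEY_SIZE, "2048" ).trim();
    // An empty value would be treated as "unset" by JSSE and fall back to the JDK default.
    if ( size.isEmpty() ) {
      return "2048";
    }
    // "legacy" and "matched" are JSSE's named modes; anything else must be a DH bit length.
    if ( !"legacy".equals( size ) && !"matched".equals( size ) ) {
      try {
        Integer.parseInt( size );
      } catch ( NumberFormatException e ) {
        throw new IllegalArgumentException(
            "Invalid value for " + EPHEMERAL_DH_KEY_SIZE + ": " + size, e );
      }
    }
    return size;
  }
```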
@@ -43,11 +43,11 @@ import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 public class JettySSLService implements SSLService {
- private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
+ private static final String EPHEMERAL_DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";
 private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
 private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
 private static GatewayMessages log = MessagesFactory.get( GatewayMessages.class );
-
+
 private MasterService ms;
 private KeystoreService ks;
 private AliasService as;
@@ -74,6 +74,8 @@ public class JettySSLService implements SSLService {
 @Override
 public void init(GatewayConfig config, Map<String, String> options) throws ServiceLifecycleException {
+ // set any JSSE or security related system properties
+ System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize());
 try {
 if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
 log.creatingCredentialStoreForGateway();
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
index 0494bb8..6363ce4 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/config/GatewayConfig.java
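Review bot: The new `System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, config.getEphemeralDHKeySize())` at the top of init() in the second hunk hands the value over unchecked, and System.setProperty throws NullPointerException on a null value; GatewayConfig is an SPI interface, so an implementation other than GatewayConfigImpl may return null and init() then dies with a bare NPE before the try block, with no ServiceLifecycleException for the caller. A guard keeps the JDK default in that case: `String dhKeySize = config.getEphemeralDHKeySize(); if (dhKeySize != null && !dhKeySize.isEmpty()) { System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, dhKeySize); }`. The property is JVM-global and, in the JDK versions I know, is read only once when JSSE's server-handshake classes initialize, so the new comment should record the ordering this relies on rather than just "set any JSSE ... properties": `// must run before any TLS handshake in this JVM: JSSE reads jdk.tls.ephemeralDHKeySize once, at class init`. init() continues past the end of the hunk.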
@@ -104,4 +104,6 @@ public interface GatewayConfig {
 String getTruststoreType();
 boolean isXForwardedEnabled();
+
+ String getEphemeralDHKeySize();
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/06a61b60/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
index 3940474..1da75b0 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayTestConfig.java
@@ -250,4 +250,12 @@ public class GatewayTestConfig extends Configuration implements GatewayConfig {
 public void setXForwardedEnabled(boolean enabled) {
 xForwardedEnabled = enabled;
 }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.config.GatewayConfig#getEphemeralDHKeySize()
+ */
+ @Override
+ public String getEphemeralDHKeySize() {
+ return "2048";
+ }
 }
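Review bot: The new SPI method `String getEphemeralDHKeySize();` in the first hunk has no Javadoc, and its contract matters more than most getters on this interface because JettySSLService in this commit writes the returned string into a JVM-wide system property. Third-party GatewayConfig implementations need to know the value must be non-null and must be something JSSE accepts, otherwise the failure shows up as an NPE or a handshake-time error far from their code. Proposed Javadoc: `/** Value for the {@code jdk.tls.ephemeralDHKeySize} JSSE system property, applied by the SSL service at startup.` / ` *  Must be non-null and a value JSSE accepts (a DH key length in bits such as {@code "2048"}, or a JDK-defined mode name). */`.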
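Review bot: The GatewayTestConfig implementation in the second hunk hard-codes `return "2048";`, which differs in style from the `setXForwardedEnabled` setter directly above it and means no test can drive JettySSLService with a different or deliberately invalid DH key size to check how init() and the TLS handshake behave. A field with a setter, mirroring the xForwardedEnabled pattern (whose field is declared outside this hunk), keeps the default and makes the value controllable from tests.
```java
  private String ephemeralDHKeySize = "2048";

  public void setEphemeralDHKeySize(String size) {
    ephemeralDHKeySize = size;
  }

  @Override
  public String getEphemeralDHKeySize() {
    return ephemeralDHKeySize;
  }
```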