This is an automated email from the ASF dual-hosted git repository.
lizhimin pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/rocketmq.git
The following commit(s) were added to refs/heads/develop by this push:
new a2747dacbd [ISSUE #9769] Add tls.ciphers and tls.protocols in system
properties (#9770)
a2747dacbd is described below
commit a2747dacbd2228d94f8bd4c034a79ffcf94686ef
Author: carlvine500 <[email protected]>
AuthorDate: Wed Oct 22 16:19:18 2025 +0800
[ISSUE #9769] Add tls.ciphers and tls.protocols in system properties (#9770)
---
docs/cn/Configuration_TLS.md | 12 +++++++
.../proxy/remoting/MultiProtocolTlsHelper.java | 1 +
.../apache/rocketmq/remoting/netty/TlsHelper.java | 42 +++++++++++++++-------
.../rocketmq/remoting/netty/TlsSystemConfig.java | 21 +++++++++++
4 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/docs/cn/Configuration_TLS.md b/docs/cn/Configuration_TLS.md
index 9ff03e53a2..46daf5d3ef 100644
--- a/docs/cn/Configuration_TLS.md
+++ b/docs/cn/Configuration_TLS.md
@@ -52,6 +52,10 @@ tls.server.certPath=/opt/certFiles/server.pem
tls.server.authClient=false
# The store path of trusted certificates for verifying the client endpoint's
certificate
tls.server.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+#
tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
```
如果需要客户端连接时也进行认证,则还需要在该文件中增加以下内容
@@ -66,6 +70,10 @@ tls.client.certPath=/opt/certFiles/client.pem
tls.client.authServer=false
# The store path of trusted certificates for verifying the server endpoint's
certificate
tls.client.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+#
tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
```
@@ -96,6 +104,10 @@ tls.client.keyPassword=123456
tls.client.certPath=/opt/certFiles/client.pem
# The store path of trusted certificates for verifying the server endpoint's
certificate
tls.client.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+#
tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
```
JVM中需要加以下参数.tls.config.file的值需要使用之前创建的文件:
diff --git
a/proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java
b/proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java
index b874e8351d..913681ff69 100644
---
a/proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java
+++
b/proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java
@@ -94,6 +94,7 @@ public class MultiProtocolTlsHelper extends TlsHelper {
ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
ApplicationProtocolNames.HTTP_2));
+ moreTlsConfig(sslContextBuilder);
return sslContextBuilder.build();
}
diff --git
a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
index d7a8dfb22c..81a4a44978 100644
--- a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
+++ b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java
@@ -29,16 +29,19 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
+import java.util.Arrays;
import java.util.Properties;
import org.apache.rocketmq.common.constant.LoggerName;
import org.apache.rocketmq.logging.org.slf4j.Logger;
import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CIPHERS;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_AUTHSERVER;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_CERTPATH;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPASSWORD;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPATH;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_TRUSTCERTPATH;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_PROTOCOLS;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_AUTHCLIENT;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_CERTPATH;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYPASSWORD;
@@ -46,11 +49,13 @@ import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYP
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_NEED_CLIENT_AUTH;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_TRUSTCERTPATH;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_TEST_MODE_ENABLE;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsCiphers;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientAuthServer;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientCertPath;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPassword;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPath;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientTrustCertPath;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsProtocols;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerAuthClient;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerCertPath;
import static
org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerKeyPassword;
@@ -102,15 +107,15 @@ public class TlsHelper {
LOGGER.info("Using JDK SSL provider");
}
+ SslContextBuilder sslContextBuilder = null;
if (forClient) {
if (tlsTestModeEnable) {
- return SslContextBuilder
+ sslContextBuilder = SslContextBuilder
.forClient()
.sslProvider(SslProvider.JDK)
- .trustManager(InsecureTrustManagerFactory.INSTANCE)
- .build();
+ .trustManager(InsecureTrustManagerFactory.INSTANCE);
} else {
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
+ sslContextBuilder =
SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
if (!tlsClientAuthServer) {
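Review bot: Initializing `sslContextBuilder` to `null` on the first added line gives up the compiler's definite-assignment check; as far as the hunks show, every branch below assigns the builder before the trailing `moreTlsConfig(...)`/`build()` call, so the plain declaration `SslContextBuilder sslContextBuilder;` is enough and turns any future branch that forgets to assign into a compile error instead of a NullPointerException inside `moreTlsConfig`. The same applies to the reassignments in the next hunk (`sslContextBuilder = sslContextBuilder.keyManager(...)`), which are harmless but not needed once the variable is definitely assigned, since the builder is mutated in place. The enclosing method starts before this hunk and ends in a later one.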
@@ -121,23 +126,21 @@ public class TlsHelper {
}
}
- return sslContextBuilder.keyManager(
+ sslContextBuilder = sslContextBuilder.keyManager(
!isNullOrEmpty(tlsClientCertPath) ? new
FileInputStream(tlsClientCertPath) : null,
!isNullOrEmpty(tlsClientKeyPath) ?
decryptionStrategy.decryptPrivateKey(tlsClientKeyPath, true) : null,
- !isNullOrEmpty(tlsClientKeyPassword) ?
tlsClientKeyPassword : null)
- .build();
+ !isNullOrEmpty(tlsClientKeyPassword) ?
tlsClientKeyPassword : null);
}
} else {
if (tlsTestModeEnable) {
SelfSignedCertificate selfSignedCertificate = new
SelfSignedCertificate();
- return SslContextBuilder
+ sslContextBuilder = SslContextBuilder
.forServer(selfSignedCertificate.certificate(),
selfSignedCertificate.privateKey())
.sslProvider(provider)
- .clientAuth(ClientAuth.OPTIONAL)
- .build();
+ .clientAuth(ClientAuth.OPTIONAL);
} else {
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(
+ sslContextBuilder = SslContextBuilder.forServer(
!isNullOrEmpty(tlsServerCertPath) ? new
FileInputStream(tlsServerCertPath) : null,
!isNullOrEmpty(tlsServerKeyPath) ?
decryptionStrategy.decryptPrivateKey(tlsServerKeyPath, false) : null,
!isNullOrEmpty(tlsServerKeyPassword) ?
tlsServerKeyPassword : null)
@@ -152,11 +155,20 @@ public class TlsHelper {
}
sslContextBuilder.clientAuth(parseClientAuthMode(tlsServerNeedClientAuth));
- return sslContextBuilder.build();
}
}
+ moreTlsConfig(sslContextBuilder);
+ return sslContextBuilder.build();
}
+ protected static void moreTlsConfig(SslContextBuilder sslContextBuilder) {
+ if (tlsCiphers != null) {
+ sslContextBuilder.ciphers(Arrays.asList(tlsCiphers.split(",")));
+ }
+ if (tlsProtocols != null) {
+ sslContextBuilder.protocols(tlsProtocols.split(","));
+ }
+ }
private static void extractTlsConfigFromFile(final File configFile) {
if (!(configFile.exists() && configFile.isFile() &&
configFile.canRead())) {
LOGGER.info("Tls config file doesn't exist, skip it");
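Review bot: `moreTlsConfig` only guards against `null`, but both values can arrive from the properties file as an empty or whitespace-padded string (`Properties` keeps trailing whitespace, and `"".split(",")` yields `[""]`), so `tls.ciphers=` or `tls.protocols=TLSv1.2, TLSv1.3` ends up handing Netty an empty name or `" TLSv1.3"`; I believe Netty's default identity cipher filter passes the list through verbatim, so this surfaces only at handshake time rather than at startup. The file already uses `isNullOrEmpty`, so the check should use it, and entries should be trimmed with empty ones dropped, skipping the override entirely when nothing is left so the defaults stay in force. The new protected method also lacks Javadoc; a one-liner such as "Applies the optional tls.ciphers / tls.protocols overrides; a null or blank value leaves Netty's defaults untouched" would do. The call site added in `MultiProtocolTlsHelper` needs no change since the fix lives in the definition.
```java
    protected static void moreTlsConfig(SslContextBuilder sslContextBuilder) {
        String[] ciphers = splitTlsList(tlsCiphers);
        if (ciphers.length > 0) {
            sslContextBuilder.ciphers(Arrays.asList(ciphers));
        }
        String[] protocols = splitTlsList(tlsProtocols);
        if (protocols.length > 0) {
            sslContextBuilder.protocols(protocols);
        }
    }

    /** Splits a comma-separated config value; null/blank input or all-empty entries yield an empty array. */
    private static String[] splitTlsList(String value) {
        if (isNullOrEmpty(value)) {
            return new String[0];
        }
        return Arrays.stream(value.split(","))
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .toArray(String[]::new);
    }
```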
@@ -192,6 +204,9 @@ public class TlsHelper {
tlsClientCertPath = properties.getProperty(TLS_CLIENT_CERTPATH,
tlsClientCertPath);
tlsClientAuthServer =
Boolean.parseBoolean(properties.getProperty(TLS_CLIENT_AUTHSERVER,
String.valueOf(tlsClientAuthServer)));
tlsClientTrustCertPath =
properties.getProperty(TLS_CLIENT_TRUSTCERTPATH, tlsClientTrustCertPath);
+
+ tlsCiphers = properties.getProperty(TLS_CIPHERS, tlsCiphers);
+ tlsProtocols = properties.getProperty(TLS_PROTOCOLS, tlsProtocols);
}
private static void logTheFinalUsedTlsConfig() {
@@ -207,6 +222,9 @@ public class TlsHelper {
LOGGER.debug("{} = {}", TLS_CLIENT_CERTPATH, tlsClientCertPath);
LOGGER.debug("{} = {}", TLS_CLIENT_AUTHSERVER, tlsClientAuthServer);
LOGGER.debug("{} = {}", TLS_CLIENT_TRUSTCERTPATH,
tlsClientTrustCertPath);
+
+ LOGGER.debug("{} = {}", TLS_CIPHERS, tlsCiphers);
+ LOGGER.debug("{} = {}", TLS_PROTOCOLS, tlsProtocols);
}
private static ClientAuth parseClientAuthMode(String authMode) {
diff --git
a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
index 403bd6c9a8..4056ea1f63 100644
---
a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
+++
b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
@@ -39,6 +39,9 @@ public class TlsSystemConfig {
public static final String TLS_CLIENT_AUTHSERVER = "tls.client.authServer";
public static final String TLS_CLIENT_TRUSTCERTPATH =
"tls.client.trustCertPath";
+ public static final String TLS_CIPHERS = "tls.ciphers";
+ public static final String TLS_PROTOCOLS = "tls.protocols";
+
/**
* To determine whether use SSL in client-side, include SDK client and
BrokerOuterAPI
@@ -122,4 +125,22 @@ public class TlsSystemConfig {
* except {@link TlsSystemConfig#tlsMode} and {@link
TlsSystemConfig#tlsEnable}
*/
public static String tlsConfigFile = System.getProperty(TLS_CONFIG_FILE,
"/etc/rocketmq/tls.properties");
+
+ /**
+ * The ciphers to be used in TLS
+ * <ol>
+ * <li>If null, use the default ciphers</li>
+ * <li>Otherwise, use the ciphers specified in this string, eg:
-Dtls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li>
+ * </ol>
+ */
+ public static String tlsCiphers = System.getProperty(TLS_CIPHERS, null);
+
+ /**
+ * The protocols to be used in TLS
+ * <ol>
+ * <li>If null, use the default protocols</li>
+ * <li>Otherwise, use the protocols specified in this string, eg:
-Dtls.protocols=TLSv1.2,TLSv1.3</li>
+ * </ol>
+ */
+ public static String tlsProtocols = System.getProperty(TLS_PROTOCOLS,
null);
}
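Review bot: The two new fields pass an explicit `null` default to `System.getProperty`, which is identical to the single-argument form; `System.getProperty(TLS_CIPHERS)` and `System.getProperty(TLS_PROTOCOLS)` read more directly and match the intent stated in the Javadoc. The Javadoc itself says only "If null, use the default", yet the value can also be set to an empty string from the command line or the properties file; a sentence such as "Comma-separated list as understood by Netty's SslContextBuilder; an empty value should be treated like null" would make the contract explicit for whoever consumes these fields.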