[
https://issues.apache.org/jira/browse/KNOX-2864?focusedWorklogId=841455&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-841455
]
ASF GitHub Bot logged work on KNOX-2864:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Jan/23 22:40
Start Date: 24/Jan/23 22:40
Worklog Time Spent: 10m
Work Description: zeroflag commented on code in PR #717:
URL: https://github.com/apache/knox/pull/717#discussion_r1086015378
##########
gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/DiscoveryApiClient.java:
##########
@@ -157,12 +161,26 @@ private String getUsername() {
return username;
}
- private void configureTruststore(KeystoreService keystoreService) {
- SSLContext truststoreSSLContext =
TruststoreSSLContextUtils.getTruststoreSSLContext(keystoreService);
+ private void configureSsl(GatewayConfig gatewayConfig, KeyStore trustStore) {
+ final SSLContext truststoreSSLContext =
TruststoreSSLContextUtils.getTruststoreSSLContext(trustStore);
+
if (truststoreSSLContext != null) {
+ final ConnectionSpec.Builder connectionSpecBuilder = new
ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS);
+ if (gatewayConfig.getIncludedSSLCiphers().isEmpty()) {
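Review bot: `gatewayConfig.getIncludedSSLCiphers().isEmpty()` in `configureSsl` dereferences the getter's result without a null check. The `getIncludedSSLCiphers()` implementation quoted in the review comment that follows initialises `list` to null and only assigns it when `SSL_INCLUDE_CIPHERS` is set, non-empty and not "none", so with that implementation an unset property would raise a NullPointerException on this line instead of taking the default branch. Consider reading the value into a local variable and testing `ciphers == null || ciphers.isEmpty()`, or have the getter return an empty list. A short comment stating which cipher suites apply in the default case would also help.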
Review Comment:
I might be missing something, but I don't see how this is enforced. What if there
is no `SSL_INCLUDE_CIPHERS` in the config?
```
@Override
public List<String> getIncludedSSLCiphers() {
  List<String> list = null;
  String value = get(SSL_INCLUDE_CIPHERS);
  if (value != null && !value.isEmpty() &&
      !"none".equalsIgnoreCase(value.trim())) {
    list = Arrays.asList(value.trim().split("\\s*,\\s*"));
  }
  return list;
}
```
Issue Time Tracking
-------------------
Worklog Id: (was: 841455)
Time Spent: 40m (was: 0.5h)
> Make TLS protocol and cipher suites configurable with CM service discovery
> --------------------------------------------------------------------------
>
> Key: KNOX-2864
> URL: https://issues.apache.org/jira/browse/KNOX-2864
> Project: Apache Knox
> Issue Type: Improvement
> Components: cm-discovery, Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The goal of this Jira is to guarantee:
> * Knox picks up defaults in Java's {{java.security}} file in terms of
> disabled algorithms as well as TLS protocols and cipher suites
> * Also, we want these attributes to be configurable in the
> [DiscoveryApiClient|https://github.com/apache/knox/blob/master/gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/DiscoveryApiClient.java]
> class using the already existing gateway-level config.