PakhomovAlexander commented on code in PR #1779:
URL: https://github.com/apache/ignite-3/pull/1779#discussion_r1134080944
##########
modules/runner/src/integrationTest/java/org/apache/ignite/internal/ssl/ItSslTest.java:
##########
@@ -250,6 +253,148 @@ void jdbcCanConnectWithSsl() throws SQLException {
}
}
+ @Nested
+ @DisplayName("Given SSL enabled on the cluster and specific cipher
enabled")
+ class ClusterWithSslCustomCipher {
+
+ @Language("JSON")
+ String sslEnabledWithCipherBoostrapConfig = "{\n"
+ + " network: {\n"
+ + " ssl : {"
+ + " enabled: true,\n"
+ + " ciphers: TLS_AES_256_GCM_SHA384,\n"
+ + " trustStore: {\n"
+ + " password: \"" + password + "\","
+ + " path: \"" + escapeWindowsPath(trustStorePath) + "\""
+ + " },\n"
+ + " keyStore: {\n"
+ + " password: \"" + password + "\","
+ + " path: \"" + escapeWindowsPath(keyStorePath) + "\""
+ + " }\n"
+ + " },\n"
+ + " port: 3345,\n"
+ + " portRange: 2,\n"
+ + " nodeFinder:{\n"
+ + " netClusterNodes: [ \"localhost:3345\",
\"localhost:3346\" ]\n"
+ + " }\n"
+ + " },\n"
+ + " clientConnector.ssl: {\n"
+ + " enabled: true, "
Review Comment:
Shouldn't we configure `ciphers: TLS_AES_256_GCM_SHA384` for
`clientConnector.ssl`?
##########
modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java:
##########
@@ -73,4 +85,22 @@ private static void
validateKeyStore(ValidationContext<AbstractSslView> ctx, Str
}
}
}
+
+ private static void validateCiphers(ValidationContext<AbstractSslView>
ctx, AbstractSslView ssl) {
+ try {
+ SslContext context = SslContextBuilder.forClient().build();
+ Set<String> supported =
Arrays.stream(context.newEngine(ByteBufAllocator.DEFAULT).getSupportedCipherSuites())
+ .filter(Objects::nonNull) // OpenSSL engine returns null
string in the array so we need to filter them out
+ .collect(Collectors.toSet());
+ Set<String> ciphers = Arrays.stream(ssl.ciphers().split(","))
+ .map(String::strip)
+ .collect(Collectors.toSet());
+ if (!supported.containsAll(ciphers)) {
+ ciphers.removeAll(supported);
+ ctx.addIssue(new ValidationIssue(ctx.currentKey(), "There are
unsupported cipher suites: " + ciphers));
+ }
+ } catch (SSLException e) {
+ ctx.addIssue(new ValidationIssue(ctx.currentKey(), "Can't create
SSL engine"));
Review Comment:
I think we need to log the exception here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
