DRILL-8177: Bump default TLS version to 1.3 (#2505)

* Bump default TLS version to 1.3. Fix web server log

* Change TLS version in tests. Change value of TLS constants
diff --git a/distribution/src/main/resources/drill-override-example.conf b/distribution/src/main/resources/drill-override-example.conf
index 034307b..35fcb1c 100644
--- a/distribution/src/main/resources/drill-override-example.conf
+++ b/distribution/src/main/resources/drill-override-example.conf
@@ -335,10 +335,10 @@
     keyPassword: "key_passwd",
     #Optional handshakeTimeout in milliseconds. Default is 10000 ms (10 seconds)
     handshakeTimeout: 10000,
-    #protocol is optional. Drill will default to TLSv1.2. Valid values depend on protocol versions
+    #protocol is optional. Drill will default to TLSv1.3. Valid values depend on protocol versions
     # enabled for tje underlying securrity provider. For JSSE these are : SSL, SSLV2, SSLV3,
-    # TLS, TLSV1, TLSv1.1, TLSv1.2
-    protocol: "TLSv1.2",
+    # TLS, TLSV1, TLSv1.1, TLSv1.2, TLSv1.3
+    protocol: "TLSv1.3",
     #ssl provider. May be "JDK" or "OPENSSL". Default is "JDK"
     provider: "JDK"
   }
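Review bot: The updated comment still lists SSL, SSLV2, SSLV3, TLSV1 and TLSv1.1 as valid values without saying they are obsolete, and the `SSL_PROTOCOL` comment in ExecConstants.java repeats the same list. Operators copy from this example file, so I would add a line such as `# Versions older than TLSv1.2 are deprecated and are usually disabled by the security provider; use TLSv1.2 or TLSv1.3.` It would also help to say that the new default needs a runtime or provider that supports TLSv1.3. The enclosing ssl block begins outside the hunk.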
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/ExecConstants.java b/exec/java-exec/src/main/java/org/apache/drill/exec/ExecConstants.java
index 1ca51bc..3351869 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/ExecConstants.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/ExecConstants.java
@@ -197,7 +197,7 @@
       new OptionDescription("Linearly reduces partition sender buffer row count after this number of receivers. Default is 0 (disabled). (Since Drill 1.18)"));
 
   public static final String SSL_PROVIDER = "drill.exec.ssl.provider"; // valid values are "JDK", "OPENSSL" // default JDK
-  public static final String SSL_PROTOCOL = "drill.exec.ssl.protocol"; // valid values are SSL, SSLV2, SSLV3, TLS, TLSV1, TLSv1.1, TLSv1.2(default)
+  public static final String SSL_PROTOCOL = "drill.exec.ssl.protocol"; // valid values are SSL, SSLV2, SSLV3, TLS, TLSV1, TLSv1.1, TLSv1.2, TLSv1.3(default)
   public static final String SSL_KEYSTORE_TYPE = "drill.exec.ssl.keyStoreType";
   public static final String SSL_KEYSTORE_PATH = "drill.exec.ssl.keyStorePath";     // path to keystore. default : $JRE_HOME/lib/security/keystore.jks
   public static final String SSL_KEYSTORE_PASSWORD = "drill.exec.ssl.keyStorePassword"; // default: changeit
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfigurator.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfigurator.java
index 7da5465..3a74549 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfigurator.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfigurator.java
@@ -94,7 +94,6 @@
       }
     }
     sslFactory.setIncludeProtocols(sslConf.getProtocol());
-    logger.info("Web server configured to use TLS protocol '{}'", sslConf.getProtocol());
     if (config.hasPath(ExecConstants.HTTP_JETTY_SSL_CONTEXT_FACTORY_OPTIONS_PREFIX)) {
       setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_CERT_ALIAS, sslFactory::setCertAlias);
       setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_CRL_PATH, sslFactory::setCrlPath);
@@ -126,6 +125,7 @@
       setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_VALIDATE_PEER_CERTS, sslFactory::setValidatePeerCerts);
       setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_WANT_CLIENT_AUTH, sslFactory::setWantClientAuth);
     }
+    logger.info("Web server configured to use TLS protocol '{}'", String.join(", ", sslFactory.getIncludeProtocols()));
   }
 
   private void setStringArrayIfPresent(String optKey, Consumer<String[]> optSet) {
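Review bot: The new log line prints `sslFactory.getIncludeProtocols()`, which is the configured include list rather than the set of protocols the web server will actually offer. An exclude list set through the Jetty options block, or a JVM that lacks one of the listed versions, would not show up in it. Consider wording the message as `"Web server TLS include protocols: '{}'"` and also logging `sslFactory.getExcludeProtocols()`, so that someone auditing the log is not misled about the effective configuration. The enclosing method starts outside the hunk, so whether the options block can set excludes is inferred rather than visible here.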
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java b/exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java
index e82bbdf..0564e10 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/ssl/SSLConfig.java
@@ -41,7 +41,7 @@
   private static final Logger logger = LoggerFactory.getLogger(SSLConfig.class);
 
   public static final String DEFAULT_SSL_PROVIDER = "JDK"; // JDK or OPENSSL
-  public static final String DEFAULT_SSL_PROTOCOL = "TLSv1.2";
+  public static final String DEFAULT_SSL_PROTOCOL = "TLSv1.3";
   public static final int DEFAULT_SSL_HANDSHAKE_TIMEOUT_MS = 10 * 1000; // 10 seconds
 
   // Either the Netty SSL context or the JDK SSL context will be initialized
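Review bot: `DEFAULT_SSL_PROTOCOL` now names a version that older Java runtimes and OpenSSL builds do not provide, and nothing in this hunk documents what happens to peers limited to TLS 1.2. I would add a comment such as `// Requires a JVM/provider with TLS 1.3 support; set drill.exec.ssl.protocol to "TLSv1.2" for peers that cannot negotiate 1.3`. The same literal is hard-coded in drill-module.conf, so the two defaults can drift apart; a short cross-reference comment would help. Whether this value acts as an exact version or an upper bound depends on how SSLConfig builds its context, which is outside the hunk.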
diff --git a/exec/java-exec/src/main/resources/drill-module.conf b/exec/java-exec/src/main/resources/drill-module.conf
index fa67fd1..56b1515 100644
--- a/exec/java-exec/src/main/resources/drill-module.conf
+++ b/exec/java-exec/src/main/resources/drill-module.conf
@@ -210,7 +210,7 @@
     trustStorePassword =  ${?javax.net.ssl.trustStorePassword}
     # default key password to keystore password
     keyPassword = ${?javax.net.ssl.keyStorePassword},
-    protocol: "TLSv1.2",
+    protocol: "TLSv1.3",
     # if true, then Drill will read SSL parameters from the
     # Hadoop configuration files.
     useHadoopConfig : true,
diff --git a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java
index e99bc1e..3e82419 100644
--- a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java
+++ b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSL.java
@@ -76,7 +76,7 @@
         .withValue(ExecConstants.SSL_TRUSTSTORE_PASSWORD,
             ConfigValueFactory.fromAnyRef("drill123"))
         .withValue(ExecConstants.SSL_PROTOCOL,
-            ConfigValueFactory.fromAnyRef("TLSv1.2")));
+            ConfigValueFactory.fromAnyRef("TLSv1.3")));
 
     initProps = new Properties();
     initProps.setProperty(DrillProperties.ENABLE_TLS, "true");
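Review bot: No visible test still exercises an explicit TLSv1.2 configuration, although it remains a supported setting. The literal is switched to "TLSv1.3" in this hunk, the three later hunks of this file, TestUserBitSSLServer and SslContextFactoryConfiguratorTest. I would keep at least one case with `ConfigValueFactory.fromAnyRef("TLSv1.2")`, and in the others use `SSLConfig.DEFAULT_SSL_PROTOCOL` instead of the literal so the tests follow the default. The enclosing setup method starts outside the hunk.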
@@ -252,7 +252,7 @@
           .withValue(ExecConstants.SSL_KEYSTORE_TYPE, ConfigValueFactory.fromAnyRef("JKS"))
           .withValue(ExecConstants.SSL_KEYSTORE_PATH, ConfigValueFactory.fromAnyRef(keyStorePath))
           .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD, ConfigValueFactory.fromAnyRef("test_password"))
-          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.2")));
+          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.3")));
 
       updateTestCluster(1, sslConfig, connectionProps);
 
@@ -297,7 +297,7 @@
           .withValue(ExecConstants.SSL_KEYSTORE_TYPE, ConfigValueFactory.fromAnyRef("JKS"))
           .withValue(ExecConstants.SSL_KEYSTORE_PATH, ConfigValueFactory.fromAnyRef(unknownKsPath))
           .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD, ConfigValueFactory.fromAnyRef("drill123"))
-          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.2")));
+          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.3")));
 
       updateTestCluster(1, sslConfig, connectionProps);
 
@@ -325,7 +325,7 @@
           .withValue(ExecConstants.SSL_KEYSTORE_TYPE, ConfigValueFactory.fromAnyRef("JKS"))
           .withValue(ExecConstants.SSL_KEYSTORE_PATH, ConfigValueFactory.fromAnyRef(unknownKsPath))
           .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD, ConfigValueFactory.fromAnyRef("drill123"))
-          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.2")));
+          .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.3")));
 
       updateTestCluster(1, sslConfig, connectionProps);
 
diff --git a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSLServer.java b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSLServer.java
index 3d71146..5cadf89 100644
--- a/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSLServer.java
+++ b/exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestUserBitSSLServer.java
@@ -52,7 +52,7 @@
         .withValue(ExecConstants.SSL_KEYSTORE_PATH, ConfigValueFactory.fromAnyRef(ksPath))
         .withValue(ExecConstants.SSL_KEYSTORE_PASSWORD, ConfigValueFactory.fromAnyRef("drill123"))
         .withValue(ExecConstants.SSL_KEY_PASSWORD, ConfigValueFactory.fromAnyRef("drill123"))
-        .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.2")));
+        .withValue(ExecConstants.SSL_PROTOCOL, ConfigValueFactory.fromAnyRef("TLSv1.3")));
     initProps = new Properties();
     initProps.setProperty(DrillProperties.ENABLE_TLS, "true");
     initProps.setProperty(DrillProperties.TRUSTSTORE_PATH, tsPath);
diff --git a/exec/java-exec/src/test/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfiguratorTest.java b/exec/java-exec/src/test/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfiguratorTest.java
index 6a184fb..f7dbdd7 100644
--- a/exec/java-exec/src/test/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfiguratorTest.java
+++ b/exec/java-exec/src/test/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfiguratorTest.java
@@ -42,7 +42,7 @@
   public static void setUpClass() throws Exception {
     ClusterFixtureBuilder fixtureBuilder = ClusterFixture.builder(dirTestWatcher)
         // imitate proper ssl config for embedded web
-        .configProperty(ExecConstants.SSL_PROTOCOL, "TLSv1.2")
+        .configProperty(ExecConstants.SSL_PROTOCOL, "TLSv1.3")
         .configProperty(ExecConstants.HTTP_ENABLE_SSL, true)
         .configProperty(ExecConstants.HTTP_TRUSTSTORE_PATH, "/tmp/ssl/cacerts.jks")
         .configProperty(ExecConstants.HTTP_TRUSTSTORE_PASSWORD, "passphrase")