Skip to content

Commit

Permalink
Add static override for JDK TLS disabled/legacy algorithms in Java co…
Browse files Browse the repository at this point in the history
…ntainer (#24619)

* Adding jdk.tls security property options to java containers

* Update CHANGES.md

remove whitespace line endings

* Fix invalid copy task configuration

* Adding license to TLS properties files

* Added bugfix description and link to CHANGES.md for #24623

* Renaming to match global implications for security properties override as TLS configs are not the only properties that can be changed

* Add license

* Add license

* Adding TLS-enabled check to SdkHarnessEnvironment tests

* Update sdks/java/container/java11/option-java11-security.json

Co-authored-by: Kiley Sok <[email protected]>

* Adjusting version fallback specification for Java

* Making suggested fixes

* Fixing indentation

* Adding SSLContext check to TLS availability test

* Making suggested improvements to test

* Removing exception imports no longer needed

* Remove whitespace and erroneous context null initialization

* Fix typo

* Update sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java

Co-authored-by: Lukasz Cwik <[email protected]>

* Fix spotless java precommit formatting error

Co-authored-by: Kiley Sok <[email protected]>
Co-authored-by: Lukasz Cwik <[email protected]>
  • Loading branch information
3 people authored Jan 5, 2023
1 parent 37c7bee commit 0e9fe07
Show file tree
Hide file tree
Showing 9 changed files with 220 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@

* RunInference Wrapper with Sklearn Model Handler support added in Go SDK ([#24497](https://github.com/apache/beam/issues/23382)).
* X feature added (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
* Adding override of allowed TLS algorithms (Java), now maintaining the disabled/legacy algorithms
present in 2.43.0 (up to 1.8.0_342, 11.0.16, 17.0.2 for respective Java versions). This is accompanied
by an explicit re-enabling of TLSv1 and TLSv1.1 for Java 8 and Java 11.

## Breaking Changes

Expand All @@ -81,6 +84,7 @@
## Bugfixes

* Avoids Cassandra syntax error when user-defined query has no where clause in it (Java) ([#24829](https://github.com/apache/beam/issues/24829)).
* Fixed JDBC connection failures (Java) during handshake due to deprecated TLSv1(.1) protocol for the JDK. ([#24623](https://github.com/apache/beam/issues/24623))

## Known Issues

Expand Down
6 changes: 4 additions & 2 deletions sdks/java/container/common.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,10 @@ task copyGolangLicenses(type: Copy) {
task copyJdkOptions(type: Copy) {
if (imageJavaVersion == "17" || imageJavaVersion == "11") {
from "option-jamm.json"
into "build/target/options"
}
from "java${imageJavaVersion}-security.properties"
from "option-java${imageJavaVersion}-security.json"
into "build/target/options"
}

task skipPullLicenses(type: Exec) {
Expand Down Expand Up @@ -129,4 +131,4 @@ dockerPrepare.dependsOn copySdkHarnessLauncher
dockerPrepare.dependsOn copyDockerfileDependencies
dockerPrepare.dependsOn ":sdks:java:container:downloadCloudProfilerAgent"
dockerPrepare.dependsOn copyJdkOptions
dockerPrepare.dependsOn validateJavaHome
dockerPrepare.dependsOn validateJavaHome
47 changes: 47 additions & 0 deletions sdks/java/container/java11/java11-security.properties
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Java 11 java.security properties file override for JVM
# base properties derived from:
# openjdk version "11.0.16" 2022-07-19
# OpenJDK Runtime Environment 18.9 (build 11.0.16+8)
# OpenJDK 64-Bit Server VM 18.9 (build 11.0.16+8, mixed mode, sharing)

# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
# legacy algorithms list to allow it to be used if something better is not
# available (e.g. TLSv1.2). This will prevent breakages for existing users
# (for example JDBC with MySQL). See
# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
# for additional details.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC, TLSv1, TLSv1.1

# /dev/random blocks in virtualized environments due to lack of
# good entropy sources, which makes SecureRandom use impractical.
# In particular, that affects the performance of HTTPS that relies
# on SecureRandom.
#
# Due to that, /dev/urandom is used as the default.
#
# See http://www.2uo.de/myths-about-urandom/ for some background
# on security of /dev/urandom on Linux.
securerandom.source=file:/dev/./urandom
9 changes: 9 additions & 0 deletions sdks/java/container/java11/option-java11-security.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"name": "java-security",
"enabled": true,
"options": {
"properties": {
"java.security.properties": "/opt/apache/beam/options/java11-security.properties"
}
}
}
47 changes: 47 additions & 0 deletions sdks/java/container/java17/java17-security.properties
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Java 17 java.security properties file override for JVM
# base properties derived from:
# openjdk version "17.0.2" 2022-01-18
# OpenJDK Runtime Environment (build 17.0.2+8-86)
# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)

# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
# legacy algorithms list to allow it to be used if something better is not
# available (e.g. TLSv1.2). This will prevent breakages for existing users
# (for example JDBC with MySQL). See
# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
# for additional details.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

# The raw value from 17.0.2 for legacyAlgorithms is
# NULL, anon, RC4, DES, 3DES_EDE_CBC
# Because these values are in disabledAlgorithms, it is erroneous to include
# them in legacy (they are disabled in Java 8 and Java 11 as well). Here we
# only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms
jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1

# /dev/random blocks in virtualized environments due to lack of
# good entropy sources, which makes SecureRandom use impractical.
# In particular, that affects the performance of HTTPS that relies
# on SecureRandom.
#
# Due to that, /dev/urandom is used as the default.
#
# See http://www.2uo.de/myths-about-urandom/ for some background
# on security of /dev/urandom on Linux.
securerandom.source=file:/dev/./urandom
9 changes: 9 additions & 0 deletions sdks/java/container/java17/option-java17-security.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"name": "java-security",
"enabled": true,
"options": {
"properties": {
"java.security.properties": "/opt/apache/beam/options/java17-security.properties"
}
}
}
47 changes: 47 additions & 0 deletions sdks/java/container/java8/java8-security.properties
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Java 8 java.security properties file override for JVM
# base properties derived from:
# openjdk version "1.8.0_342"
# OpenJDK Runtime Environment (build 1.8.0_342-b07)
# OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode)

# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
# legacy algorithms list to allow it to be used if something better is not
# available (e.g. TLSv1.2). This will prevent breakages for existing users
# (for example JDBC with MySQL). See
# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
# for additional details.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC, TLSv1, TLSv1.1

# /dev/random blocks in virtualized environments due to lack of
# good entropy sources, which makes SecureRandom use impractical.
# In particular, that affects the performance of HTTPS that relies
# on SecureRandom.
#
# Due to that, /dev/urandom is used as the default.
#
# See http://www.2uo.de/myths-about-urandom/ for some background
# on security of /dev/urandom on Linux.
securerandom.source=file:/dev/./urandom
9 changes: 9 additions & 0 deletions sdks/java/container/java8/option-java8-security.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"name": "java-security",
"enabled": true,
"options": {
"properties": {
"java.security.properties": "/opt/apache/beam/options/java8-security.properties"
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,12 @@

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.Matchers.hasItemInArray;
import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertNotNull;

import java.security.Security;
import javax.net.ssl.SSLContext;
import org.apache.beam.sdk.coders.StringUtf8Coder;
import org.apache.beam.sdk.testing.PAssert;
import org.apache.beam.sdk.testing.TestPipeline;
Expand Down Expand Up @@ -66,4 +71,43 @@ public void testJammAgentAvailable() throws Exception {
PAssert.that(output).containsInAnyOrder("measured");
p.run().waitUntilFinish();
}

/** {@link DoFn} used to validate that TLS was enabled as part of java security properties. */
private static class TLSDoFn extends DoFn<String, String> {
@ProcessElement
public void processElement(ProcessContext c) throws Exception {
String[] disabledAlgorithms =
Security.getProperty("jdk.tls.disabledAlgorithms").trim().split("\\s*,\\s*");
String[] legacyAlgorithms =
Security.getProperty("jdk.tls.legacyAlgorithms").trim().split("\\s*,\\s*");
assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1")));
assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1.1")));
assertThat(legacyAlgorithms, hasItemInArray("TLSv1"));
assertThat(legacyAlgorithms, hasItemInArray("TLSv1.1"));

// getDefaultSSLParameters() shows all protocols that JSSE implements that are allowed.
// getSupportedSSLParameters() shows all protocols that JSSE implements including those that
// are disabled.
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
assertNotNull(context);
String[] defaultProtocols = context.getDefaultSSLParameters().getProtocols();
assertThat(defaultProtocols, hasItemInArray("TLSv1"));
assertThat(defaultProtocols, hasItemInArray("TLSv1.1"));

c.output("TLSv1-TLSv1.1 enabled");
}
}

@Test
@Category({ValidatesRunner.class, UsesSdkHarnessEnvironment.class})
public void testTlsAvailable() throws Exception {
PCollection<String> input = p.apply(Create.of("TLS").withCoder(StringUtf8Coder.of()));

PCollection<String> output = input.apply(ParDo.of(new TLSDoFn()));

PAssert.that(output).containsInAnyOrder("TLSv1-TLSv1.1 enabled");

p.run().waitUntilFinish();
}
}

0 comments on commit 0e9fe07

Please sign in to comment.