From f5683beada1a5c7bd644fe8cf4ba6d77c5ffd05d Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Fri, 9 Dec 2022 15:26:04 +0000
Subject: [PATCH 01/20] Adding jdk.tls security property options to java containers
---
 sdks/java/container/common.gradle | 5 +++++
 .../container/java11/jdk11-tls.properties | 20 +++++++++++++++++
 sdks/java/container/java11/option-tls-11.json | 10 +++++++++
 .../container/java17/jdk17-tls.properties | 14 ++++++++++++
 sdks/java/container/java17/option-tls-17.json | 10 +++++++++
 sdks/java/container/java8/jdk8-tls.properties | 22 +++++++++++++++++++
 sdks/java/container/java8/option-tls-8.json | 10 +++++++++
 7 files changed, 91 insertions(+)
 create mode 100644 sdks/java/container/java11/jdk11-tls.properties
 create mode 100644 sdks/java/container/java11/option-tls-11.json
 create mode 100644 sdks/java/container/java17/jdk17-tls.properties
 create mode 100644 sdks/java/container/java17/option-tls-17.json
 create mode 100644 sdks/java/container/java8/jdk8-tls.properties
 create mode 100644 sdks/java/container/java8/option-tls-8.json
diff --git a/sdks/java/container/common.gradle b/sdks/java/container/common.gradle
index 265d14fbe9c7..9c28271de894 100644
--- a/sdks/java/container/common.gradle
+++ b/sdks/java/container/common.gradle
@@ -82,6 +82,11 @@ task copyJdkOptions(type: Copy) {
 from "option-jamm.json"
 into "build/target/options"
 }
+
+ into("build/target/options") {
+ from "jdk${imageJavaVersion}-tls.properties"
+ from "option-tls-${imageJavaVersion}.json"
+ }
 }
 task skipPullLicenses(type: Exec) {
diff --git a/sdks/java/container/java11/jdk11-tls.properties b/sdks/java/container/java11/jdk11-tls.properties
new file mode 100644
index 000000000000..3ebac53f88ec
--- /dev/null
+++ b/sdks/java/container/java11/jdk11-tls.properties
@@ -0,0 +1,20 @@
+# Java 11 java.security properties file override for JVM
+# base properties derived from:
+# openjdk 11.0.9 2020-10-20
+# OpenJDK Runtime Environment 18.9 (build 11.0.9+11)
+# OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11, mixed mode)
+
+# New versions of Java have now disabled TLSv1 and TLSv1.1
+#
+# To prevent breakages caused by the deprecation of algorithms during JDK
+# updates, we are explictly passing an override to these properties
+# to the JVM as a meta option.
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ include jdk.disabled.namedCurves
+
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC
diff --git a/sdks/java/container/java11/option-tls-11.json b/sdks/java/container/java11/option-tls-11.json
new file mode 100644
index 000000000000..8c482cac1d07
--- /dev/null
+++ b/sdks/java/container/java11/option-tls-11.json
@@ -0,0 +1,10 @@
+{
+ "name": "tls",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/jdk11-tls.properties"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/sdks/java/container/java17/jdk17-tls.properties b/sdks/java/container/java17/jdk17-tls.properties
new file mode 100644
index 000000000000..092c85848d3e
--- /dev/null
+++ b/sdks/java/container/java17/jdk17-tls.properties
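Review bot: The `jdk.tls.disabledAlgorithms=` line replaces the JDK's own value for that key outright (that is how a `java.security.properties` overlay works), so any entry a later JDK security update adds to the disabled list — newer curve or key-size cut-offs, for instance — is silently dropped inside the container, and the header only says the override prevents breakage, not that it freezes this baseline. I would add `# NOTE: this replaces the JDK default wholesale; re-check it against the java.security shipped with each JDK bump` directly above the property. The same applies to the Java 17 and Java 8 files in the next two hunks, and `explictly` in all three headers should read `explicitly`.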
@@ -0,0 +1,14 @@
+# Java 17 java.security properties file override for JVM
+# base properties derived from:
+# openjdk 17.0.2 2022-01-18
+# OpenJDK Runtime Environment (build 17.0.2+8-86)
+# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
+
+# New versions of Java have now disabled TLSv1 and TLSv1.1
+#
+# To prevent breakages caused by the deprecation of algorithms during JDK
+# updates, we are explictly passing an override to these properties
+# to the JVM as a meta option.
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
diff --git a/sdks/java/container/java17/option-tls-17.json b/sdks/java/container/java17/option-tls-17.json
new file mode 100644
index 000000000000..6b00c548e720
--- /dev/null
+++ b/sdks/java/container/java17/option-tls-17.json
@@ -0,0 +1,10 @@
+{
+ "name": "tls",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/jdk17-tls.properties"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/sdks/java/container/java8/jdk8-tls.properties b/sdks/java/container/java8/jdk8-tls.properties
new file mode 100644
index 000000000000..a8db49b2ad51
--- /dev/null
+++ b/sdks/java/container/java8/jdk8-tls.properties
@@ -0,0 +1,22 @@
+# Java 8 java.security properties file override for JVM
+# base properties derived from:
+# java version "1.8.0_151"
+# Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
+# Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
+
+# New versions of Java have now disabled TLSv1 and TLSv1.1
+#
+# To prevent breakages caused by the deprecation of algorithms during JDK
+# updates, we are explictly passing an override to these properties
+# to the JVM as a meta option.
+# NOTE: GCM is explicitly disabled in Java 8 only, not in Java 11 or 17
+jdk.tls.disabledAlgorithms=SSLv3, GCM, RC4, MD5withRSA, DH keySize < 768, \
+ EC keySize < 224
+
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+ DH_RSA_EXPORT, RSA_EXPORT, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC
diff --git a/sdks/java/container/java8/option-tls-8.json b/sdks/java/container/java8/option-tls-8.json
new file mode 100644
index 000000000000..390a410da50d
--- /dev/null
+++ b/sdks/java/container/java8/option-tls-8.json
@@ -0,0 +1,10 @@
+{
+ "name": "tls",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/jdk8-tls.properties"
+ }
+ }
+ }
+
\ No newline at end of file
From dbcdec738695a470e4f211dca83385ea63c055af Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Fri, 9 Dec 2022 12:15:30 -0500
Subject: [PATCH 02/20] Update CHANGES.md remove whitespace line endings
---
 CHANGES.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index b1b76063a4e7..68a8ff96db94 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -63,10 +63,10 @@
 ## New Features / Improvements
 * X feature added (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
-* Adding override of allowed TLS algorithms (Java), now maintaining the disabled/legacy algorithms
+* Adding override of allowed TLS algorithms (Java), now maintaining the disabled/legacy algorithms
 present in 2.43.0 (up to 1.8.0_151, 11.0.9, 17.0.2 for respective Java versions). This primarily
- re-enables TLSv1 and TLSv1.1 for Java 8 and Java 11 by default, and gives control over this
- property for JVMs in the future.
+ re-enables TLSv1 and TLSv1.1 for Java 8 and Java 11 by default, and gives control over this
+ property for JVMs in the future.
 ## Breaking Changes
From 9b905a883ae199877c6dc362006847af2d6d6ed0 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Fri, 9 Dec 2022 12:30:29 -0500
Subject: [PATCH 03/20] Fix invalid copy task configuration
---
 sdks/java/container/common.gradle | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/sdks/java/container/common.gradle b/sdks/java/container/common.gradle
index 9c28271de894..7aeaae4e01fb 100644
--- a/sdks/java/container/common.gradle
+++ b/sdks/java/container/common.gradle
@@ -80,13 +80,10 @@ task copyGolangLicenses(type: Copy) {
 task copyJdkOptions(type: Copy) {
 if (imageJavaVersion == "17" || imageJavaVersion == "11") {
 from "option-jamm.json"
- into "build/target/options"
- }
-
- into("build/target/options") {
- from "jdk${imageJavaVersion}-tls.properties"
- from "option-tls-${imageJavaVersion}.json"
 }
+ from "jdk${imageJavaVersion}-tls.properties"
+ from "option-tls-${imageJavaVersion}.json"
+ into "build/target/options"
 }
 task skipPullLicenses(type: Exec) {
@@ -134,4 +131,4 @@ dockerPrepare.dependsOn copySdkHarnessLauncher
 dockerPrepare.dependsOn copyDockerfileDependencies
 dockerPrepare.dependsOn ":sdks:java:container:downloadCloudProfilerAgent"
 dockerPrepare.dependsOn copyJdkOptions
-dockerPrepare.dependsOn validateJavaHome
\ No newline at end of file
+dockerPrepare.dependsOn validateJavaHome
From 28d6530fb2a44b2dfec5ba29a54d88a5293a0cbc Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Fri, 9 Dec 2022 12:37:55 -0500
Subject: [PATCH 04/20] Adding license to TLS properties files
---
 sdks/java/container/java11/jdk11-tls.properties | 15 +++++++++++++++
 sdks/java/container/java17/jdk17-tls.properties | 16 ++++++++++++++++
 sdks/java/container/java8/jdk8-tls.properties | 15 +++++++++++++++
 3 files changed, 46 insertions(+)
diff --git a/sdks/java/container/java11/jdk11-tls.properties b/sdks/java/container/java11/jdk11-tls.properties
index 3ebac53f88ec..fcf3b4ef01ec 100644
--- a/sdks/java/container/java11/jdk11-tls.properties
+++ b/sdks/java/container/java11/jdk11-tls.properties
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Java 11 java.security properties file override for JVM
 # base properties derived from:
 # openjdk 11.0.9 2020-10-20
diff --git a/sdks/java/container/java17/jdk17-tls.properties b/sdks/java/container/java17/jdk17-tls.properties
index 092c85848d3e..aa7be8d278eb 100644
--- a/sdks/java/container/java17/jdk17-tls.properties
+++ b/sdks/java/container/java17/jdk17-tls.properties
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Java 17 java.security properties file override for JVM
 # base properties derived from:
 # openjdk 17.0.2 2022-01-18
@@ -11,4 +26,5 @@
 # to the JVM as a meta option.
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
 DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+
 jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
diff --git a/sdks/java/container/java8/jdk8-tls.properties b/sdks/java/container/java8/jdk8-tls.properties
index a8db49b2ad51..36cb587c8ea2 100644
--- a/sdks/java/container/java8/jdk8-tls.properties
+++ b/sdks/java/container/java8/jdk8-tls.properties
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Java 8 java.security properties file override for JVM
 # base properties derived from:
 # java version "1.8.0_151"
From 068f516d94fdc2d3b6f3bd3eb8ddacb35ee0be7f Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Fri, 9 Dec 2022 13:59:00 -0500
Subject: [PATCH 05/20] Added bugfix description and link to CHANGES.md for #24623
---
 CHANGES.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGES.md b/CHANGES.md
index 68a8ff96db94..fe4930f56b92 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,7 @@
 ## Bugfixes
 * Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
+* Fixed JDBC connection failures (Java) during handshake due to deprecated TLSv1(.1) protocol for the JDK. ([#24623](https://github.com/apache/beam/issues/24623))
 ## Known Issues
From 0ec6ecb53da689ac894d9fd251d63e25b7de2307 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Tue, 13 Dec 2022 17:56:00 -0500
Subject: [PATCH 06/20] Renaming to match global implications for security properties override as TLS configs are not the only properties that can be changed
---
 sdks/java/container/common.gradle | 4 +--
 .../java11/java11-security.properties | 29 +++++++++++++++
 .../container/java11/jdk11-tls.properties | 35 -------------------
 .../java11/option-java11-security.json | 10 ++++++
 sdks/java/container/java11/option-tls-11.json | 10 ------
 .../java17/java17-security.properties | 29 +++++++++++++++
 .../container/java17/jdk17-tls.properties | 30 ----------------
 .../java17/option-java17-security.json | 10 ++++++
 sdks/java/container/java17/option-tls-17.json | 10 ------
 ...s.properties => java8-security.properties} | 0
 .../java8/option-java8-security.json | 10 ++++++
 sdks/java/container/java8/option-tls-8.json | 10 ------
 12 files changed, 90 insertions(+), 97 deletions(-)
 create mode 100644 sdks/java/container/java11/java11-security.properties
 delete mode 100644 sdks/java/container/java11/jdk11-tls.properties
 create mode 100644 sdks/java/container/java11/option-java11-security.json
 delete mode 100644 sdks/java/container/java11/option-tls-11.json
 create mode 100644 sdks/java/container/java17/java17-security.properties
 delete mode 100644 sdks/java/container/java17/jdk17-tls.properties
 create mode 100644 sdks/java/container/java17/option-java17-security.json
 delete mode 100644 sdks/java/container/java17/option-tls-17.json
 rename sdks/java/container/java8/{jdk8-tls.properties => java8-security.properties} (100%)
 create mode 100644 sdks/java/container/java8/option-java8-security.json
 delete mode 100644 sdks/java/container/java8/option-tls-8.json
diff --git a/sdks/java/container/common.gradle b/sdks/java/container/common.gradle
index 7aeaae4e01fb..4886cd271d6c 100644
--- a/sdks/java/container/common.gradle
+++ b/sdks/java/container/common.gradle
@@ -81,8 +81,8 @@ task copyJdkOptions(type: Copy) {
 if (imageJavaVersion == "17" || imageJavaVersion == "11") {
 from "option-jamm.json"
 }
- from "jdk${imageJavaVersion}-tls.properties"
- from "option-tls-${imageJavaVersion}.json"
+ from "java${imageJavaVersion}-security.properties"
+ from "option-java${imageJavaVersion}-security.json"
 into "build/target/options"
 }
diff --git a/sdks/java/container/java11/java11-security.properties b/sdks/java/container/java11/java11-security.properties
new file mode 100644
index 000000000000..8eedb6bffe30
--- /dev/null
+++ b/sdks/java/container/java11/java11-security.properties
@@ -0,0 +1,29 @@
+# Java 11 java.security properties file override for JVM
+
+# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
+# legacy algorithms list to allow it to be used if something better is not
+# available (e.g. TLSv1.2). This will prevent breakages for existing users
+# (for example JDBC with MySQL). See
+# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
+# for additional details.
+#
+# GCM is explicitly disabled in Java 8 only because it performs very
+# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20)
+# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943)
+#
+# SSLv3 is explicitly disabled due to the potential for the POODLE attack. See
+# https://www.cisa.gov/uscert/ncas/alerts/TA14-290A for additional details.
+#
+# remaining algorithms derived from:
+# openjdk 11.0.9 2020-10-20
+# OpenJDK Runtime Environment 18.9 (build 11.0.9+11)
+# OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11, mixed mode)
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
+ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ include jdk.disabled.namedCurves
+
+jdk.tls.legacyAlgorithms= \
+ K_NULL, C_NULL, M_NULL, \
+ DH_anon, ECDH_anon, \
+ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+ 3DES_EDE_CBC, TLSv1, TLSv1.1
\ No newline at end of file
diff --git a/sdks/java/container/java11/jdk11-tls.properties b/sdks/java/container/java11/jdk11-tls.properties
deleted file mode 100644
index fcf3b4ef01ec..000000000000
--- a/sdks/java/container/java11/jdk11-tls.properties
+++ /dev/null
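Review bot: `TLSv1, TLSv1.1` appended to `jdk.tls.legacyAlgorithms` on the last line does not do what the header comment claims: as far as I can tell the reference JSSE implementation consults `jdk.tls.legacyAlgorithms` only when ranking cipher suites, so protocol names placed there are inert, and the two protocols are actually re-enabled by their absence from `jdk.tls.disabledAlgorithms` a few lines above. The comment should state that plainly, e.g. `# TLSv1/TLSv1.1 are re-enabled by omitting them from disabledAlgorithms; legacyAlgorithms is only consulted for cipher suites`, so a later reader does not assume they are merely deprioritised behind TLSv1.2. The `java17-security.properties` file later in this patch relies on the same assumption with `jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1`, and its comment that the JDK's own legacy entries are "disabled in Java 8 and Java 11 as well" sits oddly with this file still listing `K_NULL`, `3DES_EDE_CBC` and friends in legacyAlgorithms; the two files should agree on one rationale.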
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Java 11 java.security properties file override for JVM
-# base properties derived from:
-# openjdk 11.0.9 2020-10-20
-# OpenJDK Runtime Environment 18.9 (build 11.0.9+11)
-# OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11, mixed mode)
-
-# New versions of Java have now disabled TLSv1 and TLSv1.1
-#
-# To prevent breakages caused by the deprecation of algorithms during JDK
-# updates, we are explictly passing an override to these properties
-# to the JVM as a meta option.
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
- include jdk.disabled.namedCurves
-
-jdk.tls.legacyAlgorithms= \
- K_NULL, C_NULL, M_NULL, \
- DH_anon, ECDH_anon, \
- RC4_128, RC4_40, DES_CBC, DES40_CBC, \
- 3DES_EDE_CBC
diff --git a/sdks/java/container/java11/option-java11-security.json b/sdks/java/container/java11/option-java11-security.json
new file mode 100644
index 000000000000..bcf66db00884
--- /dev/null
+++ b/sdks/java/container/java11/option-java11-security.json
@@ -0,0 +1,10 @@
+{
+ "name": "java-securtiy",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/java11-security.properties"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/sdks/java/container/java11/option-tls-11.json b/sdks/java/container/java11/option-tls-11.json
deleted file mode 100644
index 8c482cac1d07..000000000000
--- a/sdks/java/container/java11/option-tls-11.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "name": "tls",
- "enabled": true,
- "options": {
- "properties": {
- "java.security.properties": "/opt/apache/beam/options/jdk11-tls.properties"
- }
- }
- }
-
\ No newline at end of file
diff --git a/sdks/java/container/java17/java17-security.properties b/sdks/java/container/java17/java17-security.properties
new file mode 100644
index 000000000000..2dc8c32b61df
--- /dev/null
+++ b/sdks/java/container/java17/java17-security.properties
@@ -0,0 +1,29 @@
+# Java 17 java.security properties file override for JVM
+
+# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
+# legacy algorithms list to allow it to be used if something better is not
+# available (e.g. TLSv1.2). This will prevent breakages for existing users
+# (for example JDBC with MySQL). See
+# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343
+# for additional details.
+#
+# GCM is explicitly disabled in Java 8 only because it performs very
+# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20)
+# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943)
+#
+# SSLv3 is explicitly disabled due to the potential for the POODLE attack. See
+# https://www.cisa.gov/uscert/ncas/alerts/TA14-290A for additional details.
+#
+# remaining algorithms derived from:
+# openjdk 17.0.2 2022-01-18
+# OpenJDK Runtime Environment (build 17.0.2+8-86)
+# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
+jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+
+# The raw value from 17.0.2 for legacyAlgorithms is
+# NULL, anon, RC4, DES, 3DES_EDE_CBC
+# Because these values are in disabledAlgorithms, it is erroneous to include
+# them in legacy (they are disabled in Java 8 and Java 11 as well). Here we
+# only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms
+jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1
diff --git a/sdks/java/container/java17/jdk17-tls.properties b/sdks/java/container/java17/jdk17-tls.properties
deleted file mode 100644
index aa7be8d278eb..000000000000
--- a/sdks/java/container/java17/jdk17-tls.properties
+++ /dev/null
@@ -1,30 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Java 17 java.security properties file override for JVM
-# base properties derived from:
-# openjdk 17.0.2 2022-01-18
-# OpenJDK Runtime Environment (build 17.0.2+8-86)
-# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)
-
-# New versions of Java have now disabled TLSv1 and TLSv1.1
-#
-# To prevent breakages caused by the deprecation of algorithms during JDK
-# updates, we are explictly passing an override to these properties
-# to the JVM as a meta option.
-jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
- DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
-
-jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
diff --git a/sdks/java/container/java17/option-java17-security.json b/sdks/java/container/java17/option-java17-security.json
new file mode 100644
index 000000000000..2bfa76a0856f
--- /dev/null
+++ b/sdks/java/container/java17/option-java17-security.json
@@ -0,0 +1,10 @@
+{
+ "name": "java-security",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/java17-security.properties"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/sdks/java/container/java17/option-tls-17.json b/sdks/java/container/java17/option-tls-17.json
deleted file mode 100644
index 6b00c548e720..000000000000
--- a/sdks/java/container/java17/option-tls-17.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "name": "tls",
- "enabled": true,
- "options": {
- "properties": {
- "java.security.properties": "/opt/apache/beam/options/jdk17-tls.properties"
- }
- }
- }
-
\ No newline at end of file
diff --git a/sdks/java/container/java8/jdk8-tls.properties b/sdks/java/container/java8/java8-security.properties
similarity index 100%
rename from sdks/java/container/java8/jdk8-tls.properties
rename to sdks/java/container/java8/java8-security.properties
diff --git a/sdks/java/container/java8/option-java8-security.json b/sdks/java/container/java8/option-java8-security.json
new file mode 100644
index 000000000000..c00dc9fef94f
--- /dev/null
+++ b/sdks/java/container/java8/option-java8-security.json
@@ -0,0 +1,10 @@
+{
+ "name": "java-security",
+ "enabled": true,
+ "options": {
+ "properties": {
+ "java.security.properties": "/opt/apache/beam/options/java8-security.properties"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/sdks/java/container/java8/option-tls-8.json b/sdks/java/container/java8/option-tls-8.json
deleted file mode 100644
index 390a410da50d..000000000000
--- a/sdks/java/container/java8/option-tls-8.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "name": "tls",
- "enabled": true,
- "options": {
- "properties": {
- "java.security.properties": "/opt/apache/beam/options/jdk8-tls.properties"
- }
- }
- }
-
\ No newline at end of file
From e4d773a8c047ec2bb8f909a2958fea34c504a246 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Wed, 14 Dec 2022 09:19:02 -0500
Subject: [PATCH 07/20] Add license
---
 .../container/java17/java17-security.properties | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/sdks/java/container/java17/java17-security.properties b/sdks/java/container/java17/java17-security.properties
index 2dc8c32b61df..ae644968d3fa 100644
--- a/sdks/java/container/java17/java17-security.properties
+++ b/sdks/java/container/java17/java17-security.properties
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Java 17 java.security properties file override for JVM
 # Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
From 6947e67c2827e001949f8f72e6d6dbf6ce90e149 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Wed, 14 Dec 2022 09:19:18 -0500
Subject: [PATCH 08/20] Add license
---
 .../container/java11/java11-security.properties | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/sdks/java/container/java11/java11-security.properties b/sdks/java/container/java11/java11-security.properties
index 8eedb6bffe30..aed5d56b1d69 100644
--- a/sdks/java/container/java11/java11-security.properties
+++ b/sdks/java/container/java11/java11-security.properties
@@ -1,3 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Java 11 java.security properties file override for JVM
 # Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the
@@ -26,4 +41,4 @@ jdk.tls.legacyAlgorithms= \
 K_NULL, C_NULL, M_NULL, \
 DH_anon, ECDH_anon, \
 RC4_128, RC4_40, DES_CBC, DES40_CBC, \
- 3DES_EDE_CBC, TLSv1, TLSv1.1
\ No newline at end of file
+ 3DES_EDE_CBC, TLSv1, TLSv1.1
From 4a3b8ae978d7a11ccdccd32ac140e880ac39ef94 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Tue, 20 Dec 2022 17:53:35 -0500
Subject: [PATCH 09/20] Adding TLS-enabled check to SdkHarnessEnvironment tests
---
 .../beam/sdk/SdkHarnessEnvironmentTest.java | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
index dd2d469fd4be..9673c61a5d00 100644
--- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
+++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java
@@ -19,7 +19,10 @@ import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasItemInArray;
+import static org.hamcrest.Matchers.not;
+import java.security.Security;
 import org.apache.beam.sdk.coders.StringUtf8Coder;
 import org.apache.beam.sdk.testing.PAssert;
 import org.apache.beam.sdk.testing.TestPipeline;
@@ -66,4 +69,30 @@ public void testJammAgentAvailable() throws Exception {
 PAssert.that(output).containsInAnyOrder("measured");
 p.run().waitUntilFinish();
 }
+
+ /** {@link DoFn} used to validate that TLS was enabled as part of java security properties. */
+ private static class TLSDoFn extends DoFn {
+ @ProcessElement
+ public void processElement(ProcessContext c) {
+ assertThat(
+ Security.getProperty("jdk.tls.disabledAlgorithms").split(",[ ]*"),
+ not(hasItemInArray("TLSv1")));
+ assertThat(
+ Security.getProperty("jdk.tls.disabledAlgorithms").split(",[ ]*"),
+ not(hasItemInArray("TLSv1.1")));
+ c.output("TLSv1-TLSv1.1 enabled");
+ }
+ }
+
+ @Test
+ @Category({ValidatesRunner.class, UsesSdkHarnessEnvironment.class})
+ public void testTlsAvailable() throws Exception {
+ PCollection input = p.apply(Create.of("TLS").withCoder(StringUtf8Coder.of()));
+
+ PCollection output = input.apply(ParDo.of(new TLSDoFn()));
+
+ PAssert.that(output).containsInAnyOrder("TLSv1-TLSv1.1 enabled");
+
+ p.run().waitUntilFinish();
+ }
 }
From e908a5332a4aae43eacb4da27e9138a02eb54eb9 Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Tue, 20 Dec 2022 18:32:00 -0500
Subject: [PATCH 10/20] Update sdks/java/container/java11/option-java11-security.json
Co-authored-by: Kiley Sok
---
 sdks/java/container/java11/option-java11-security.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdks/java/container/java11/option-java11-security.json b/sdks/java/container/java11/option-java11-security.json
index bcf66db00884..215a6516fa1b 100644
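Review bot: `TLSDoFn.processElement` only proves that the property string no longer names `TLSv1`/`TLSv1.1`, not that the harness JVM's default SSLContext actually offers them — a `jdk.tls.client.protocols` setting or a different JSSE provider would leave both assertions green while the handshake from #24623 still fails. A check against what the provider reports, for instance that `SSLContext.getDefault().getDefaultSSLParameters().getProtocols()` contains `"TLSv1"`, would pin the behaviour the change is meant to restore; note that `SSLContext.getDefault()` throws a checked `NoSuchAlgorithmException`, so it needs a try/catch inside `processElement`. Separately, `Security.getProperty(...)` returns null when the key is unset, which here surfaces as a NullPointerException from `split` instead of a readable assertion failure; reading the value once into a local and asserting `notNullValue()` first would make the failure self-explanatory.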
--- a/sdks/java/container/java11/option-java11-security.json
+++ b/sdks/java/container/java11/option-java11-security.json
@@ -1,5 +1,5 @@
 {
- "name": "java-securtiy",
+ "name": "java-security",
 "enabled": true,
 "options": {
 "properties": {
From f9b35c4d3c88708b941bd7c7c37bfdfe8aad16ec Mon Sep 17 00:00:00 2001
From: Charles Rothrock
Date: Thu, 29 Dec 2022 11:36:20 -0600
Subject: [PATCH 11/20] Adjusting version fallback specification for Java
---
 CHANGES.md | 5 ++--
 .../java11/java11-security.properties | 20 +++++---------
 .../java17/java17-security.properties | 16 +++--------
 .../container/java8/java8-security.properties | 27 +++++++++----------
 4 files changed, 25 insertions(+), 43 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index fe4930f56b92..f45d3b495731 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -64,9 +64,8 @@
 * X feature added (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
 * Adding override of allowed TLS algorithms (Java), now maintaining the disabled/legacy algorithms
- present in 2.43.0 (up to 1.8.0_151, 11.0.9, 17.0.2 for respective Java versions). This primarily
- re-enables TLSv1 and TLSv1.1 for Java 8 and Java 11 by default, and gives control over this
- property for JVMs in the future.
+ present in 2.43.0 (up to 1.8.0_342, 11.0.16, 17.0.2 for respective Java versions). This is accompanied
+ by an explicit re-enabling of TLSv1 and TLSv1.1 for Java 8 and Java 11.
 ## Breaking Changes
diff --git a/sdks/java/container/java11/java11-security.properties b/sdks/java/container/java11/java11-security.properties
index aed5d56b1d69..b0cd7578a166 100644
--- a/sdks/java/container/java11/java11-security.properties
+++ b/sdks/java/container/java11/java11-security.properties
@@ -14,6 +14,10 @@ # limitations under the License. # Java 11 java.security properties file override for JVM +# base properties derived from: +# openjdk version "11.0.16" 2022-07-19 +# OpenJDK Runtime Environment 18.9 (build 11.0.16+8) +# OpenJDK 64-Bit Server VM 18.9 (build 11.0.16+8, mixed mode, sharing) # Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the # legacy algorithms list to allow it to be used if something better is not @@ -21,20 +25,8 @@ # (for example JDBC with MySQL). See # https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 # for additional details. -# -# GCM is explicitly disabled in Java 8 only because it performs very -# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20) -# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943) -# -# SSLv3 is explicitly disabled due to the potential for the POODLE attack. See -# https://www.cisa.gov/uscert/ncas/alerts/TA14-290A for additional details. -# -# remaining algorithms derived from: -# openjdk 11.0.9 2020-10-20 -# OpenJDK Runtime Environment 18.9 (build 11.0.9+11) -# OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11, mixed mode) -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves jdk.tls.legacyAlgorithms= \ diff --git a/sdks/java/container/java17/java17-security.properties b/sdks/java/container/java17/java17-security.properties index ae644968d3fa..28a399c555e7 100644 --- a/sdks/java/container/java17/java17-security.properties +++ b/sdks/java/container/java17/java17-security.properties 
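Review bot: Overriding `jdk.tls.disabledAlgorithms` wholesale with a snapshot of the 11.0.16 default means any algorithm a later JDK update adds to its disabled list will remain enabled inside the container until someone re-syncs this file, and nothing in the hunk says so; the same applies to the java17 and java8 properties hunks that follow. Suggest adding directly above the property: `# NOTE: this REPLACES (does not extend) the JDK default list; re-check it against the bundled JDK's java.security on every base-image bump, or newly disabled algorithms will silently stay enabled here.` The removed comment was the only rationale for the `SSLv3` entry; a one-line `# SSLv3 stays disabled (POODLE).` would keep that knowledge with the value. The `jdk.tls.legacyAlgorithms` entry that carries the TLSv1/TLSv1.1 change continues past the end of the hunk.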
@@ -14,6 +14,10 @@ # limitations under the License. # Java 17 java.security properties file override for JVM +# base properties derived from: +# openjdk version "17.0.2" 2022-01-18 +# OpenJDK Runtime Environment (build 17.0.2+8-86) +# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing) # Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the # legacy algorithms list to allow it to be used if something better is not @@ -21,18 +25,6 @@ # (for example JDBC with MySQL). See # https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 # for additional details. -# -# GCM is explicitly disabled in Java 8 only because it performs very -# poorly (https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20) -# GCM is not disabled in Java 11 or 17 (https://bugs.openjdk.java.net/browse/JDK-8046943) -# -# SSLv3 is explicitly disabled due to the potential for the POODLE attack. See -# https://www.cisa.gov/uscert/ncas/alerts/TA14-290A for additional details. -# -# remaining algorithms derived from: -# openjdk 17.0.2 2022-01-18 -# OpenJDK Runtime Environment (build 17.0.2+8-86) -# OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing) jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL diff --git a/sdks/java/container/java8/java8-security.properties b/sdks/java/container/java8/java8-security.properties index 36cb587c8ea2..1ebc8f5346f7 100644 --- a/sdks/java/container/java8/java8-security.properties +++ b/sdks/java/container/java8/java8-security.properties 
@@ -15,23 +15,22 @@ # Java 8 java.security properties file override for JVM # base properties derived from: -# java version "1.8.0_151" -# Java(TM) SE Runtime Environment (build 1.8.0_151-b12) -# Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode) +# openjdk version "1.8.0_342" +# OpenJDK Runtime Environment (build 1.8.0_342-b07) +# OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode) -# New versions of Java have now disabled TLSv1 and TLSv1.1 -# -# To prevent breakages caused by the deprecation of algorithms during JDK -# updates, we are explictly passing an override to these properties -# to the JVM as a meta option. -# NOTE: GCM is explicitly disabled in Java 8 only, not in Java 11 or 17 -jdk.tls.disabledAlgorithms=SSLv3, GCM, RC4, MD5withRSA, DH keySize < 768, \ - EC keySize < 224 +# Java has now disabled TLSv1 and TLSv1.1. We specifically put it in the +# legacy algorithms list to allow it to be used if something better is not +# available (e.g. TLSv1.2). This will prevent breakages for existing users +# (for example JDBC with MySQL). See +# https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343 +# for additional details. +jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ + include jdk.disabled.namedCurves jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ - DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \ - DH_RSA_EXPORT, RSA_EXPORT, \ DH_anon, ECDH_anon, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \ - 3DES_EDE_CBC + 3DES_EDE_CBC, TLSv1, TLSv1.1 \ No newline at end of file From 20bcf56f145d1ae8f70aa88141d9d96379c628f0 Mon Sep 17 00:00:00 2001 
From: Charles Rothrock Date: Tue, 3 Jan 2023 18:49:59 -0500 Subject: [PATCH 12/20] Making suggested fixes --- CHANGES.md | 1 - .../container/java11/java11-security.properties | 13 ++++++++++++- .../container/java11/option-java11-security.json | 13 ++++++------- .../container/java17/java17-security.properties | 11 +++++++++++ .../container/java17/option-java17-security.json | 13 ++++++------- sdks/java/container/java8/java8-security.properties | 13 ++++++++++++- .../java/container/java8/option-java8-security.json | 13 ++++++------- 7 files changed, 53 insertions(+), 24 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f45d3b495731..174a04a99b76 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -80,7 +80,6 @@ ## Bugfixes -* Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)). * Fixed JDBC connection failures (Java) during handshake due to deprecated TLSv1(.1) protocol for the JDK. ([#24623](https://github.com/apache/beam/issues/24623)) ## Known Issues diff --git a/sdks/java/container/java11/java11-security.properties b/sdks/java/container/java11/java11-security.properties index b0cd7578a166..f4e3adc32fbc 100644 --- a/sdks/java/container/java11/java11-security.properties +++ b/sdks/java/container/java11/java11-security.properties 
@@ -28,9 +28,20 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves - + jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ DH_anon, ECDH_anon, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \ 3DES_EDE_CBC, TLSv1, TLSv1.1 + +# /dev/random blocks in virtualized environments due to lack of +# good entropy sources, which makes SecureRandom use impractical. +# In particular, that affects the performance of HTTPS that relies +# on SecureRandom. +# +# Due to that, /dev/urandom is used as the default. +# +# See http://www.2uo.de/myths-about-urandom/ for some background +# on security of /dev/urandom on Linux. +securerandom.source=file:/dev/./urandom \ No newline at end of file diff --git a/sdks/java/container/java11/option-java11-security.json b/sdks/java/container/java11/option-java11-security.json index 215a6516fa1b..a8ad9672a3fc 100644 --- a/sdks/java/container/java11/option-java11-security.json +++ b/sdks/java/container/java11/option-java11-security.json @@ -1,10 +1,9 @@ { - "name": "java-security", - "enabled": true, - "options": { - "properties": { - "java.security.properties": "/opt/apache/beam/options/java11-security.properties" - } + "name": "java-security", + "enabled": true, + "options": { + "properties": { + "java.security.properties": "/opt/apache/beam/options/java11-security.properties" } } - \ No newline at end of file +} diff --git a/sdks/java/container/java17/java17-security.properties b/sdks/java/container/java17/java17-security.properties index 28a399c555e7..ec2a5c039cb9 100644 --- a/sdks/java/container/java17/java17-security.properties +++ b/sdks/java/container/java17/java17-security.properties 
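Review bot: The new `securerandom.source=file:/dev/./urandom` line explains why urandom is preferred but not why the path is spelled `/dev/./urandom` rather than `/dev/urandom`, so a maintainer is likely to "clean it up" and, as far as I recall, get different seeding behaviour on JDKs that special-case the literal `file:/dev/urandom` string. Suggest appending `# The "./" is intentional: some JDK versions treat the literal file:/dev/urandom specially, so the indirect path is used to make sure urandom is actually read.` The same block is added in the java17 and java8 properties hunks that follow, so the comment belongs in all three. It would also help to state that this changes the seed source for every SecureRandom user in the harness, not only TLS, and the `http://www.2uo.de/...` reference could be linked over https.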
@@ -34,3 +34,14 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ # them in legacy (they are disabled in Java 8 and Java 11 as well). Here we # only include TLSv1 and TLSv1.1 which were removed from disabledAlgorithms jdk.tls.legacyAlgorithms=TLSv1, TLSv1.1 + +# /dev/random blocks in virtualized environments due to lack of +# good entropy sources, which makes SecureRandom use impractical. +# In particular, that affects the performance of HTTPS that relies +# on SecureRandom. +# +# Due to that, /dev/urandom is used as the default. +# +# See http://www.2uo.de/myths-about-urandom/ for some background +# on security of /dev/urandom on Linux. +securerandom.source=file:/dev/./urandom \ No newline at end of file diff --git a/sdks/java/container/java17/option-java17-security.json b/sdks/java/container/java17/option-java17-security.json index 2bfa76a0856f..979d4be90d1e 100644 --- a/sdks/java/container/java17/option-java17-security.json +++ b/sdks/java/container/java17/option-java17-security.json @@ -1,10 +1,9 @@ { - "name": "java-security", - "enabled": true, - "options": { - "properties": { - "java.security.properties": "/opt/apache/beam/options/java17-security.properties" - } + "name": "java-security", + "enabled": true, + "options": { + "properties": { + "java.security.properties": "/opt/apache/beam/options/java17-security.properties" } } - \ No newline at end of file +} diff --git a/sdks/java/container/java8/java8-security.properties b/sdks/java/container/java8/java8-security.properties index 1ebc8f5346f7..cb4ce8c1bb06 100644 --- a/sdks/java/container/java8/java8-security.properties +++ b/sdks/java/container/java8/java8-security.properties 
@@ -33,4 +33,15 @@ jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ DH_anon, ECDH_anon, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \ - 3DES_EDE_CBC, TLSv1, TLSv1.1 \ No newline at end of file + 3DES_EDE_CBC, TLSv1, TLSv1.1 + +# /dev/random blocks in virtualized environments due to lack of +# good entropy sources, which makes SecureRandom use impractical. +# In particular, that affects the performance of HTTPS that relies +# on SecureRandom. +# +# Due to that, /dev/urandom is used as the default. +# +# See http://www.2uo.de/myths-about-urandom/ for some background +# on security of /dev/urandom on Linux. +securerandom.source=file:/dev/./urandom \ No newline at end of file diff --git a/sdks/java/container/java8/option-java8-security.json b/sdks/java/container/java8/option-java8-security.json index c00dc9fef94f..47f2938bf7cd 100644 --- a/sdks/java/container/java8/option-java8-security.json +++ b/sdks/java/container/java8/option-java8-security.json @@ -1,10 +1,9 @@ { - "name": "java-security", - "enabled": true, - "options": { - "properties": { - "java.security.properties": "/opt/apache/beam/options/java8-security.properties" - } + "name": "java-security", + "enabled": true, + "options": { + "properties": { + "java.security.properties": "/opt/apache/beam/options/java8-security.properties" } } - \ No newline at end of file +} From 605c888e11f0ad5198f18a6347827444ca830631 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Tue, 3 Jan 2023 18:54:50 -0500 Subject: [PATCH 13/20] Fixing indentation --- sdks/java/container/java11/java11-security.properties | 8 ++++---- sdks/java/container/java8/java8-security.properties | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/sdks/java/container/java11/java11-security.properties b/sdks/java/container/java11/java11-security.properties index f4e3adc32fbc..caf64592c400 100644 --- a/sdks/java/container/java11/java11-security.properties +++ b/sdks/java/container/java11/java11-security.properties 
@@ -30,10 +30,10 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ include jdk.disabled.namedCurves jdk.tls.legacyAlgorithms= \ - K_NULL, C_NULL, M_NULL, \ - DH_anon, ECDH_anon, \ - RC4_128, RC4_40, DES_CBC, DES40_CBC, \ - 3DES_EDE_CBC, TLSv1, TLSv1.1 + K_NULL, C_NULL, M_NULL, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC, \ + 3DES_EDE_CBC, TLSv1, TLSv1.1 # /dev/random blocks in virtualized environments due to lack of # good entropy sources, which makes SecureRandom use impractical. diff --git a/sdks/java/container/java8/java8-security.properties b/sdks/java/container/java8/java8-security.properties index cb4ce8c1bb06..f637d3ef7567 100644 --- a/sdks/java/container/java8/java8-security.properties +++ b/sdks/java/container/java8/java8-security.properties @@ -30,10 +30,10 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \ include jdk.disabled.namedCurves jdk.tls.legacyAlgorithms= \ - K_NULL, C_NULL, M_NULL, \ - DH_anon, ECDH_anon, \ - RC4_128, RC4_40, DES_CBC, DES40_CBC, \ - 3DES_EDE_CBC, TLSv1, TLSv1.1 + K_NULL, C_NULL, M_NULL, \ + DH_anon, ECDH_anon, \ + RC4_128, RC4_40, DES_CBC, DES40_CBC, \ + 3DES_EDE_CBC, TLSv1, TLSv1.1 # /dev/random blocks in virtualized environments due to lack of # good entropy sources, which makes SecureRandom use impractical. From c8228880b168ca18600fd3f7f21f280e11273a03 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Wed, 4 Jan 2023 15:22:19 -0500 Subject: [PATCH 14/20] Adding SSLContext check to TLS availability test --- .../beam/sdk/SdkHarnessEnvironmentTest.java | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index 9673c61a5d00..b7418ed80fc6 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java 
+++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -21,8 +21,12 @@ import static org.hamcrest.Matchers.greaterThan; import static org.hamcrest.Matchers.hasItemInArray; import static org.hamcrest.Matchers.not; +import static org.junit.Assert.assertNotNull; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; import java.security.Security; +import javax.net.ssl.SSLContext; import org.apache.beam.sdk.coders.StringUtf8Coder; import org.apache.beam.sdk.testing.PAssert; import org.apache.beam.sdk.testing.TestPipeline; @@ -74,12 +78,24 @@ public void testJammAgentAvailable() throws Exception { private static class TLSDoFn extends DoFn { @ProcessElement public void processElement(ProcessContext c) { - assertThat( - Security.getProperty("jdk.tls.disabledAlgorithms").split(",[ ]*"), - not(hasItemInArray("TLSv1"))); - assertThat( - Security.getProperty("jdk.tls.disabledAlgorithms").split(",[ ]*"), - not(hasItemInArray("TLSv1.1"))); + String[] disabledAlgorithms = + Security.getProperty("jdk.tls.disabledAlgorithms").trim().split("\\s*,\\s*"); + assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1"))); + assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1.1"))); + + SSLContext context = null; + String[] defaultProtocols = null; + try { + context = SSLContext.getInstance("TLS"); + context.init(null, null, null); + defaultProtocols = context.getDefaultSSLParameters().getProtocols(); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + return; + } + assertNotNull(context); + assertThat(defaultProtocols, hasItemInArray("TLSv1")); + assertThat(defaultProtocols, hasItemInArray("TLSv1.1")); + c.output("TLSv1-TLSv1.1 enabled"); } } From f064c02e5d4420f5f19d819bdaf34b1894ac1b03 Mon Sep 17 00:00:00 2001 
From: Charles Rothrock Date: Wed, 4 Jan 2023 16:31:49 -0500 Subject: [PATCH 15/20] Making suggested improvements to test --- .../beam/sdk/SdkHarnessEnvironmentTest.java | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index b7418ed80fc6..5095132a8ca9 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java 
@@ -77,22 +77,25 @@ public void testJammAgentAvailable() throws Exception { /** {@link DoFn} used to validate that TLS was enabled as part of java security properties. */ private static class TLSDoFn extends DoFn { @ProcessElement - public void processElement(ProcessContext c) { + public void processElement(ProcessContext c) throws Exception { String[] disabledAlgorithms = Security.getProperty("jdk.tls.disabledAlgorithms").trim().split("\\s*,\\s*"); + String[] legacyAlgorithms = + Security.getProperty("jdk.tls.legacyAlgorithms").trim().split("\\s*,\\s*"); assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1"))); assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1.1"))); + assertThat(legacyAlgorithms, hasItemInArray("TLSv1")); + assertThat(legacyAlgorithms, hasItemInArray("TLSv1.1")); + // getSupportedSSLParameters() shows all protocols that JSSE implements thare aren't + // statically prohibited by the policy file + // use getDefaultSSLParameters() to see what is enabled by default -- and is used in your + // socket, since it doesn't overide the context's default SSLContext context = null; - String[] defaultProtocols = null; - try { - context = SSLContext.getInstance("TLS"); - context.init(null, null, null); - defaultProtocols = context.getDefaultSSLParameters().getProtocols(); - } catch (NoSuchAlgorithmException | KeyManagementException e) { - return; - } + context = SSLContext.getInstance("TLS"); + context.init(null, null, null); assertNotNull(context); + String[] defaultProtocols = context.getDefaultSSLParameters().getProtocols(); assertThat(defaultProtocols, hasItemInArray("TLSv1")); assertThat(defaultProtocols, hasItemInArray("TLSv1.1")); From d154e87d12ae64fcd44129abe97fb1047df18a00 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Wed, 4 Jan 2023 16:36:41 -0500 Subject: [PATCH 16/20] Removing exception imports no longer needed --- .../java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java | 2 -- 1 file changed, 2 deletions(-) 
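Review bot: The test now asserts that TLSv1 and TLSv1.1 are present in the default `SSLContext`'s enabled protocols, which pins the weakened policy: whoever later hardens the `*-security.properties` files will see this ValidatesRunner test fail without being told the relaxation was deliberate. Suggest the `TLSDoFn` Javadoc state that the override intentionally re-enables TLSv1/TLSv1.1 for legacy JDBC drivers (the issue cited in CHANGES.md, #24623) and that these assertions must be updated together with the properties files when that compatibility is dropped. `assertNotNull(context)` after `SSLContext.getInstance("TLS")` is redundant, since `getInstance` throws rather than returning null. The `.trim()` calls on `Security.getProperty(...)` will raise an NPE if either property is unset; an `assertNotNull("jdk.tls.legacyAlgorithms not set", legacy)` before the split would fail with a clearer message. The enclosing `processElement` continues past the end of the hunk.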
diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index 5095132a8ca9..74ffc0029873 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -23,8 +23,6 @@ import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertNotNull; -import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; import java.security.Security; import javax.net.ssl.SSLContext; import org.apache.beam.sdk.coders.StringUtf8Coder; From 90a977c4cdb20e69cb49bdeec5a069b81b1d481d Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Wed, 4 Jan 2023 16:58:02 -0500 Subject: [PATCH 17/20] Remove whitespace and erroneous context null initialization --- .../java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index 74ffc0029873..8ec5e589919f 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -78,7 +78,7 @@ private static class TLSDoFn extends DoFn { public void processElement(ProcessContext c) throws Exception { String[] disabledAlgorithms = Security.getProperty("jdk.tls.disabledAlgorithms").trim().split("\\s*,\\s*"); - String[] legacyAlgorithms = + String[] legacyAlgorithms = Security.getProperty("jdk.tls.legacyAlgorithms").trim().split("\\s*,\\s*"); assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1"))); assertThat(disabledAlgorithms, not(hasItemInArray("TLSv1.1"))); 
@@ -89,8 +89,7 @@ public void processElement(ProcessContext c) throws Exception { // statically prohibited by the policy file // use getDefaultSSLParameters() to see what is enabled by default -- and is used in your // socket, since it doesn't overide the context's default - SSLContext context = null; - context = SSLContext.getInstance("TLS"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); assertNotNull(context); String[] defaultProtocols = context.getDefaultSSLParameters().getProtocols(); From 3761f32fd36af2813647ce8495ebac40f70570f6 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Wed, 4 Jan 2023 17:09:42 -0500 Subject: [PATCH 18/20] Fix typo --- .../java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index 8ec5e589919f..a38ca5cbbbfb 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -88,7 +88,7 @@ public void processElement(ProcessContext c) throws Exception { // getSupportedSSLParameters() shows all protocols that JSSE implements thare aren't // statically prohibited by the policy file // use getDefaultSSLParameters() to see what is enabled by default -- and is used in your - // socket, since it doesn't overide the context's default + // socket, since it doesn't override the context's default SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); assertNotNull(context); From 4eeb4e01a4a4c1f63a460a51accdcf21429fb9d2 Mon Sep 17 00:00:00 2001 
From: Charles Rothrock Date: Wed, 4 Jan 2023 18:16:05 -0500 Subject: [PATCH 19/20] Update sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java Co-authored-by: Lukasz Cwik --- .../java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index a38ca5cbbbfb..292ec526f450 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -85,10 +85,8 @@ public void processElement(ProcessContext c) throws Exception { assertThat(legacyAlgorithms, hasItemInArray("TLSv1")); assertThat(legacyAlgorithms, hasItemInArray("TLSv1.1")); - // getSupportedSSLParameters() shows all protocols that JSSE implements thare aren't - // statically prohibited by the policy file - // use getDefaultSSLParameters() to see what is enabled by default -- and is used in your - // socket, since it doesn't override the context's default + // getDefaultSSLParameters() shows all protocols that JSSE implements that are allowed. + // getSupportedSSLParameters() shows all protocols that JSSE implements including those that are disabled. SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); assertNotNull(context); From eb2353ecf3572873b443aeacceaa90ea1b7f05b7 Mon Sep 17 00:00:00 2001 From: Charles Rothrock Date: Thu, 5 Jan 2023 09:05:35 -0500 Subject: [PATCH 20/20] Fix spotless java precommit formatting error --- .../java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java index 292ec526f450..2c61e8a62041 100644 --- a/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java +++ b/sdks/java/core/src/test/java/org/apache/beam/sdk/SdkHarnessEnvironmentTest.java @@ -86,7 +86,8 @@ public void processElement(ProcessContext c) throws Exception { assertThat(legacyAlgorithms, hasItemInArray("TLSv1.1")); // getDefaultSSLParameters() shows all protocols that JSSE implements that are allowed. - // getSupportedSSLParameters() shows all protocols that JSSE implements including those that are disabled. + // getSupportedSSLParameters() shows all protocols that JSSE implements including those that + // are disabled. SSLContext context = SSLContext.getInstance("TLS"); context.init(null, null, null); assertNotNull(context);