Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RATIS-2064. Bump Netty to 4.1.109 #50

Merged
merged 2 commits into from Apr 30, 2024
Merged

RATIS-2064. Bump Netty to 4.1.109 #50

merged 2 commits into from Apr 30, 2024

Conversation

adoroszlai
Copy link
Contributor

@adoroszlai adoroszlai commented Apr 29, 2024
edited

What changes were proposed in this pull request?

Bump Netty to latest (4.1.109 currently).

I had to tweak cipher list in tests to make GrpcSslTest to pass. It was failing with StacklessSSLHandshakeException: Connection closed while SSL/TLS handshake was in progress due to one of the changes in Netty 4.1.108 related to SSL.

https://issues.apache.org/jira/browse/RATIS-2064

How was this patch tested?

CI:
https://github.com/adoroszlai/ratis-thirdparty/actions/runs/8877229601

@adoroszlai adoroszlai self-assigned this Apr 29, 2024
@adoroszlai adoroszlai added the dependencies Pull requests that update a dependency file label Apr 29, 2024
szetszwo
szetszwo approved these changes Apr 29, 2024
View reviewed changes
Copy link
Contributor

@szetszwo szetszwo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 the change looks good.

test/src/main/java/org/apache/ratis/thirdparty/demo/common/SslConfig.java
Comment on lines +27 to +42
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA"));

// "RSA" in this case refers to the key exchange algorithm,
// "SHA" refers to the message digest algorithm to provide integrity
// "NULL" is the encryption algorithm, to disable encryption.
// TODO: support NULL cipher from tcnative
private final List<String> tlsCipherSuitesNoEncryption = Collections.singletonList("TLS_RSA_WITH_AES_128_GCM_SHA256");
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adoroszlai , How did you find out this list?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took the list from this log message emitted by Netty during the test:

[main] DEBUG ssl.OpenSsl (OpenSsl.java:<clinit>(402)) - Default cipher suites (OpenSSL): [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256]

I don't know why the old list (particularly the NoEncryption one) wouldn't work. The list of default ciphers is the same for both versions.

The following mapping is no longer present with new Netty:

[main] DEBUG ssl.CipherSuiteConverter (CipherSuiteConverter.java:cacheFromOpenSsl(352)) - Cipher suite mapping: TLS_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA
[main] DEBUG ssl.CipherSuiteConverter (CipherSuiteConverter.java:cacheFromOpenSsl(353)) - Cipher suite mapping: SSL_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA

so I first removed that from the original list, but that would not fix the problem.

SzyWilliam
SzyWilliam approved these changes Apr 30, 2024
View reviewed changes
Copy link
Member

@SzyWilliam SzyWilliam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 the changes look good to me. Thanks @adoroszlai for bumping Netty and tweak the list.

@adoroszlai adoroszlai merged commit 8ae00d9 into apache:master Apr 30, 2024
1 check passed
@adoroszlai adoroszlai deleted the RATIS-2064 branch April 30, 2024 07:23
@adoroszlai
Copy link
Contributor Author

Thanks @szetszwo, @SzyWilliam for the review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szetszwo szetszwo szetszwo approved these changes

@SzyWilliam SzyWilliam SzyWilliam approved these changes

Assignees

@adoroszlai adoroszlai

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
3 participants
@adoroszlai @szetszwo @SzyWilliam