Add support for JGroups SSL_KEY_EXCHANGE #31

Closed
ryanemerson opened this issue Dec 4, 2019 · 4 comments
Labels
enhancement New feature or request

Comments

@ryanemerson
Collaborator

Currently we support the ASYM_ENCRYPT protocol for JGroups encryption, however this is prone to man-in-the-middle attacks. This can be overcome by utilising the SSL_KEY_EXCHANGE protocol, however this requires a keystore to be configured. If the user has configured a keystore, we should utilise this and automatically add the SSL_KEY_EXCHANGE protocol to the stack if jgroups.encrypt == true.

Current issues with ASYM_ENCRYPT and SSL_KEY_EXCHANGE.

    <VERIFY_SUSPECT timeout="1000"/>
    <gsp:scriptlet>if (jgroups?.encrypt) {</gsp:scriptlet>
    <gsp:scriptlet>if (keystore?.path) {</gsp:scriptlet>
    <!-- Only rendered when a keystore is configured. JGroups lists protocols bottom-up,
         so this sits directly below ASYM_ENCRYPT, which uses it to hand out the group key. -->
    <SSL_KEY_EXCHANGE
            keystore_name="${keystore.path}"
            keystore_password="${keystore.password}"
            keystore_type="pkcs12"
            port="2157"
            port_range="0"
    />
    <!-- port_range="0": the key server binds exactly 2157, so joiners must be able to reach that port -->
    <gsp:scriptlet>}</gsp:scriptlet>
    <!-- With a keystore present the group key is fetched over the TLS socket above instead of
         being sent encrypted under the joiner's unauthenticated RSA public key, which is what
         exposes plain ASYM_ENCRYPT to a man-in-the-middle. Two weak settings are kept as posted:
         512-bit RSA is far below any current minimum, and AES in ECB mode leaks plaintext patterns. -->
    <ASYM_ENCRYPT use_external_key_exchange="${keystore?.path ? true : false}"
                  sym_algorithm="AES/ECB/PKCS5Padding"
                  asym_keylength="512"
                  asym_algorithm="RSA"
    />
    <gsp:scriptlet>}</gsp:scriptlet>

Node 1:

17:09:53,428 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: becoming keyserver; creating server socket
17:09:53,508 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: SSL server socket listening on /172.17.0.2:2157
17:09:53,511 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: I'm the new key server
17:09:53,530 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: created new group key (version: DCEFD81727549FA1786B1DAF8E35DD13) because of new view [9864590834c5-46097|0] (1) [9864590834c5-46097]
17:09:53,536 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel testClusterName: [9864590834c5-46097|0] (1) [9864590834c5-46097]
17:09:53,553 INFO  [org.infinispan.CLUSTER] (main) ISPN000079: Channel testClusterName local address is 9864590834c5-46097, physical addresses are [172.17.0.2:7800]
17:09:53,564 INFO  [org.infinispan.CONTAINER] (main) ISPN000390: Persisted state, version=10.1.0.Beta1 timestamp=2019-12-03T17:09:53.560070Z
17:09:54,029 INFO  [org.infinispan.CONTAINER] (main) ISPN000104: Using EmbeddedTransactionManager
17:09:54,275 INFO  [org.infinispan.SERVER] (ForkJoinPool.commonPool-worker-3) ISPN080018: Protocol HotRod (internal)
17:09:54,357 INFO  [org.infinispan.SERVER] (main) ISPN080018: Protocol REST (internal)
17:09:54,468 INFO  [org.infinispan.SERVER] (ForkJoinPool.commonPool-worker-5) ISPN080004: Protocol Memcached listening on 172.17.0.2:11221
17:09:54,479 INFO  [org.infinispan.SERVER] (main) ISPN080004: Protocol SINGLE_PORT listening on 172.17.0.2:11222
17:09:54,479 INFO  [org.infinispan.SERVER] (main) ISPN080001: Infinispan Server 10.1.0.Beta1 started in 8683ms
17:10:03,381 INFO  [org.infinispan.CLUSTER] (jgroups-5,9864590834c5-46097) ISPN000094: Received new cluster view for channel testClusterName: [9864590834c5-46097|1] (2) [9864590834c5-46097, fe47e1f1471b-64307]
17:10:03,387 INFO  [org.infinispan.CLUSTER] (jgroups-5,9864590834c5-46097) ISPN100000: Node fe47e1f1471b-64307 joined the cluster
17:10:03,423 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,515 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,562 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)

Node 2:

17:10:02,840 INFO  [org.infinispan.CONTAINER] (main) ISPN000128: Infinispan version: Infinispan 'Chupacabra' 10.1.0.Beta1
17:10:03,012 INFO  [org.infinispan.CLUSTER] (main) ISPN000078: Starting JGroups channel testClusterName
17:10:03,426 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,430 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-6,fe47e1f1471b-64307) fe47e1f1471b-64307: discarded mcast batch from 9864590834c5-46097 as secret key is null
17:10:03,457 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,508 WARN  [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,508 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,558 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,560 WARN  [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,560 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
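Turning the two logs above into an operator's check, as an added example that is not part of this issue, of JGroups or of Infinispan: the parser assumes the Infinispan server log layout shown above (time, level, logger, thread, node, message), the sample lines are copied from the issue, and the categories and hint text are this example's own.

```python
import re
from collections import Counter

# Log lines copied from the two nodes in the issue above (only the lines that
# concern the key exchange); nothing in these samples is invented.
KEY_SERVER_LOG = """\
17:10:03,423 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,515 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,562 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
"""

JOINER_LOG = """\
17:10:03,426 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,430 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-6,fe47e1f1471b-64307) fe47e1f1471b-64307: discarded mcast batch from 9864590834c5-46097 as secret key is null
17:10:03,508 WARN  [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,508 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,558 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,560 WARN  [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
"""

# One Infinispan/JGroups log line: time, level, logger, thread, node address, message.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<node>\S+): (?P<msg>.*)$")
# The joiner's failure message: who it asked, where it connected, and why that failed.
FAIL_RE = re.compile(
    r"failed fetching group key from (?P<server>\S+): (?P<exc>[\w.$]+): "
    r"failed connecting to (?P<addr>[\d.]+:\d+): (?P<reason>.*)")
VERSION_RE = re.compile(r"\(current version: ([^)]+)\)")


def parse_lines(text):
    """Split a log into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage_key_exchange(text):
    """Summarise one node's ASYM_ENCRYPT / SSL_KEY_EXCHANGE activity."""
    summary = {"key_offers": 0, "fetch_attempts": 0, "dropped_messages": 0,
               "handshake_failures": 0, "current_key_version": "unknown",
               "failures": Counter()}   # (key server address, reason) -> count
    for ev in parse_lines(text):
        if not ev["logger"].endswith(("ASYM_ENCRYPT", "SSL_KEY_EXCHANGE")):
            continue
        msg = ev["msg"]
        fail = FAIL_RE.search(msg)
        if msg.startswith("asking "):
            summary["key_offers"] += 1              # key server told a joiner to fetch
        elif msg.startswith("fetching group key from"):
            summary["fetch_attempts"] += 1          # joiner opened the TLS connection
        elif fail:
            summary["failures"][(fail["addr"], fail["reason"])] += 1
        elif "failure handling client socket" in msg:
            summary["handshake_failures"] += 1      # server side of a broken handshake
        elif "secret key is null" in msg or "dropped, as a key matching" in msg:
            summary["dropped_messages"] += 1        # traffic lost while no key is installed
            v = VERSION_RE.search(msg)
            if v:
                summary["current_key_version"] = None if v.group(1) == "null" else v.group(1)
    summary["failures"] = sorted((a, r, n) for (a, r), n in summary["failures"].items())
    return summary


def diagnose(summary):
    """Map the evidence to the first thing a responder should check."""
    reasons = [reason for _, reason, _ in summary["failures"]]
    if any(r.startswith("No appropriate protocol") for r in reasons):
        return ("joiner and key server share no enabled TLS protocol or cipher suite: check "
                "jdk.tls.disabledAlgorithms in the JVM's java.security and in "
                "/etc/crypto-policies/back-ends/java.config on the image")
    if summary["handshake_failures"] and not summary["fetch_attempts"]:
        return "this node is the key server; the peer aborted the TLS handshake, read the joiner's log"
    if summary["current_key_version"] is None and summary["fetch_attempts"]:
        return "group key never installed; check the key server address and port reachability"
    return "no key-exchange problem visible in this log"


if __name__ == "__main__":
    for name, log in (("key server", KEY_SERVER_LOG), ("joiner", JOINER_LOG)):
        s = triage_key_exchange(log)
        print(name, s, "->", diagnose(s))
```

The joiner's log is the one that carries the cause; the key server only sees "Remote host terminated the handshake", which is why the diagnosis for a log with handshake failures but no fetch attempts is to go and read the other side.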
@ryanemerson ryanemerson added the enhancement New feature or request label Dec 4, 2019
ryanemerson added a commit to ryanemerson/infinispan-image-artifacts that referenced this issue Dec 4, 2019
@ryanemerson
Collaborator Author

The issue is present when utilising any of the ubi images or fedora-minimal. In the fedora image and local machine it's possible for the keys to be exchanged successfully.

ryanemerson added a commit to ryanemerson/infinispan-image-artifacts that referenced this issue Dec 11, 2019
ryanemerson added a commit to ryanemerson/infinispan-images that referenced this issue Dec 11, 2019
- Port 2157 exposed for SSL socket
- /etc/crypto-policies/back-ends/java.config overridden to prevent TLS being disabled
ryanemerson added a commit to infinispan/infinispan-image-artifacts that referenced this issue Dec 11, 2019
ryanemerson added a commit that referenced this issue Dec 11, 2019
- Port 2157 exposed for SSL socket
- /etc/crypto-policies/back-ends/java.config overridden to prevent TLS being disabled
@ryanemerson
Collaborator Author

@belaban FYI the reason that SSL_KEY_EXCHANGE wouldn't work on any of the UBI or fedora-minimal images was because they explicitly disable TLS in the /etc/crypto-policies/back-ends/java.config file for some reason. The solution was to override the file with https://github.com/infinispan/infinispan-images/blob/master/modules/dependencies/added/java.config.
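A way to catch the root cause named in the comment above before a container ships, as an added example that is not part of this issue or of the infinispan-images project: it parses a file in the Java properties syntax used by /etc/crypto-policies/back-ends/java.config and java.security, reports whether jdk.tls.disabledAlgorithms leaves any modern TLS version usable, and produces the corrected property. The sample file is constructed for this example and is not a copy of the one shipped in any UBI or Fedora image.

```python
import re

MODERN_TLS = ("TLSv1.2", "TLSv1.3")
ALL_TLS = ("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2")

# Constructed sample in the layout of /etc/crypto-policies/back-ends/java.config
# (Java properties syntax with backslash line continuation). The entries are
# illustrative, not copied from any image; the point is that TLSv1.2 and
# TLSv1.3 appear in jdk.tls.disabledAlgorithms.
BROKEN_JAVA_CONFIG = """\
# crypto-policies java.config (constructed sample for this example)
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, \\
    TLSv1.2, TLSv1.3, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, \\
    DHE_RSA_EXPORT, DH_RSA_EXPORT, DH_DSS_EXPORT, 3DES_EDE_CBC, RC4_40, RC4_128
jdk.tls.legacyAlgorithms=
"""


def parse_java_properties(text):
    """Parse Java .properties / java.security syntax: '#' or '!' comment lines,
    'key=value' or 'key:value', and a trailing backslash continuing the value
    on the next line (that line's leading whitespace is dropped)."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending.append(line[:-1])
            continue
        logical = "".join(pending) + line
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def disabled_algorithms(props):
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def usable_tls_versions(props):
    """Protocol names a JSSE socket may still negotiate under this policy."""
    disabled = set(disabled_algorithms(props))
    return [p for p in ALL_TLS if p not in disabled]


def check_props(props):
    """Return (ok, explanation). Not ok when no modern TLS version is usable,
    the state in which the JVM reports 'No appropriate protocol'."""
    usable = [p for p in usable_tls_versions(props) if p in MODERN_TLS]
    if not usable:
        return False, ("jdk.tls.disabledAlgorithms disables TLSv1.2 and TLSv1.3; "
                       "SSL_KEY_EXCHANGE cannot complete a handshake under this policy")
    return True, "usable TLS versions: " + ", ".join(usable)


def check_java_config(text):
    return check_props(parse_java_properties(text))


def fix_props(props):
    """Copy of the properties with TLSv1.2/TLSv1.3 removed from
    jdk.tls.disabledAlgorithms; every other entry (SSLv3, RC4, ...) stays disabled."""
    kept = [a for a in disabled_algorithms(props) if a not in MODERN_TLS]
    fixed = dict(props)
    fixed["jdk.tls.disabledAlgorithms"] = ", ".join(kept)
    return fixed


if __name__ == "__main__":
    props = parse_java_properties(BROKEN_JAVA_CONFIG)
    print("before:", check_props(props))
    print("after: ", check_props(fix_props(props)))
    print("fixed jdk.tls.disabledAlgorithms =", fix_props(props)["jdk.tls.disabledAlgorithms"])
```

Run it against the java.config inside the image (or against the overriding file a Dockerfile adds) as an image build check; the corrected property keeps the legacy protocols and ciphers disabled and only restores what a TLS 1.2/1.3 handshake needs.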

@belaban
Member

belaban commented Dec 11, 2019

+1

@pro100jekon

pro100jekon commented May 17, 2023

3 participants