From fdf6918e5554ff4cfd1e80a877367b87bdde3e65 Mon Sep 17 00:00:00 2001 From: Zhen Date: Thu, 8 Feb 2018 12:30:33 +0100 Subject: [PATCH] Enforce TLSv1.2 by default both for HTTPS server and bolt server. For users who would like to have other protocols or cipher suites, they need to migrate their old configuration to use new `dbms.ssl.policy` For users whose jdk does not have TLSv1.2 enabled by default such as ibm-jdk8, if they would like to use TLSv1.2, they should run the server with jvm option `com.ibm.jsse2.overrideDefaultTLS=true` --- .../socket/client/SecureSocketConnection.java | 2 +- .../socket/client/SecureWebSocketConnection.java | 16 ++-------------- .../configuration/ssl/LegacySslPolicyConfig.java | 16 ++++++++++++++++ .../configuration/ssl/SslPolicyConfig.java | 5 +++-- .../configuration/ssl/SslPolicyLoader.java | 7 ++++++- .../security/ssl/SslSocketConnectorFactory.java | 7 ++----- 6 files changed, 30 insertions(+), 23 deletions(-) diff --git a/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureSocketConnection.java b/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureSocketConnection.java index b8d773f74fd0e..9f4c0a5fbd25e 100644 --- a/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureSocketConnection.java +++ b/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureSocketConnection.java @@ -41,7 +41,7 @@ private Socket createSecureSocket() { try { - SSLContext context = SSLContext.getInstance( "SSL" ); + SSLContext context = SSLContext.getInstance( "TLS" ); context.init( new KeyManager[0], new TrustManager[]{new NaiveTrustManager( serverCertificatesSeen::add )}, new SecureRandom() ); return context.getSocketFactory().createSocket(); 
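Review bot: `SSLContext.getInstance( "TLS" )` leaves the protocol choice to the JDK's defaults, so on a JDK where TLSv1.2 is not enabled by default (the commit message names ibm-jdk8) this test client cannot handshake with the now TLSv1.2-only server and the test fails for a reason unrelated to what it exercises. Requesting the version explicitly, `SSLContext context = SSLContext.getInstance( "TLSv1.2" );`, makes the client's expectation match the server default this commit enforces (subject to the same provider caveat the commit message gives for IBM JDK). The empty `KeyManager[]` and the `NaiveTrustManager` disable client identity and server verification, which is acceptable only because this is a test client. `createSecureSocket` starts before the hunk and its catch block continues after it.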
diff --git a/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureWebSocketConnection.java b/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureWebSocketConnection.java index 1a715066ce5af..166d883707ccb 100644 --- a/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureWebSocketConnection.java +++ b/community/bolt/src/test/java/org/neo4j/bolt/v1/transport/socket/client/SecureWebSocketConnection.java @@ -23,24 +23,12 @@ import org.eclipse.jetty.websocket.client.WebSocketClient; import java.net.URI; -import java.util.function.Supplier; public class SecureWebSocketConnection extends WebSocketConnection { public SecureWebSocketConnection() { - super( createTestClientSupplier(), address -> URI.create( "wss://" + address.getHost() + ":" + address.getPort() ) ); - } - - private static Supplier createTestClientSupplier() - { - return () -> - { - SslContextFactory sslContextFactory = new SslContextFactory( /* trustall= */ true ); - /* remove all default filters added by jetty on protocol and cipher suites */ - sslContextFactory.setExcludeCipherSuites(); - sslContextFactory.setExcludeProtocols(); - return new WebSocketClient( sslContextFactory ); - }; + super( () -> new WebSocketClient( new SslContextFactory( /* trustall= */ true ) ), + address -> URI.create( "wss://" + address.getHost() + ":" + address.getPort() ) ); } } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/LegacySslPolicyConfig.java b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/LegacySslPolicyConfig.java index ba84bb84ed383..580dc58df39a6 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/LegacySslPolicyConfig.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/LegacySslPolicyConfig.java 
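Review bot: The rewritten client now relies on Jetty's default protocol and cipher filters and does not state which TLS version the test expects, so whether TLSv1.2 is negotiated depends entirely on the server side being restricted. If this connection is meant to exercise the TLSv1.2-only default introduced by this commit, pin it on the client too: `SslContextFactory factory = new SslContextFactory( /* trustall= */ true );` followed by `factory.setIncludeProtocols( "TLSv1.2" );` before constructing the `WebSocketClient`. The `trustall= true` flag turns off certificate validation and is appropriate only because this lives under `src/test`; a one-line comment stating that would stop it being copied into production code.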
@@ -20,6 +20,7 @@ package org.neo4j.kernel.configuration.ssl; import java.io.File; +import java.util.List; import org.neo4j.configuration.Description; import org.neo4j.configuration.Internal; @@ -27,8 +28,12 @@ import org.neo4j.graphdb.config.Setting; import static org.neo4j.kernel.configuration.Settings.PATH; +import static org.neo4j.kernel.configuration.Settings.STRING_LIST; import static org.neo4j.kernel.configuration.Settings.derivedSetting; import static org.neo4j.kernel.configuration.Settings.pathSetting; +import static org.neo4j.kernel.configuration.Settings.setting; +import static org.neo4j.kernel.configuration.ssl.SslPolicyConfig.CIPHER_SUITES_DEFAULTS; +import static org.neo4j.kernel.configuration.ssl.SslPolicyConfig.TLS_VERSION_DEFAULTS; /** * To be removed in favour of {@link SslPolicyConfig}. The settings below are still @@ -54,4 +59,15 @@ public class LegacySslPolicyConfig implements LoadableConfig public static final Setting tls_key_file = derivedSetting( "unsupported.dbms.security.tls_key_file", certificates_directory, certificates -> new File( certificates, "neo4j.key" ), PATH ); + + @Internal + @Description( "Default encryption protocol used for legacy SSl policy." ) + static final Setting> default_security_protocol = + setting( "unsupported.dbms.security.protocol", STRING_LIST, TLS_VERSION_DEFAULTS ); + + @Internal + @Description( "Default encryption protocol used for legacy SSl policy." ) + static final Setting> default_security_cipher_suites = + setting( "unsupported.dbms.security.cipher_suites", STRING_LIST, CIPHER_SUITES_DEFAULTS ); + } diff --git a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyConfig.java b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyConfig.java index a6e9f56fd09c4..6d9682acac155 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyConfig.java 
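Review bot: The `@Description` on `default_security_cipher_suites` is a copy of the one on `default_security_protocol` ("Default encryption protocol used for legacy SSl policy.") and therefore documents the wrong setting, and both carry the "SSl" typo; suggest `@Description( "TLS protocol versions enabled for the legacy SSL policy." )` and `@Description( "Cipher suites enabled for the legacy SSL policy; unset means the JVM defaults apply." )`. Because both keys are `unsupported.`/`@Internal`, a deployment can set `unsupported.dbms.security.protocol=TLSv1` and silently undo the TLSv1.2 default with no warning anywhere visible here; since the commit message directs such users to `dbms.ssl.policy`, a deprecation remark in the description or a startup warning when the value differs from `TLS_VERSION_DEFAULTS` would make the downgrade deliberate rather than accidental.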
+++ b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyConfig.java @@ -44,7 +44,8 @@ @Group( "dbms.ssl.policy" ) public class SslPolicyConfig { - private static final String TLS_VERSION_DEFAULTS = join( ",", new String[]{"TLSv1.2"} ); + public static final String TLS_VERSION_DEFAULTS = join( ",", new String[]{"TLSv1.2"} ); + public static final String CIPHER_SUITES_DEFAULTS = NO_DEFAULT; @Description( "The mandatory base directory for cryptographic objects of this policy." + " It is also possible to override each individual configuration with absolute paths." ) @@ -99,7 +100,7 @@ public SslPolicyConfig( String policyName ) this.private_key_password = group.scope( setting( "private_key_password", STRING, NO_DEFAULT ) ); this.client_auth = group.scope( setting( "client_auth", options( ClientAuth.class, true ), ClientAuth.REQUIRE.name() ) ); this.tls_versions = group.scope( setting( "tls_versions", STRING_LIST, TLS_VERSION_DEFAULTS ) ); - this.ciphers = group.scope( setting( "ciphers", STRING_LIST, NO_DEFAULT ) ); + this.ciphers = group.scope( setting( "ciphers", STRING_LIST, CIPHER_SUITES_DEFAULTS ) ); } // TODO: can we make this handle relative paths? diff --git a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyLoader.java b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyLoader.java index 69e3ef5efd27a..7593166c32c73 100644 --- a/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyLoader.java +++ b/community/kernel/src/main/java/org/neo4j/kernel/configuration/ssl/SslPolicyLoader.java 
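Review bot: `CIPHER_SUITES_DEFAULTS = NO_DEFAULT` means the policy pins the protocol to TLSv1.2 but leaves cipher-suite selection to whatever the JVM enables, which on older JDKs is likely to include non-forward-secret RSA key exchange and CBC suites, and nothing on the constant says so. Add a why-comment above it: `// No cipher restriction by default: the JVM's enabled TLSv1.2 suites apply (including non-PFS ones); set "ciphers" to tighten.` Exposing the two constants as `public` for `LegacySslPolicyConfig` is fine; as a point of style, `join( ",", new String[]{"TLSv1.2"} )` evaluates to the literal `"TLSv1.2"` and the wrapper adds nothing now that the constant is part of the class's surface.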
@@ -57,6 +57,8 @@ import static java.lang.String.format; import static org.neo4j.graphdb.factory.GraphDatabaseSettings.default_advertised_address; import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.LEGACY_POLICY_NAME; +import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.default_security_cipher_suites; +import static org.neo4j.kernel.configuration.ssl.LegacySslPolicyConfig.default_security_protocol; /** * Each component which utilises SSL policies is recommended to provide a component @@ -157,7 +159,10 @@ private SslPolicy loadOrCreateLegacyPolicy() PrivateKey privateKey = loadPrivateKey( privateKeyFile, null ); X509Certificate[] keyCertChain = loadCertificateChain( certficateFile ); - return new SslPolicy( privateKey, keyCertChain, null, null, + List ciphers = config.get( default_security_cipher_suites ); + List tlsVersions = config.get( default_security_protocol ); + + return new SslPolicy( privateKey, keyCertChain, tlsVersions, ciphers, ClientAuth.NONE, InsecureTrustManagerFactory.INSTANCE, sslProvider ); } diff --git a/community/server/src/main/java/org/neo4j/server/security/ssl/SslSocketConnectorFactory.java b/community/server/src/main/java/org/neo4j/server/security/ssl/SslSocketConnectorFactory.java index d92c94b3d31a7..a5c357521da5c 100644 --- a/community/server/src/main/java/org/neo4j/server/security/ssl/SslSocketConnectorFactory.java +++ b/community/server/src/main/java/org/neo4j/server/security/ssl/SslSocketConnectorFactory.java 
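Review bot: The protocol and cipher lists read from `default_security_protocol` and `default_security_cipher_suites` are passed to `SslPolicy` without any validation, so an empty value (`unsupported.dbms.security.protocol=`) or a misspelled version name is, as far as this hunk shows, not rejected here, and an empty include list handed to the connector may leave the JVM's own protocol set in force rather than TLSv1.2 once the downstream factory clears Jetty's exclude filter. Failing fast before the policy is built is cheap: `if ( tlsVersions == null || tlsVersions.isEmpty() ) { throw new IllegalArgumentException( "unsupported.dbms.security.protocol must name at least one TLS version" ); }`. A null `ciphers` appears to be the intended "JVM defaults" case and can stay as is. `loadOrCreateLegacyPolicy` starts before the hunk.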
@@ -73,17 +73,14 @@ private SslConnectionFactory createSslConnectionFactory( SslPolicy sslPolicy ) if ( ciphers != null ) { sslContextFactory.setIncludeCipherSuites( ciphers.toArray( new String[ciphers.size()] ) ); + sslContextFactory.setExcludeCipherSuites(); } - // regardless whether cipher suites are provided by user or not, - // we always remove the cipher filter added in jetty 9.4 to keep the back-compatibility of jetty 9.2 - sslContextFactory.setExcludeCipherSuites(); List protocols = sslPolicy.getTlsVersions(); if ( protocols != null ) { - // If a user specified what protocols they want to use, then apply whatever they added by removing extra jetty filter sslContextFactory.setIncludeProtocols( protocols.toArray( new String[protocols.size()] ) ); - sslContextFactory.setExcludeProtocols(); // remove jetty filter + sslContextFactory.setExcludeProtocols(); } switch ( sslPolicy.getClientAuth() )
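Review bot: Calling `sslContextFactory.setExcludeCipherSuites()` with no arguments whenever a user-supplied list is present wipes Jetty's default cipher exclusion (the removed comment identifies it as the 9.4 filter), so a broad include entry, if Jetty treats entries as patterns, can re-admit NULL and anonymous suites with nothing left to veto them. If the intent is only to stop Jetty filtering suites the user explicitly asked for, a minimal exclusion keeps the safety net: `sslContextFactory.setExcludeCipherSuites( "^.*_NULL_.*$", "^.*_anon_.*$" );`. The same holds for `setExcludeProtocols()`: with the exclude list emptied, `tls_versions=SSLv3` would be honoured verbatim, which may be the intended escape hatch but deserves a comment saying so now that the explanatory comments have been removed, e.g. `// user-specified list wins: clear Jetty's built-in exclusions so nothing in it is silently dropped`. `createSslConnectionFactory` starts before the hunk and continues after the `switch`.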