fix fabric8io#5125 allowing for TLS 1.3 only support
shawkins authored and manusa committed May 24, 2023
1 parent a45493a commit 1050f1f
Showing 7 changed files with 42 additions and 9 deletions.
5 changes: 4 additions & 1 deletion CHANGELOG.md
Expand Up @@ -3,7 +3,8 @@
### 6.7-SNAPSHOT

#### Bugs
Fix #5145: [java-generator] handle `additionalProperties: true` emitting a field of type `AnyType`
* Fix #5125: TLS 1.3 only should be supported
* Fix #5145: [java-generator] handle `additionalProperties: true` emitting a field of type `AnyType`

#### Improvements

Expand All @@ -20,6 +21,8 @@ Fix #5145: [java-generator] handle `additionalProperties: true` emitting a field
* Fix #4662: removed deprecated classes/methods: ReflectUtils, ReplaceValueStream, ParameterNamespaceListVisitFromServerGetDeleteRecreateWaitApplicable, ResourceCompare, and Serialization methods taking parameters
* Fix #4662: deprecated serialization static logic: several IOHelpers methods, Serialization methods, such as access to the static jsonMapper. Please use KubernetesSerialization methods instead.
* Fix #4662: deprecated Helper.getAnnotationValue, use HasMetadata methods instead.
* Fix #5125: support for TLSv1.3 is now enabled by default
* Fix #5125: usage of TlsVersion.TLS_1_1, TLS_1_0, and SSL_3_0 have been deprecated

### 6.6.2 (2023-05-15)

2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -112,7 +112,7 @@ System properties are preferred over environment variables. The following system
| `kubernetes.max.concurrent.requests.per.host` / `KUBERNETES_MAX_CONCURRENT_REQUESTS_PER_HOST` | | `5` |
| `kubernetes.impersonate.username` / `KUBERNETES_IMPERSONATE_USERNAME` | `Impersonate-User` HTTP header value | |
| `kubernetes.impersonate.group` / `KUBERNETES_IMPERSONATE_GROUP` | `Impersonate-Group` HTTP header value | |
| `kubernetes.tls.versions` / `KUBERNETES_TLS_VERSIONS` | TLS versions separated by `,` | `TLSv1.2` |
| `kubernetes.tls.versions` / `KUBERNETES_TLS_VERSIONS` | TLS versions separated by `,` | `TLSv1.2,TLSv1.3` |
| `kubernetes.truststore.file` / `KUBERNETES_TRUSTSTORE_FILE` | | |
| `kubernetes.truststore.passphrase` / `KUBERNETES_TRUSTSTORE_PASSPHRASE` | | |
| `kubernetes.keystore.file` / `KUBERNETES_KEYSTORE_FILE` | | |
Expand Up @@ -29,6 +29,8 @@
import io.vertx.core.spi.tls.SslContextFactory;
import io.vertx.ext.web.client.WebClientOptions;

import java.util.Arrays;
import java.util.HashSet;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;

Expand Down Expand Up @@ -73,8 +75,12 @@ public VertxHttpClient<F> build() {
options.setProxyOptions(proxyOptions);
}

final String[] protocols;
if (tlsVersions != null && tlsVersions.length > 0) {
Stream.of(tlsVersions).map(TlsVersion::javaName).forEach(options::addEnabledSecureTransportProtocol);
protocols = Stream.of(tlsVersions).map(TlsVersion::javaName).toArray(String[]::new);
options.setEnabledSecureTransportProtocols(new HashSet<>(Arrays.asList(protocols)));
} else {
protocols = null;
}

if (this.preferHttp11) {
Expand All @@ -98,7 +104,7 @@ public SslContextFactory sslContextFactory() {
IdentityCipherSuiteFilter.INSTANCE,
ApplicationProtocolConfig.DISABLED,
io.netty.handler.ssl.ClientAuth.NONE,
null,
protocols,
false);
}
});
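Review bot: `new HashSet<>(Arrays.asList(protocols))` on the `setEnabledSecureTransportProtocols` line discards the preference order that the `TlsVersion` enum comment says must be kept; `new LinkedHashSet<>(Arrays.asList(protocols))` preserves it at no cost (the `java.util.HashSet` import in the first hunk would become `java.util.LinkedHashSet`). Separately, every configured name is passed straight through as `protocols` to the SSL context factory, and with `TLSv1.3` now in the default list a runtime whose provider lacks it may reject the name when the engine's enabled protocols are applied (JDK `SSLEngine.setEnabledProtocols` throws `IllegalArgumentException` for unsupported names) — worth confirming that the Vert.x/Netty path filters unsupported protocols the way the `SSLUtils` change does, or filtering here against `SSLContext.getDefault().getSupportedSSLParameters().getProtocols()`. When `tlsVersions` is empty, `protocols` is `null` and the factory's own defaults apply; a comment on the `else` branch such as `// null: let the SSL provider choose its default protocol set` would make that explicit. Both `build()` and `sslContextFactory()` continue outside the hunk.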
Expand Up @@ -215,7 +215,7 @@ public class Config {
private String proxyPassword;
private String[] noProxy;
private String userAgent = "fabric8-kubernetes-client/" + Version.clientVersion();
private TlsVersion[] tlsVersions = new TlsVersion[] { TlsVersion.TLS_1_2 };
private TlsVersion[] tlsVersions = new TlsVersion[] { TlsVersion.TLS_1_3, TlsVersion.TLS_1_2 };

private Map<Integer, String> errorMessages = new HashMap<>();

Expand Up @@ -18,15 +18,19 @@

/**
* TODO: determine if java names should be used here as well or instead
*
*
* Replacement for okhttp3.TlsVersion
*/
public enum TlsVersion {

// these need to be kept in preference order
TLS_1_3("TLSv1.3"),
TLS_1_2("TLSv1.2"),
@Deprecated
TLS_1_1("TLSv1.1"),
@Deprecated
TLS_1_0("TLSv1"),
@Deprecated
SSL_3_0("SSLv3"),
;

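Review bot: The three `@Deprecated` constants carry no `@deprecated` Javadoc, so users get the compiler warning but no reason or replacement; adding `/** @deprecated insecure protocol version; use {@link #TLS_1_2} or {@link #TLS_1_3}. */` above each tells them what to do. Because the declaration order is now load-bearing (`SSLUtils` iterates `values()` starting from the newest), the existing `// these need to be kept in preference order` comment could also name that consumer, e.g. `// these need to be kept in preference order: SSLUtils.sslContext() iterates values() newest-first`, so the dependency is visible where someone might reorder. Deprecation does not stop a deprecated value from being selected via `kubernetes.tls.versions`; a warning log when one is configured would be a worthwhile follow-up but is outside this hunk.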
Expand Up @@ -17,6 +17,7 @@

import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.http.TlsVersion;
import io.fabric8.kubernetes.client.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -83,11 +84,30 @@ public static SSLContext sslContext(Config config) throws CertificateException,
}

public static SSLContext sslContext(KeyManager[] keyManagers, TrustManager[] trustManagers) {
SSLContext sslContext = null;
NoSuchAlgorithmException noSuch = null;
// v1.3 is not supported on all vms, and of course there may be later versions added.
// so try to find one starting with the latest
for (TlsVersion version : TlsVersion.values()) {
try {
sslContext = SSLContext.getInstance(version.javaName());
break;
} catch (NoSuchAlgorithmException e) {
if (noSuch == null) {
noSuch = e;
}
continue;
}
}

if (sslContext == null) {
throw KubernetesClientException.launderThrowable(noSuch);
}

try {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(keyManagers, trustManagers, new SecureRandom());
return sslContext;
} catch (KeyManagementException | NoSuchAlgorithmException e) {
} catch (KeyManagementException e) {
throw KubernetesClientException.launderThrowable(e);
}
}
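Review bot: The fallback loop in `sslContext(KeyManager[], TrustManager[])` iterates every `TlsVersion`, including the deprecated `TLSv1.1`, `TLSv1` and `SSLv3` entries, so on a provider without a TLS 1.2/1.3 context it would silently build a context named after a deprecated protocol instead of failing; restricting the candidates, e.g. `for (TlsVersion version : new TlsVersion[] { TlsVersion.TLS_1_3, TlsVersion.TLS_1_2 })`, keeps that failure loud. The name handed to `SSLContext.getInstance` is presumably meant to pick the engine's default enabled protocols rather than restrict what the context supports — a comment such as `// the name only selects the default enabled protocols; callers still set the enabled list explicitly` would stop readers from taking this as a hard TLS 1.3 requirement, though that should be confirmed against the provider in use. The `continue` at the end of the catch block is redundant and can be dropped. `sslContext(Config)` begins outside the hunk.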
Expand Up @@ -599,7 +599,7 @@ void testEmptyConfig() {
assertTrue(emptyConfig.getImpersonateExtras().isEmpty());
assertEquals(0, emptyConfig.getImpersonateGroups().length);
assertFalse(emptyConfig.isHttp2Disable());
assertEquals(1, emptyConfig.getTlsVersions().length);
assertEquals(2, emptyConfig.getTlsVersions().length);
assertTrue(emptyConfig.getErrorMessages().isEmpty());
assertNotNull(emptyConfig.getUserAgent());
}
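Review bot: `assertEquals(2, emptyConfig.getTlsVersions().length)` only pins the count, so a default of, say, `{TLS_1_2, TLS_1_1}` would still pass; asserting the contents and order, `assertArrayEquals(new TlsVersion[] { TlsVersion.TLS_1_3, TlsVersion.TLS_1_2 }, emptyConfig.getTlsVersions());`, would actually guard the security-relevant default this commit introduces. `testEmptyConfig()` starts outside the hunk.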