diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
index 90d484cea4a0..994b4c6fa15e 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java
@@ -596,18 +596,16 @@ private ServerConnector createHttpsChannelConnector(
 private void setEnabledProtocols(SslContextFactory sslContextFactory) {
 String enabledProtocols = conf.get(OzoneConfigKeys.OZONE_SSL_ENABLED_PROTOCOLS, conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT));
- if (!enabledProtocols.equals(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
- List originalExcludedProtocols = Arrays.asList(sslContextFactory.getExcludeProtocols());
- String[] enabledProtocolsArray = StringUtils.getTrimmedStrings(enabledProtocols);
+ List originalExcludedProtocols = Arrays.asList(sslContextFactory.getExcludeProtocols());
+ String[] enabledProtocolsArray = StringUtils.getTrimmedStrings(enabledProtocols);
- List finalExcludedProtocols = new ArrayList<>(originalExcludedProtocols);
- finalExcludedProtocols.removeAll(Arrays.asList(enabledProtocolsArray));
+ List finalExcludedProtocols = new ArrayList<>(originalExcludedProtocols);
+ finalExcludedProtocols.removeAll(Arrays.asList(enabledProtocolsArray));
- sslContextFactory.setExcludeProtocols(finalExcludedProtocols.toArray(new String[0]));
- LOG.info("Disabled protocols: {}", finalExcludedProtocols);
- sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
- LOG.info("Enabled protocols: {}", enabledProtocols);
- }
+ sslContextFactory.setExcludeProtocols(finalExcludedProtocols.toArray(new String[0]));
+ LOG.info("Disabled protocols: {}", finalExcludedProtocols);
+ sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
+ LOG.info("Enabled protocols: {}", enabledProtocols);
 }
 }
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/http/TestHttpServer2SSL.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/http/TestHttpServer2SSL.java
index 9f033d0aca11..f27ac3c201e6 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/http/TestHttpServer2SSL.java
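Review bot: With the default-value guard removed, every value of the protocol setting now flows into `finalExcludedProtocols.removeAll(Arrays.asList(enabledProtocolsArray))` followed by `setIncludeProtocols`, so a protocol named in configuration is both included and stripped from Jetty's built-in exclude list; the configuration fully overrides Jetty's protocol hardening rather than narrowing it, and that contract deserves a comment above the `removeAll` line such as `// Configured protocols override Jetty's default exclusions: anything listed here becomes negotiable.`. It is also worth deciding and documenting what an empty or blank setting means, since `StringUtils.getTrimmedStrings` appears to return an empty array in that case and the include list would then be set to nothing rather than to the default. The re-added `List originalExcludedProtocols` and `List finalExcludedProtocols` declarations keep raw types; since these lines are being rewritten anyway, `List<String> originalExcludedProtocols = Arrays.asList(sslContextFactory.getExcludeProtocols());` and `List<String> finalExcludedProtocols = new ArrayList<>(originalExcludedProtocols);` would let the compiler check the `toArray(new String[0])` call. The method body is complete within the hunk.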
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/server/http/TestHttpServer2SSL.java
@@ -17,7 +17,10 @@ package org.apache.hadoop.hdds.server.http;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import java.io.File;
@@ -29,6 +32,7 @@ import java.net.URI;
 import java.net.URL;
 import java.security.KeyStore;
+import java.util.Arrays;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
@@ -41,6 +45,9 @@ import org.apache.hadoop.hdds.conf.OzoneConfiguration;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.apache.hadoop.security.ssl.SSLFactory;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -169,9 +176,58 @@ public void testDefaultConfigAcceptsConnection() throws Exception {
 }
 }
+ @Test
+ public void testEnabledProtocolAppliedWhenConfigUnset() throws Exception {
+ OzoneConfiguration serverConf = new OzoneConfiguration(conf);
+ serverConf.unset(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY);
+ assertServerAppliesEnabledProtocol(serverConf, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+ }
+
+ @Test
+ public void testEnabledProtocolAppliedWhenConfigSetToDefault() throws Exception {
+ OzoneConfiguration serverConf = new OzoneConfiguration(conf);
+ serverConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+ assertServerAppliesEnabledProtocol(serverConf, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+ }
+
+ @Test
+ public void testEnabledProtocolAppliedWhenConfigSetToNonDefault() throws Exception {
+ OzoneConfiguration serverConf = new OzoneConfiguration(conf);
+ serverConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, "TLSv1.3");
+ assertServerAppliesEnabledProtocol(serverConf, "TLSv1.3");
+ }
+
+ private void assertServerAppliesEnabledProtocol(
+ OzoneConfiguration serverConf, String protocol) throws Exception {
+ HttpServer2 server = buildServer(serverConf, null, null, null);
+ server.start();
+ try {
+ ServerConnector listener = server.getListeners().get(0);
+ SslConnectionFactory connectionFactory =
+ listener.getConnectionFactory(SslConnectionFactory.class);
+ assertNotNull(connectionFactory,
+ "Expected HTTPS listener with an SSL connection factory");
+
+ SslContextFactory.Server sslContextFactory =
+ (SslContextFactory.Server) connectionFactory.getSslContextFactory();
+ assertArrayEquals(new String[] {protocol},
+ sslContextFactory.getIncludeProtocols());
+ assertFalse(Arrays.asList(sslContextFactory.getExcludeProtocols())
+ .contains(protocol),
+ "Configured enabled protocol should be removed from excluded protocols");
+ } finally {
+ server.stop();
+ }
+ }
+
 private HttpServer2 buildServer(String excludeCiphers, String
includeCiphers, String enabledProtocols) throws Exception {
 OzoneConfiguration serverConf = new OzoneConfiguration(conf);
+ return buildServer(serverConf, excludeCiphers, includeCiphers, enabledProtocols);
+ }
+
+ private HttpServer2 buildServer(OzoneConfiguration serverConf, String excludeCiphers,
+ String includeCiphers, String enabledProtocols) throws Exception {
 if (enabledProtocols != null) {
 serverConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, enabledProtocols);
 }
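Review bot: All three new tests pass a single protocol, so the comma-splitting and trimming performed by `StringUtils.getTrimmedStrings` and the multi-element `removeAll` in `setEnabledProtocols` are never exercised; a case with `serverConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, "TLSv1.2, TLSv1.3");` would cover it if the helper took `String... protocols` and asserted `assertArrayEquals(protocols, sslContextFactory.getIncludeProtocols());` together with `assertTrue(Collections.disjoint(Arrays.asList(sslContextFactory.getExcludeProtocols()), Arrays.asList(protocols)));` (adding the `java.util.Collections` import, and `assertTrue` if not already imported). The production code reads `OzoneConfigKeys.OZONE_SSL_ENABLED_PROTOCOLS` ahead of the Hadoop key, yet no test sets the Ozone key, so its precedence is unverified; one test setting both keys to different values would pin that. `server.getListeners().get(0)` assumes the HTTPS connector is the first listener; the `assertNotNull` would catch a wrong pick, but a one-line comment stating the assumption would help whoever adds a second listener. The hunk is complete within the diff.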