[improve][broker-web&websocket&proxy&function-worker] Full-support set ssl provider, ciphers and protocols #13740

nodece · 2022-01-13T11:19:40Z

Signed-off-by: Zixuan Liu nodeces@gmail.com

Motivation

Pulsar doesn't set ssl provider, ciphers and protocols to the web, websocket and proxy service when tlsEnabledWithKeyStore=false

Modifications

Add org.apache.pulsar.jetty.tls package in pulsar-broker-common for Jetty TLS support
Add a new webServiceTlsProvider=Conscrypt to broker and proxy config
Update Conscrypt as the tlsProvider value in websocket config

In the old version, we implicitly use the Conscrypt provider, now we need to set it explicitly.

Documentation

Need to update docs?

doc-required

Effected version

Pulsar 2.8.x
Pulsar 2.9.x

nodece · 2022-01-17T04:25:52Z

/pulsarbot run-failure-checks

tuteng

LGTM

michaeljmarshall

@nodece - would you please add a README.md file to the resources directories where the certificates and the .jks files are added explaining how they were created/generated? Adding this documentation will help any future troubleshooting that might be necessary for these tests, and it'll help someone verify the files, if they would like to do so. Thanks!

BewareMyPower · 2022-04-28T05:21:39Z

where the certificates and the .jks files are added explaining how they were created/generated?

I've asked the question offline before. It looks like these binaries are copied from #13354 (I'm not sure why the sizes are a little different), whose documents will be added later. I'm just wondering that is there a good way to reference the same resources in two modules?

nodece · 2022-04-28T06:17:20Z

@nodece - would you please add a README.md file to the resources directories where the certificates and the .jks files are added explaining how they were created/generated? Adding this documentation will help any future troubleshooting that might be necessary for these tests, and it'll help someone verify the files, if they would like to do so. Thanks!

Thanks for your point!

I want to do this next PR, we have multiple public certificates and keystore file in Pulsar, these also need to improve.

@michaeljmarshall

nodece · 2022-04-28T08:53:12Z

@eolivelli Could you help review this PR?

eolivelli

LGTM

michaeljmarshall · 2022-04-29T14:35:39Z

Thanks for clarifying @BewareMyPower and @nodece. It makes sense to add in another PR, especially if we have multiple resources to document.

nodece · 2022-04-29T15:54:36Z

Thanks for clarifying @BewareMyPower and @nodece. It makes sense to add in another PR, especially if we have multiple resources to document.

@michaeljmarshall Thanks, could you approve this PR? then I do these things.

michaeljmarshall

LGTM

nodece · 2022-04-30T08:04:21Z

/pulsarbot rerun-failure-checks

codelipenghui · 2022-04-30T10:15:21Z

/pulsarbot run-failure-checks

…t ssl provider, ciphers and protocols Signed-off-by: Zixuan Liu <nodeces@gmail.com>

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

nodece · 2022-04-30T10:21:51Z

Forch-pushed for rebase the master branch.

nodece · 2022-04-30T13:13:47Z

/pulsarbot run-failure-checks

…t ssl provider, ciphers and protocols (#13740) Fixes #13734 Pulsar doesn't set ssl provider, ciphers and protocols to the web, websocket and proxy service when `tlsEnabledWithKeyStore=false` - Add `org.apache.pulsar.jetty.tls` package in pulsar-broker-common for Jetty TLS support - Add a new `webServiceTlsProvider=Conscrypt` to broker and proxy config - Update `Conscrypt` as the `tlsProvider` value in websocket config In the old version, we implicitly use the `Conscrypt` provider, now we need to set it explicitly. (cherry picked from commit bf15e83)

…t ssl provider, ciphers and protocols (apache#13740) Fixes apache#13734 Pulsar doesn't set ssl provider, ciphers and protocols to the web, websocket and proxy service when `tlsEnabledWithKeyStore=false` - Add `org.apache.pulsar.jetty.tls` package in pulsar-broker-common for Jetty TLS support - Add a new `webServiceTlsProvider=Conscrypt` to broker and proxy config - Update `Conscrypt` as the `tlsProvider` value in websocket config In the old version, we implicitly use the `Conscrypt` provider, now we need to set it explicitly. (cherry picked from commit bf15e83) (cherry picked from commit fb0cb76)

…t ssl provider, ciphers and protocols (apache#13740) Fixes apache#13734 Pulsar doesn't set ssl provider, ciphers and protocols to the web, websocket and proxy service when `tlsEnabledWithKeyStore=false` - Add `org.apache.pulsar.jetty.tls` package in pulsar-broker-common for Jetty TLS support - Add a new `webServiceTlsProvider=Conscrypt` to broker and proxy config - Update `Conscrypt` as the `tlsProvider` value in websocket config In the old version, we implicitly use the `Conscrypt` provider, now we need to set it explicitly. (cherry picked from commit bf15e83) (cherry picked from commit b28f541)

nodece force-pushed the fix_tls_config branch from d7d57ca to 3a027f5 Compare January 13, 2022 11:22

github-actions bot assigned nodece Jan 13, 2022

github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jan 13, 2022

nodece marked this pull request as draft January 13, 2022 15:13

nodece force-pushed the fix_tls_config branch 2 times, most recently from 642124f to ea13113 Compare January 14, 2022 04:49

nodece marked this pull request as ready for review January 14, 2022 04:50

nodece force-pushed the fix_tls_config branch 3 times, most recently from 2aea92d to fccc371 Compare January 14, 2022 08:52

nodece marked this pull request as draft January 14, 2022 16:38

nodece force-pushed the fix_tls_config branch 2 times, most recently from 2581c78 to 74c462a Compare January 15, 2022 15:18

nodece marked this pull request as ready for review January 15, 2022 15:25

limbonicat previously approved these changes Jan 17, 2022

View reviewed changes

nodece changed the title ~~[Broker] Fix config ciphers and protocols to web server~~ [Broker] Fix handshake failure on web service Jan 17, 2022

nodece force-pushed the fix_tls_config branch 2 times, most recently from 2c82a67 to 4f36929 Compare January 17, 2022 03:32

nodece changed the title ~~[Broker] Fix handshake failure on web service~~ [Security] Fix handshake failure on web service Jan 17, 2022

codelipenghui added this to the 2.10.0 milestone Jan 17, 2022

codelipenghui added release/2.8.3 release/2.9.3 labels Jan 17, 2022

codelipenghui requested review from 315157973, eolivelli, hangc0276, hezhangjian, lhotari and merlimat January 17, 2022 04:28

tuteng previously approved these changes Jan 17, 2022

View reviewed changes

Technoboy- approved these changes Apr 28, 2022

View reviewed changes

michaeljmarshall requested changes Apr 28, 2022

View reviewed changes

nodece requested a review from michaeljmarshall April 28, 2022 06:19

RobertIndie approved these changes Apr 28, 2022

View reviewed changes

eolivelli approved these changes Apr 29, 2022

View reviewed changes

michaeljmarshall approved these changes Apr 29, 2022

View reviewed changes

nodece added 2 commits April 30, 2022 18:19

[improve][broker-web&websocket&proxy&function-worker] Full-support se…

76fc923

…t ssl provider, ciphers and protocols Signed-off-by: Zixuan Liu <nodeces@gmail.com>

Fix load Conscrypt provider

f3c74b0

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

nodece force-pushed the fix_tls_config branch from 84046c5 to f3c74b0 Compare April 30, 2022 10:19

codelipenghui merged commit bf15e83 into apache:master May 1, 2022

codelipenghui added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label May 5, 2022

codelipenghui added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label May 5, 2022

momo-jun mentioned this pull request May 5, 2022

[feature][doc] Add configs for full-support tls provider and managed cursor compression #15210

Merged

1 task

Anonymitaet added doc-complete Your PR changes impact docs and the related docs have been already added. and removed doc-required Your PR changes impact docs and you will update later. labels May 5, 2022

codelipenghui added the cherry-picked/branch-2.10 label May 20, 2022

[improve][broker-web&websocket&proxy&function-worker] Full-support set ssl provider, ciphers and protocols #13740

[improve][broker-web&websocket&proxy&function-worker] Full-support set ssl provider, ciphers and protocols #13740

Uh oh!

Conversation

nodece commented Jan 13, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Motivation

Modifications

Documentation

Effected version

Uh oh!

nodece commented Jan 17, 2022

Uh oh!

tuteng left a comment

Choose a reason for hiding this comment

Uh oh!

michaeljmarshall left a comment

Choose a reason for hiding this comment

Uh oh!

BewareMyPower commented Apr 28, 2022

Uh oh!

nodece commented Apr 28, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodece commented Apr 28, 2022

Uh oh!

eolivelli left a comment

Choose a reason for hiding this comment

Uh oh!

michaeljmarshall commented Apr 29, 2022

Uh oh!

nodece commented Apr 29, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

michaeljmarshall left a comment

Choose a reason for hiding this comment

Uh oh!

nodece commented Apr 30, 2022

Uh oh!

codelipenghui commented Apr 30, 2022

Uh oh!

nodece commented Apr 30, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodece commented Apr 30, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

nodece commented Jan 13, 2022 •

edited

Loading

nodece commented Apr 28, 2022 •

edited

Loading

nodece commented Apr 29, 2022 •

edited

Loading

nodece commented Apr 30, 2022 •

edited

Loading