diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 7521b460467c..31dd1cb19e4d 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -58,6 +58,7 @@ import org.apache.ratis.thirdparty.io.netty.channel.nio.NioEventLoopGroup;
 import org.apache.ratis.thirdparty.io.netty.channel.socket.nio.NioServerSocketChannel;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -146,7 +147,9 @@ public XceiverServerGrpc(DatanodeDetails datanodeDetails,
 SslContextBuilder sslContextBuilder = GrpcSslContexts.configure(
 sslClientContextBuilder, secConf.getGrpcSslProvider());
 sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
 nettyServerBuilder.sslContext(sslContextBuilder.build());
 } catch (Exception ex) {
 LOG.error("Unable to setup TLS for secure datanode GRPC endpoint.", ex);
diff --git a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
index 3c1c6a54efb5..f2d06c2f6b1c 100644
--- a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
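Review bot: With SupportedCipherSuiteFilter.INSTANCE on the new ciphers(...) call, a configured suite name the provider does not recognise is dropped silently instead of failing SslContext construction, so a typo or a suite retired by a JDK/OpenSSL upgrade no longer surfaces at startup; the server would come up with a narrower (and, if nothing matches, possibly empty) enabled set and only later handshake failures would reveal it. The hunk already logs build failures, so log the effective set next to it: `SslContext sslContext = sslContextBuilder.build();` `LOG.info("gRPC TLS enabled cipher suites: {}", sslContext.cipherSuites());` `nettyServerBuilder.sslContext(sslContext);` (SslContext would need an import from the same netty package), and consider a warning when that list is shorter than secConf.getGrpcTlsCiphers(). The identical change in ReplicationServer, InterSCMGrpcProtocolService and GrpcOzoneManagerServer would benefit from the same logging. The constructor continues outside the hunk.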
+++ b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
@@ -44,6 +44,7 @@ import org.apache.ratis.thirdparty.io.grpc.netty.NettyServerBuilder;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -121,7 +122,9 @@ public void init() {
 sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
 sslContextBuilder.trustManager(caClient.getTrustManager());
 sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
 nettyServerBuilder.sslContext(sslContextBuilder.build());
 } catch (IOException ex) {
diff --git a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
index 482a86b79dea..443312282fdf 100644
--- a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
+++ b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
@@ -51,6 +51,7 @@ import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
+import org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -146,6 +147,26 @@ public void testDefaultConfigAcceptsConnection() throws Exception {
 }
 }
+ @Test
+ public void testServerIgnoresUnsupportedConfiguredCiphers() throws Exception {
+ Server server = null;
+ ManagedChannel channel = null;
+ try {
+ String[] configuredCiphers = {
+ "TLS_FAKE_CIPHER_SUITE",
+ "TLS_AES_256_GCM_SHA384"
+ };
+ server = setupServer(new String[]{"TLSv1.3"}, configuredCiphers);
+ server.start();
+ channel = setupClient(server.getPort(), new String[]{"TLSv1.3"}, new String[]{"TLS_AES_256_GCM_SHA384"});
+ XceiverClientProtocolServiceStub asyncStub = XceiverClientProtocolServiceGrpc.newStub(channel);
+ ContainerCommandResponseProto response = sendRequest(asyncStub);
+ assertEquals(SUCCESS, response.getResult());
+ } finally {
+ shutdown(channel, server);
+ }
+ }
+
 private Server setupServer(String[] protocols, String[] ciphers)
 throws Exception {
 NettyServerBuilder nettyServerBuilder = NettyServerBuilder.forPort(0).addService(new GrpcService());
@@ -157,7 +178,9 @@ private Server setupServer(String[] protocols, String[] ciphers)
 sslContextBuilder.protocols(protocols);
 }
 if (ciphers != null) {
- sslContextBuilder.ciphers(Arrays.asList(ciphers));
+ sslContextBuilder.ciphers(
+ Arrays.asList(ciphers),
+ SupportedCipherSuiteFilter.INSTANCE);
 }
 nettyServerBuilder.sslContext(sslContextBuilder.build());
 return nettyServerBuilder.build();
diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
index 1aa1fa7bfc93..8b4086a69d92 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
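Review bot: testServerIgnoresUnsupportedConfiguredCiphers only asserts that the handshake succeeds, which shows TLS_AES_256_GCM_SHA384 survived the filter but says nothing about TLS_FAKE_CIPHER_SUITE having been dropped; depending on which SslProvider the test runs under, an unknown name may also have been tolerated before this change, so the test may not catch a regression in the filter. Consider having setupServer keep the built SslContext reachable (or building it directly in the test) and adding `assertFalse(sslContext.cipherSuites().contains("TLS_FAKE_CIPHER_SUITE"));` next to the connection check. A short comment on the test stating that the fake name stands in for a suite the provider does not know would also make the intent clear. setupServer's body continues outside the hunk.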
@@ -35,6 +35,7 @@ import org.apache.ratis.thirdparty.io.grpc.netty.NettyServerBuilder;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
 import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -75,7 +76,9 @@ public class InterSCMGrpcProtocolService {
 sslServerContextBuilder, securityConfig.getGrpcSslProvider());
 sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
 sslContextBuilder.protocols(securityConfig.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ securityConfig.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
 nettyServerBuilder.sslContext(sslContextBuilder.build());
 } catch (Exception ex) {
 LOG.error("Unable to setup TLS for secure " +
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
index 520a434a69b4..a05dc47c9b0f 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
@@ -38,6 +38,7 @@ import io.netty.channel.socket.nio.NioServerSocketChannel;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import java.io.IOException;
 import java.util.OptionalInt;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -165,7 +166,9 @@ public void init(OzoneManagerProtocolServerSideTranslatorPB omTranslator,
 SslProvider.valueOf(omServerConfig.get(HDDS_GRPC_TLS_PROVIDER, HDDS_GRPC_TLS_PROVIDER_DEFAULT)));
 sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
 nettyServerBuilder.sslContext(sslContextBuilder.build());
 } catch (Exception ex) {
 LOG.error("Unable to setup TLS for secure Om S3g GRPC channel.", ex);