From 5bc264d80b252af182c5791596ffee989569946f Mon Sep 17 00:00:00 2001
From: Ignasi Marimon-Clos <ignasi@lightbend.com>
Date: Fri, 8 May 2020 20:36:43 +0200
Subject: [PATCH 1/2] Review defaults for TLS algorithms defaults

---
 akka-remote/src/main/resources/reference.conf | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/akka-remote/src/main/resources/reference.conf b/akka-remote/src/main/resources/reference.conf
index 9baa1ba5e3..8e74e151c8 100644
--- a/akka-remote/src/main/resources/reference.conf
+++ b/akka-remote/src/main/resources/reference.conf
@@ -661,12 +661,18 @@ akka {
         # https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
         protocol = "TLSv1.2"
 
-        # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+        # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
+        #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+        #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+        # When doing rolling upgrades, make sure to include both the algorithm used 
+        # by old nodes and the preferred algorithm.
         # If you use a JDK 8 prior to 8u161 you need to install
         # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
         # More info here:
         # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
-        enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+        enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA",
+        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
 
         # There are two options, and the default SecureRandom is recommended:
         # "" or "SecureRandom" => (default)
@@ -1133,12 +1139,18 @@ akka {
           # https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
           protocol = "TLSv1.2"
 
-          # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+          # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
+          #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+          #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          # When doing rolling upgrades, make sure to include both the algorithm used 
+          # by old nodes and the preferred algorithm.
           # If you use a JDK 8 prior to 8u161 you need to install
           # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
           # More info here:
           # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
-          enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+          enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA",
+          "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
 
           # There are two options, and the default SecureRandom is recommended:
           # "" or "SecureRandom" => (default)

From 99d75a4b4195fa65a1415fb574acd6949cf86b19 Mon Sep 17 00:00:00 2001
From: Ignasi Marimon-Clos <ignasi@lightbend.com>
Date: Mon, 11 May 2020 15:49:34 +0200
Subject: [PATCH 2/2] Reviews tests asserting default values

---
 akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala  | 3 ++-
 .../src/test/scala/akka/remote/Ticket1978ConfigSpec.scala      | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala b/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
index 65fe6e2f23..321ba259a7 100644
--- a/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala
@@ -130,7 +130,8 @@ class RemoteConfigSpec extends AkkaSpec("""
       sslSettings.SSLTrustStore should ===("truststore")
       sslSettings.SSLTrustStorePassword should ===("changeme")
       sslSettings.SSLProtocol should ===("TLSv1.2")
-      sslSettings.SSLEnabledAlgorithms should ===(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
+      sslSettings.SSLEnabledAlgorithms should ===(
+        Set("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"))
       sslSettings.SSLRandomNumberGenerator should ===("")
     }
 
diff --git a/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala b/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
index b9c3dde0f2..e2114219e2 100644
--- a/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala
@@ -23,7 +23,8 @@ class Ticket1978ConfigSpec extends AkkaSpec("""
       settings.SSLTrustStore should ===("truststore")
       settings.SSLTrustStorePassword should ===("changeme")
       settings.SSLProtocol should ===("TLSv1.2")
-      settings.SSLEnabledAlgorithms should ===(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
+      settings.SSLEnabledAlgorithms should ===(
+        Set("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"))
       settings.SSLRandomNumberGenerator should ===("SecureRandom")
     }
   }