try making TLS v1.3 the default (#1901)

* try making TLS v1.3 the default * tls 1.3 in docs and some test fixes (new cipher suites) * remove TLS_CHACHA20_POLY1305_SHA256 * run java 24 tests * Update RemoteConfigSpec.scala * Revert "run java 24 tests" This reverts commit 479408951303e4389b88d288a5ac4aa0d448c4d3. * test issues * Update TcpSpec.scala
2025-06-24 10:23:14 +01:00 · 2025-06-24 10:23:14 +01:00 · 220981a141
commit 220981a141
parent 9577b01b10
8 changed files with 38 additions and 25 deletions
--- a/docs/src/main/paradox/remoting-artery.md
+++ b/docs/src/main/paradox/remoting-artery.md
@ -292,9 +292,9 @@ pekko.remote.artery {
    key-password = ${SSL_KEY_PASSWORD}
    trust-store-password = ${SSL_TRUST_STORE_PASSWORD}

-    protocol = "TLSv1.2"
+    protocol = "TLSv1.3"

-    enabled-algorithms = [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256]
+    enabled-algorithms = [TLS_AES_256_GCM_SHA384]
  }
 }
 ```
@ -309,6 +309,12 @@ According to [RFC 7525](https://www.rfc-editor.org/rfc/rfc7525.html) the recomme
 * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

+For TLS 1.3, these are good options:
+
+ * TLS_AES_128_GCM_SHA256
+ * TLS_AES_256_GCM_SHA384
+ * TLS_CHACHA20_POLY1305_SHA256 (may not be supported on Java 8 runtimes)
+
 You should always check the latest information about security and algorithm recommendations though before you configure your system.

 Since a Pekko remoting is inherently @ref:[peer-to-peer](general/remoting.md#symmetric-communication) both the key-store as well as trust-store
--- a/docs/src/main/paradox/remoting.md
+++ b/docs/src/main/paradox/remoting.md
@ -467,9 +467,9 @@ pekko {
        key-password = ${SSL_KEY_PASSWORD}
        trust-store-password = ${SSL_TRUST_STORE_PASSWORD}

-        protocol = "TLSv1.2"
+        protocol = "TLSv1.3"

-        enabled-algorithms = [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256]
+        enabled-algorithms = [TLS_AES_256_GCM_SHA384]
      }
    }
  }
--- a/remote/src/main/resources/reference.conf
+++ b/remote/src/main/resources/reference.conf
@ -704,20 +704,22 @@ pekko {
          trust-store-password = "changeme"

          # Protocol to use for SSL encryption.
-          protocol = "TLSv1.2"
+          protocol = "TLSv1.3"

-          # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
+          # Example for TLSv1.2: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
          #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
          #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          # Example for TLSv1.3: ["TLS_AES_128_GCM_SHA256",
+          #   "TLS_AES_256_GCM_SHA384"]
          # When doing rolling upgrades, make sure to include both the algorithm used 
          # by old nodes and the preferred algorithm.
          # If you use a JDK 8 prior to 8u161 you need to install
          # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
          # More info here:
          # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
-          enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_AES_128_CBC_SHA"]
+          enabled-algorithms = ["TLS_AES_128_GCM_SHA256",
+            "TLS_AES_256_GCM_SHA384"]

          # There are two options, and the default SecureRandom is recommended:
          # "" or "SecureRandom" => (default)
@ -1188,20 +1190,22 @@ pekko {
          trust-store-password = "changeme"

          # Protocol to use for SSL encryption.
-          protocol = "TLSv1.2"
+          protocol = "TLSv1.3"

-          # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
+          # Example for TLSv1.2: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
          #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
          #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          # Example for TLSv1.3: ["TLS_AES_128_GCM_SHA256",
+          #   "TLS_AES_256_GCM_SHA384"]
          # When doing rolling upgrades, make sure to include both the algorithm used 
          # by old nodes and the preferred algorithm.
          # If you use a JDK 8 prior to 8u161 you need to install
          # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
          # More info here:
          # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
-          enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_RSA_WITH_AES_128_CBC_SHA"]
+          enabled-algorithms = ["TLS_AES_128_GCM_SHA256",
+            "TLS_AES_256_GCM_SHA384"]

          # There are two options, and the default SecureRandom is recommended:
          # "" or "SecureRandom" => (default)
@ -1264,18 +1268,21 @@ pekko {
          # suite (see enabled-algorithms section)
          random-number-generator = ""

-          # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+          # Example for TLSv1.2: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
          #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          #   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
          #   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          # Example for TLSv1.3: ["TLS_AES_128_GCM_SHA256",
+          #   "TLS_AES_256_GCM_SHA384"]
          # If you use a JDK 8 prior to 8u161 you need to install
          # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
          # More info here:
          # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
-          enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+          enabled-algorithms = ["TLS_AES_128_GCM_SHA256",
+            "TLS_AES_256_GCM_SHA384"]

          # Protocol to use for SSL encryption.
-          protocol = "TLSv1.2"
+          protocol = "TLSv1.3"

          # How long should an SSLContext instance be cached. When rotating keys and certificates,
          # there must a time overlap between the old certificate/key and the new ones. The
--- a/remote/src/test/scala/org/apache/pekko/remote/RemoteConfigSpec.scala
+++ b/remote/src/test/scala/org/apache/pekko/remote/RemoteConfigSpec.scala
@ -140,9 +140,9 @@ class RemoteConfigSpec extends PekkoSpec("""
      sslSettings.SSLKeyPassword should ===("changeme")
      sslSettings.SSLTrustStore should ===("truststore")
      sslSettings.SSLTrustStorePassword should ===("changeme")
-      sslSettings.SSLProtocol should ===("TLSv1.2")
+      sslSettings.SSLProtocol should ===("TLSv1.3")
      sslSettings.SSLEnabledAlgorithms should ===(
-        Set("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"))
+        Set("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"))
      sslSettings.SSLRandomNumberGenerator should ===("")
    }

--- a/remote/src/test/scala/org/apache/pekko/remote/Ticket1978ConfigSpec.scala
+++ b/remote/src/test/scala/org/apache/pekko/remote/Ticket1978ConfigSpec.scala
@ -32,9 +32,9 @@ class Ticket1978ConfigSpec extends PekkoSpec("""
      settings.SSLKeyPassword should ===("changeme")
      settings.SSLTrustStore should ===("truststore")
      settings.SSLTrustStorePassword should ===("changeme")
-      settings.SSLProtocol should ===("TLSv1.2")
+      settings.SSLProtocol should ===("TLSv1.3")
      settings.SSLEnabledAlgorithms should ===(
-        Set("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"))
+        Set("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"))
      settings.SSLRandomNumberGenerator should ===("SecureRandom")
    }
  }
--- a/remote/src/test/scala/org/apache/pekko/remote/artery/tcp/TlsTcpSpec.scala
+++ b/remote/src/test/scala/org/apache/pekko/remote/artery/tcp/TlsTcpSpec.scala
@ -39,7 +39,7 @@ class TlsTcpWithSHA1PRNGSpec
    extends TlsTcpSpec(ConfigFactory.parseString("""
    pekko.remote.artery.ssl.config-ssl-engine {
      random-number-generator = "SHA1PRNG"
-      enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
+      enabled-algorithms = ["TLS_AES_256_GCM_SHA384"]
    }
    """))

@ -47,7 +47,7 @@ class TlsTcpWithDefaultRNGSecureSpec
    extends TlsTcpSpec(ConfigFactory.parseString("""
    pekko.remote.artery.ssl.config-ssl-engine {
      random-number-generator = ""
-      enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
+      enabled-algorithms = ["TLS_AES_256_GCM_SHA384"]
    }
    """))

--- a/stream-tests/src/test/java/org/apache/pekko/stream/javadsl/TcpTest.java
+++ b/stream-tests/src/test/java/org/apache/pekko/stream/javadsl/TcpTest.java
@ -203,7 +203,7 @@ public class TcpTest extends StreamTest {
      keyManagerFactory.init(keyStore, password);

      // init ssl context
-      SSLContext context = SSLContext.getInstance("TLSv1.2");
+      SSLContext context = SSLContext.getInstance("TLSv1.3");
      context.init(
          keyManagerFactory.getKeyManagers(),
          trustManagerFactory.getTrustManagers(),
--- a/stream-tests/src/test/scala/org/apache/pekko/stream/io/TcpSpec.scala
+++ b/stream-tests/src/test/scala/org/apache/pekko/stream/io/TcpSpec.scala
@ -954,7 +954,7 @@ class TcpSpec extends StreamSpec("""
      keyManagerFactory.init(keyStore, password)

      // init ssl context
-      val context = SSLContext.getInstance("TLSv1.2")
+      val context = SSLContext.getInstance("TLSv1.3")
      context.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
      context
    }
@ -964,8 +964,8 @@ class TcpSpec extends StreamSpec("""
      val engine = sslContext.createSSLEngine()

      engine.setUseClientMode(role == pekko.stream.Client)
-      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_128_CBC_SHA"))
-      engine.setEnabledProtocols(Array("TLSv1.2"))
+      engine.setEnabledCipherSuites(Array("TLS_AES_256_GCM_SHA384"))
+      engine.setEnabledProtocols(Array("TLSv1.3"))

      engine
    }