Restore ssl settings in reference.conf, see #3022
* Cleanup and addition of configuration tests for remote settings
This commit is contained in:
parent
814ba1c02a
commit
9ed701a75c
9 changed files with 103 additions and 29 deletions
@ -316,7 +316,7 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
remote {
|
||||
enabled-transports = [akka.remote.netty.ssl]
|
||||
|
||||
netty.ssl {
|
||||
netty.ssl.security {
|
||||
key-store = "mykeystore"
|
||||
trust-store = "mytruststore"
|
||||
key-store-password = "changeme"
|
||||
|
|
@ -324,7 +324,6 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
protocol = "TLSv1"
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
|
||||
sha1prng-random-source = "/dev/./urandom"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -318,7 +318,7 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
remote {
|
||||
enabled-transports = [akka.remote.netty.ssl]
|
||||
|
||||
netty.ssl {
|
||||
netty.ssl.security {
|
||||
key-store = "mykeystore"
|
||||
trust-store = "mytruststore"
|
||||
key-store-password = "changeme"
|
||||
|
|
@ -326,7 +326,6 @@ An example of setting up the default Netty based SSL driver as default::
|
|||
protocol = "TLSv1"
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
|
||||
sha1prng-random-source = "/dev/./urandom"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -301,6 +301,8 @@ akka {
|
|||
# Max number of threads to cap factor-based number to
|
||||
pool-size-max = 8
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
netty.udp = ${akka.remote.netty.tcp}
|
||||
|
|
@ -310,7 +312,52 @@ akka {
|
|||
|
||||
netty.ssl = ${akka.remote.netty.tcp}
|
||||
netty.ssl = {
|
||||
# Enable SSL/TLS encryption.
|
||||
# This must be enabled on both the client and server to work.
|
||||
enable-ssl = true
|
||||
|
||||
security {
|
||||
# This is the Java Key Store used by the server connection
|
||||
key-store = "keystore"
|
||||
|
||||
# This password is used for decrypting the key store
|
||||
key-store-password = "changeme"
|
||||
|
||||
# This is the Java Key Store used by the client connection
|
||||
trust-store = "truststore"
|
||||
|
||||
# This password is used for decrypting the trust store
|
||||
trust-store-password = "changeme"
|
||||
|
||||
# Protocol to use for SSL encryption, choose from:
|
||||
# Java 6 & 7:
|
||||
# 'SSLv3', 'TLSv1'
|
||||
# Java 7:
|
||||
# 'TLSv1.1', 'TLSv1.2'
|
||||
protocol = "TLSv1"
|
||||
|
||||
# Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
|
||||
# You need to install the JCE Unlimited Strength Jurisdiction Policy
|
||||
# Files to use AES 256.
|
||||
# More info here:
|
||||
# http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
|
||||
enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
|
||||
|
||||
# There are three options, in increasing order of security:
|
||||
# "" or SecureRandom => (default)
|
||||
# "SHA1PRNG" => Can be slow because of blocking issues on Linux
|
||||
# "AES128CounterSecureRNG" => fastest startup and based on AES encryption
|
||||
# algorithm
|
||||
# "AES256CounterSecureRNG"
|
||||
# The following use one of 3 possible seed sources, depending on
|
||||
# availability: /dev/random, random.org and SecureRandom (provided by Java)
|
||||
# "AES128CounterInetRNG"
|
||||
# "AES256CounterInetRNG" (Install JCE Unlimited Strength Jurisdiction
|
||||
# Policy Files first)
|
||||
# Setting a value here may require you to supply the appropriate cipher
|
||||
# suite (see enabled-algorithms section above)
|
||||
random-number-generator = ""
|
||||
}
|
||||
}
|
||||
|
||||
}
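Review bot: Every key under the new `security` block now carries a non-empty default, including `key-store-password = "changeme"` and `trust-store-password = "changeme"`, so the empty-value checks in SSLSettings (the other hunk of this commit) can no longer detect a deployment that switched on the ssl transport without configuring its stores — the placeholder password is accepted silently. A comment at the top of the block would make the intent explicit, e.g. `# Placeholder values: override key-store, trust-store and both passwords in application.conf`. Whether the store file names resolve at runtime is not visible from the hunk; only the config validation is.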
|
||||
|
|
|
|||
|
|
@ -36,13 +36,13 @@ private[akka] class SSLSettings(config: Config) {
|
|||
|
||||
// FIXME: Change messages to reflect new configuration
|
||||
if (SSLProtocol.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.enable is turned on but no protocol is defined in 'akka.remote.netty.ssl.protocol'.")
|
||||
"Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no protocol is defined in 'akka.remote.netty.ssl.security.protocol'.")
|
||||
if (SSLKeyStore.isEmpty && SSLTrustStore.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.enable is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.key-store' / 'akka.remote.netty.ssl.trust-store'.")
|
||||
"Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.security.key-store' / 'akka.remote.netty.ssl.security.trust-store'.")
|
||||
if (SSLKeyStore.isDefined && SSLKeyStorePassword.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.key-store-password'.")
|
||||
"Configuration option 'akka.remote.netty.ssl.security.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.security.key-store-password'.")
|
||||
if (SSLTrustStore.isDefined && SSLTrustStorePassword.isEmpty) throw new ConfigurationException(
|
||||
"Configuration option 'akka.remote.netty.ssl.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.trust-store-password'.")
|
||||
"Configuration option 'akka.remote.netty.ssl.security.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.security.trust-store-password'.")
|
||||
}
|
||||
|
||||
/**
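Review bot: The context line `// FIXME: Change messages to reflect new configuration` is now stale, because the four messages right below it are exactly what this commit rewrites to the `akka.remote.netty.ssl.security.*` paths; it should go in the same change. The checks themselves only reject empty values, so the defaults added to reference.conf in this commit (`"keystore"`, `"changeme"`) pass them unchanged — worth a one-line comment such as `// only presence is validated here; reference.conf supplies placeholder values` so the next reader does not assume the constructor proves the stores are configured. The SSLSettings constructor starts before the hunk and the Scaladoc at the end is cut off.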
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ class NettyTransportSettings(config: Config) {
|
|||
@deprecated("WARNING: This should only be used by professionals.", "2.0")
|
||||
val PortSelector: Int = getInt("port")
|
||||
|
||||
val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("ssl"))) else None
|
||||
val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("security"))) else None
|
||||
|
||||
val ServerSocketWorkerPoolSize: Int = computeWPS(config.getConfig("server-socket-worker-pool"))
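Review bot: `config.getConfig("security")` raises a raw `ConfigException.Missing` when `enable-ssl` is on but the transport's config has no `security` section, which — judging from the reference.conf hunk, where `security` is defined only under `netty.ssl` — is the situation for a user who turns on `enable-ssl` on the plain `netty.tcp` transport; every other mis-configuration in SSLSettings surfaces as a `ConfigurationException` naming the offending path. Consider `val SslSettings: Option[SSLSettings] = if (!EnableSsl) None else if (config.hasPath("security")) Some(new SSLSettings(config.getConfig("security"))) else throw new ConfigurationException("'enable-ssl' is on but no 'security' section is defined")`, reusing the exception type SSLSettings already throws (assuming it is in scope in this file). The NettyTransportSettings body continues outside the hunk.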
|
||||
|
||||
|
|
|
|||
|
|
@ -4,12 +4,12 @@
|
|||
package akka.remote
|
||||
|
||||
import language.postfixOps
|
||||
|
||||
import akka.testkit.AkkaSpec
|
||||
import akka.actor.ExtendedActorSystem
|
||||
import scala.concurrent.duration._
|
||||
import akka.remote.transport.AkkaProtocolSettings
|
||||
import akka.util.{ Timeout, Helpers }
|
||||
import akka.remote.transport.netty.SSLSettings
|
||||
|
||||
@org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
|
||||
class RemoteConfigSpec extends AkkaSpec(
|
||||
|
|
@ -59,13 +59,41 @@ class RemoteConfigSpec extends AkkaSpec(
|
|||
|
||||
}
|
||||
|
||||
"contain correct configuration values in reference.conf" ignore {
|
||||
"contain correct configuration values in reference.conf" in {
|
||||
val remoteSettings = RARP(system).provider.remoteSettings
|
||||
import remoteSettings._
|
||||
|
||||
LogReceive must be(false)
|
||||
LogSend must be(false)
|
||||
UntrustedMode must be(false)
|
||||
LogRemoteLifecycleEvents must be(false)
|
||||
ShutdownTimeout.duration must be(10 seconds)
|
||||
FlushWait must be(2 seconds)
|
||||
StartupTimeout.duration must be(10 seconds)
|
||||
RetryGateClosedFor must be(Duration.Zero)
|
||||
UnknownAddressGateClosedFor must be(1 minute)
|
||||
UsePassiveConnections must be(true)
|
||||
MaximumRetriesInWindow must be(5)
|
||||
RetryWindow must be(3 seconds)
|
||||
BackoffPeriod must be(10 millis)
|
||||
CommandAckTimeout.duration must be(30 seconds)
|
||||
Transports.size must be(1)
|
||||
Transports.head._1 must be(classOf[akka.remote.transport.netty.NettyTransport].getName)
|
||||
Transports.head._2 must be(Nil)
|
||||
Adapters must be(Map(
|
||||
"gremlin" -> classOf[akka.remote.transport.FailureInjectorProvider].getName,
|
||||
"trttl" -> classOf[akka.remote.transport.ThrottlerProvider].getName))
|
||||
|
||||
}
|
||||
|
||||
"contain correct socket worker pool configuration values in reference.conf" in {
|
||||
val c = RARP(system).provider.remoteSettings.config.getConfig("akka.remote.netty.tcp")
|
||||
|
||||
// server-socket-worker-pool
|
||||
{
|
||||
val pool = c.getConfig("server-socket-worker-pool")
|
||||
pool.getInt("pool-size-min") must equal(2)
|
||||
|
||||
pool.getDouble("pool-size-factor") must equal(1.0)
|
||||
pool.getInt("pool-size-max") must equal(8)
|
||||
}
|
||||
|
|
@ -78,9 +106,17 @@ class RemoteConfigSpec extends AkkaSpec(
|
|||
pool.getInt("pool-size-max") must equal(8)
|
||||
}
|
||||
|
||||
{
|
||||
c.getString("reuse-address") must be("off-for-windows")
|
||||
}
|
||||
}
|
||||
|
||||
"contain correct ssl configuration values in reference.conf" in {
|
||||
val sslSettings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
|
||||
sslSettings.SSLKeyStore must be(Some("keystore"))
|
||||
sslSettings.SSLKeyStorePassword must be(Some("changeme"))
|
||||
sslSettings.SSLTrustStore must be(Some("truststore"))
|
||||
sslSettings.SSLTrustStorePassword must be(Some("changeme"))
|
||||
sslSettings.SSLProtocol must be(Some("TLSv1"))
|
||||
sslSettings.SSLEnabledAlgorithms must be(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
|
||||
sslSettings.SSLRandomNumberGenerator must be(None)
|
||||
}
|
||||
}
|
||||
}
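Review bot: The new ssl test instantiates `SSLSettings` straight from `akka.remote.netty.ssl.security`, so the line this commit actually fixes — `config.getConfig("security")` in NettyTransportSettings — is still not exercised, and a regression of the ssl path lookup would pass this suite. One assertion through the transport settings closes that gap, e.g. `new NettyTransportSettings(system.settings.config.getConfig("akka.remote.netty.ssl")).SslSettings.map(_.SSLProtocol) must be(Some(Some("TLSv1")))`, with the matching import next to the `SSLSettings` import added in the first hunk. Asserting `SSLKeyStorePassword must be(Some("changeme"))` also pins the placeholder password as the shipped default; a short comment saying the test checks reference.conf placeholders, not a usable setup, would avoid that being read as endorsement.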
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ object RemotingSpec {
|
|||
remote.netty.udp.hostname = "localhost"
|
||||
remote.netty.ssl.port = 0
|
||||
remote.netty.ssl.hostname = "localhost"
|
||||
remote.netty.ssl.ssl = ${common-ssl-settings}
|
||||
remote.netty.ssl.security = ${common-ssl-settings}
|
||||
|
||||
remote.test {
|
||||
transport-class = "akka.remote.transport.TestTransport"
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ object Configuration {
|
|||
remote.netty.ssl {
|
||||
hostname = localhost
|
||||
port = %d
|
||||
ssl {
|
||||
security {
|
||||
enable = on
|
||||
trust-store = "%s"
|
||||
key-store = "%s"
|
||||
|
|
@ -61,7 +61,7 @@ object Configuration {
|
|||
//if (true) throw new IllegalArgumentException("Ticket1978*Spec isn't enabled")
|
||||
|
||||
val config = ConfigFactory.parseString(conf.format(localPort, trustStore, keyStore, cipher, enabled.mkString(", ")))
|
||||
val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.ssl")
|
||||
val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.security")
|
||||
val settings = new SSLSettings(fullConfig)
|
||||
|
||||
val rng = NettySSLSupport.initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, NoLogging)
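Review bot: In the first hunk of this file, `enable = on` now sits inside the renamed `security { }` block, but the only flag the code in this commit reads is the transport-level `enable-ssl` (`EnableSsl` in NettyTransportSettings, and the updated SSLSettings message names `akka.remote.netty.ssl.enable-ssl`), so as far as these hunks show `security.enable` is a dead key and the spec silently relies on reference.conf's `enable-ssl = true` for `netty.ssl`. Either drop the line or move it up as `enable-ssl = on` under `remote.netty.ssl` so the spec states its own precondition. The `conf` string in `object Configuration` starts before the hunk.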
|
||||
|
|
|
|||
|
|
@ -8,22 +8,15 @@ import java.util.ArrayList
|
|||
import akka.remote.transport.netty.SSLSettings
|
||||
|
||||
@org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
|
||||
class Ticket1978ConfigSpec extends AkkaSpec with ImplicitSender with DefaultTimeout {
|
||||
|
||||
val cfg = ConfigFactory.parseString("""
|
||||
ssl-settings {
|
||||
key-store = "keystore"
|
||||
trust-store = "truststore"
|
||||
key-store-password = "changeme"
|
||||
trust-store-password = "changeme"
|
||||
protocol = "TLSv1"
|
||||
class Ticket1978ConfigSpec extends AkkaSpec("""
|
||||
akka.remote.netty.ssl.security {
|
||||
random-number-generator = "AES128CounterSecureRNG"
|
||||
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
|
||||
}""")
|
||||
}
|
||||
""") with ImplicitSender with DefaultTimeout {
|
||||
|
||||
"SSL Remoting" must {
|
||||
"be able to parse these extra Netty config elements" in {
|
||||
val settings = new SSLSettings(cfg.getConfig("ssl-settings"))
|
||||
val settings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
|
||||
|
||||
settings.SSLKeyStore must be(Some("keystore"))
|
||||
settings.SSLKeyStorePassword must be(Some("changeme"))
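Review bot: After this change `settings.SSLKeyStore must be(Some("keystore"))` and `settings.SSLKeyStorePassword must be(Some("changeme"))` assert values that come from reference.conf rather than from the spec's own config string, which now sets only `random-number-generator` and `enabled-algorithms`; the test named "parse these extra Netty config elements" therefore partly duplicates RemoteConfigSpec's new ssl test and no longer shows the store keys parsing from inline config. Either keep the store keys in the inline block or restrict the assertions to the two keys the spec supplies. The test body continues past the hunk, so further assertions may be affected in the same way.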
|
||||
|
|
|
|||