Restore ssl settings in reference.conf, see #3022

* Cleanup and addition of configuration tests for remote settings

akka-docs/rst/java/remoting.rst

@@ -316,7 +316,7 @@ An example of setting up the default Netty based SSL driver as default::
     remote {
       enabled-transports = [akka.remote.netty.ssl]
 
-      netty.ssl {
+      netty.ssl.security {
         key-store = "mykeystore"
         trust-store = "mytruststore"
         key-store-password = "changeme"
@@ -324,7 +324,6 @@ An example of setting up the default Netty based SSL driver as default::
         protocol = "TLSv1"
         random-number-generator = "AES128CounterSecureRNG"
         enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
-        sha1prng-random-source = "/dev/./urandom"
       }
     }
   }

akka-docs/rst/scala/remoting.rst

@@ -318,7 +318,7 @@ An example of setting up the default Netty based SSL driver as default::
     remote {
       enabled-transports = [akka.remote.netty.ssl]
 
-      netty.ssl {
+      netty.ssl.security {
         key-store = "mykeystore"
         trust-store = "mytruststore"
         key-store-password = "changeme"
@@ -326,7 +326,6 @@ An example of setting up the default Netty based SSL driver as default::
         protocol = "TLSv1"
         random-number-generator = "AES128CounterSecureRNG"
         enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
-        sha1prng-random-source = "/dev/./urandom"
       }
     }
   }

akka-remote/src/main/resources/reference.conf

@@ -301,6 +301,8 @@ akka {
         # Max number of threads to cap factor-based number to
         pool-size-max = 8
       }
+
+
     }
 
     netty.udp = ${akka.remote.netty.tcp}
@@ -310,7 +312,52 @@ akka {
 
     netty.ssl = ${akka.remote.netty.tcp}
     netty.ssl = {
+      # Enable SSL/TLS encryption.
+      # This must be enabled on both the client and server to work.
       enable-ssl = true
+
+      security {
+        # This is the Java Key Store used by the server connection
+        key-store = "keystore"
+
+        # This password is used for decrypting the key store
+        key-store-password = "changeme"
+
+        # This is the Java Key Store used by the client connection
+        trust-store = "truststore"
+
+        # This password is used for decrypting the trust store
+        trust-store-password = "changeme"
+
+        # Protocol to use for SSL encryption, choose from:
+        # Java 6 & 7:
+        #   'SSLv3', 'TLSv1'
+        # Java 7:
+        #   'TLSv1.1', 'TLSv1.2'
+        protocol = "TLSv1"
+
+        # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+        # You need to install the JCE Unlimited Strength Jurisdiction Policy
+        # Files to use AES 256.
+        # More info here:
+        # http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
+        enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+
+        # There are three options, in increasing order of security:
+        # "" or SecureRandom => (default)
+        # "SHA1PRNG" => Can be slow because of blocking issues on Linux
+        # "AES128CounterSecureRNG" => fastest startup and based on AES encryption
+        # algorithm
+        # "AES256CounterSecureRNG"
+        # The following use one of 3 possible seed sources, depending on
+        # availability: /dev/random, random.org and SecureRandom (provided by Java)
+        # "AES128CounterInetRNG"
+        # "AES256CounterInetRNG" (Install JCE Unlimited Strength Jurisdiction
+        # Policy Files first)
+        # Setting a value here may require you to supply the appropriate cipher
+        # suite (see enabled-algorithms section above)
+        random-number-generator = ""
+      }
     }
 
   }

akka-remote/src/main/scala/akka/remote/transport/netty/NettySSLSupport.scala

@@ -36,13 +36,13 @@ private[akka] class SSLSettings(config: Config) {
 
   // FIXME: Change messages to reflect new configuration
   if (SSLProtocol.isEmpty) throw new ConfigurationException(
-    "Configuration option 'akka.remote.netty.ssl.enable is turned on but no protocol is defined in 'akka.remote.netty.ssl.protocol'.")
+    "Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no protocol is defined in 'akka.remote.netty.ssl.security.protocol'.")
   if (SSLKeyStore.isEmpty && SSLTrustStore.isEmpty) throw new ConfigurationException(
-    "Configuration option 'akka.remote.netty.ssl.enable is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.key-store' / 'akka.remote.netty.ssl.trust-store'.")
+    "Configuration option 'akka.remote.netty.ssl.enable-ssl is turned on but no key/trust store is defined in 'akka.remote.netty.ssl.security.key-store' / 'akka.remote.netty.ssl.security.trust-store'.")
   if (SSLKeyStore.isDefined && SSLKeyStorePassword.isEmpty) throw new ConfigurationException(
-    "Configuration option 'akka.remote.netty.ssl.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.key-store-password'.")
+    "Configuration option 'akka.remote.netty.ssl.security.key-store' is defined but no key-store password is defined in 'akka.remote.netty.ssl.security.key-store-password'.")
   if (SSLTrustStore.isDefined && SSLTrustStorePassword.isEmpty) throw new ConfigurationException(
-    "Configuration option 'akka.remote.netty.ssl.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.trust-store-password'.")
+    "Configuration option 'akka.remote.netty.ssl.security.trust-store' is defined but no trust-store password is defined in 'akka.remote.netty.ssl.security.trust-store-password'.")
 }
 
 /**

akka-remote/src/main/scala/akka/remote/transport/netty/NettyTransport.scala

@@ -110,7 +110,7 @@ class NettyTransportSettings(config: Config) {
   @deprecated("WARNING: This should only be used by professionals.", "2.0")
   val PortSelector: Int = getInt("port")
 
-  val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("ssl"))) else None
+  val SslSettings: Option[SSLSettings] = if (EnableSsl) Some(new SSLSettings(config.getConfig("security"))) else None
 
   val ServerSocketWorkerPoolSize: Int = computeWPS(config.getConfig("server-socket-worker-pool"))
 

akka-remote/src/test/scala/akka/remote/RemoteConfigSpec.scala

@@ -4,12 +4,12 @@
 package akka.remote
 
 import language.postfixOps
-
 import akka.testkit.AkkaSpec
 import akka.actor.ExtendedActorSystem
 import scala.concurrent.duration._
 import akka.remote.transport.AkkaProtocolSettings
 import akka.util.{ Timeout, Helpers }
+import akka.remote.transport.netty.SSLSettings
 
 @org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
 class RemoteConfigSpec extends AkkaSpec(
@@ -59,13 +59,41 @@ class RemoteConfigSpec extends AkkaSpec(
 
     }
 
-    "contain correct configuration values in reference.conf" ignore {
+    "contain correct configuration values in reference.conf" in {
+      val remoteSettings = RARP(system).provider.remoteSettings
+      import remoteSettings._
+
+      LogReceive must be(false)
+      LogSend must be(false)
+      UntrustedMode must be(false)
+      LogRemoteLifecycleEvents must be(false)
+      ShutdownTimeout.duration must be(10 seconds)
+      FlushWait must be(2 seconds)
+      StartupTimeout.duration must be(10 seconds)
+      RetryGateClosedFor must be(Duration.Zero)
+      UnknownAddressGateClosedFor must be(1 minute)
+      UsePassiveConnections must be(true)
+      MaximumRetriesInWindow must be(5)
+      RetryWindow must be(3 seconds)
+      BackoffPeriod must be(10 millis)
+      CommandAckTimeout.duration must be(30 seconds)
+      Transports.size must be(1)
+      Transports.head._1 must be(classOf[akka.remote.transport.netty.NettyTransport].getName)
+      Transports.head._2 must be(Nil)
+      Adapters must be(Map(
+        "gremlin" -> classOf[akka.remote.transport.FailureInjectorProvider].getName,
+        "trttl" -> classOf[akka.remote.transport.ThrottlerProvider].getName))
+
+    }
+
+    "contain correct socket worker pool configuration values in reference.conf" in {
       val c = RARP(system).provider.remoteSettings.config.getConfig("akka.remote.netty.tcp")
 
       // server-socket-worker-pool
       {
         val pool = c.getConfig("server-socket-worker-pool")
         pool.getInt("pool-size-min") must equal(2)
+
         pool.getDouble("pool-size-factor") must equal(1.0)
         pool.getInt("pool-size-max") must equal(8)
       }
@@ -78,9 +106,17 @@ class RemoteConfigSpec extends AkkaSpec(
         pool.getInt("pool-size-max") must equal(8)
       }
 
-      {
+    }
-        c.getString("reuse-address") must be("off-for-windows")
+
-      }
+    "contain correct ssl configuration values in reference.conf" in {
+      val sslSettings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
+      sslSettings.SSLKeyStore must be(Some("keystore"))
+      sslSettings.SSLKeyStorePassword must be(Some("changeme"))
+      sslSettings.SSLTrustStore must be(Some("truststore"))
+      sslSettings.SSLTrustStorePassword must be(Some("changeme"))
+      sslSettings.SSLProtocol must be(Some("TLSv1"))
+      sslSettings.SSLEnabledAlgorithms must be(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
+      sslSettings.SSLRandomNumberGenerator must be(None)
     }
   }
 }

akka-remote/src/test/scala/akka/remote/RemotingSpec.scala

@@ -70,7 +70,7 @@ object RemotingSpec {
       remote.netty.udp.hostname = "localhost"
       remote.netty.ssl.port = 0
       remote.netty.ssl.hostname = "localhost"
-      remote.netty.ssl.ssl = ${common-ssl-settings}
+      remote.netty.ssl.security = ${common-ssl-settings}
 
       remote.test {
           transport-class = "akka.remote.transport.TestTransport"

akka-remote/src/test/scala/akka/remote/Ticket1978CommunicationSpec.scala

@@ -39,7 +39,7 @@ object Configuration {
       remote.netty.ssl {
         hostname = localhost
         port = %d
-        ssl {
+        security {
           enable = on
           trust-store = "%s"
           key-store = "%s"
@@ -61,7 +61,7 @@ object Configuration {
       //if (true) throw new IllegalArgumentException("Ticket1978*Spec isn't enabled")
 
       val config = ConfigFactory.parseString(conf.format(localPort, trustStore, keyStore, cipher, enabled.mkString(", ")))
-      val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.ssl")
+      val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.security")
       val settings = new SSLSettings(fullConfig)
 
       val rng = NettySSLSupport.initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, NoLogging)

akka-remote/src/test/scala/akka/remote/Ticket1978ConfigSpec.scala

@@ -8,22 +8,15 @@ import java.util.ArrayList
 import akka.remote.transport.netty.SSLSettings
 
 @org.junit.runner.RunWith(classOf[org.scalatest.junit.JUnitRunner])
-class Ticket1978ConfigSpec extends AkkaSpec with ImplicitSender with DefaultTimeout {
+class Ticket1978ConfigSpec extends AkkaSpec("""
-
+    akka.remote.netty.ssl.security {
-  val cfg = ConfigFactory.parseString("""
-    ssl-settings {
-      key-store = "keystore"
-      trust-store = "truststore"
-      key-store-password = "changeme"
-      trust-store-password = "changeme"
-      protocol = "TLSv1"
       random-number-generator = "AES128CounterSecureRNG"
-      enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
+    }
-    }""")
+    """) with ImplicitSender with DefaultTimeout {
 
   "SSL Remoting" must {
     "be able to parse these extra Netty config elements" in {
-      val settings = new SSLSettings(cfg.getConfig("ssl-settings"))
+      val settings = new SSLSettings(system.settings.config.getConfig("akka.remote.netty.ssl.security"))
 
       settings.SSLKeyStore must be(Some("keystore"))
       settings.SSLKeyStorePassword must be(Some("changeme"))