We can't set the SHA1PRNG random source reliably from within Akka. See #2977
This commit is contained in:
parent
a31d98340f
commit
a54659e5b4
4 changed files with 4 additions and 21 deletions
@ -29,8 +29,6 @@ private[akka] class SSLSettings(config: Config) {
val SSLProtocol = Option(getString("protocol")).filter(_.length > 0)
val SSLProtocol = Option(getString("protocol")).filter(_.length > 0)
val SSLRandomSource = Option(getString("sha1prng-random-source")).filter(_.length > 0)
val SSLRandomNumberGenerator = Option(getString("random-number-generator")).filter(_.length > 0)
val SSLRandomNumberGenerator = Option(getString("random-number-generator")).filter(_.length > 0)
// FIXME: Change messages to reflect new configuration
// FIXME: Change messages to reflect new configuration
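Review bot: Dropping `val SSLRandomSource` (the `sha1prng-random-source` line) retires a user-facing configuration key with no warning path, so a deployment that still sets `sha1prng-random-source` will have it silently ignored rather than be told that the entropy source is now outside Akka's control. If the key is still declared in the library's default configuration (not part of this diff, so I cannot confirm), it should go as well, or `SSLSettings` should log when the obsolete key is present; the untouched `// FIXME: Change messages to reflect new configuration` context line suggests that messaging was already pending. The `SSLSettings` class body continues outside this hunk.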
@ -58,17 +56,7 @@ private[akka] object NettySSLSupport {
def apply(settings: SSLSettings, log: LoggingAdapter, isClient: Boolean): SslHandler =
def apply(settings: SSLSettings, log: LoggingAdapter, isClient: Boolean): SslHandler =
if (isClient) initializeClientSSL(settings, log) else initializeServerSSL(settings, log)
if (isClient) initializeClientSSL(settings, log) else initializeServerSSL(settings, log)
def initializeCustomSecureRandom(rngName: Option[String], sourceOfRandomness: Option[String], log: LoggingAdapter): SecureRandom = {
def initializeCustomSecureRandom(rngName: Option[String], log: LoggingAdapter): SecureRandom = {
/**
* According to this bug report: http://bugs.sun.com/view_bug.do?bug_id=6202721
* Using /dev/./urandom is only necessary when using SHA1PRNG on Linux
* <quote>Use 'new SecureRandom()' instead of 'SecureRandom.getInstance("SHA1PRNG")'</quote> to avoid having problems
*/
sourceOfRandomness foreach { path ⇒
System.setProperty("java.security.egd", path)
System.setProperty("securerandom.source", path)
}
val rng = rngName match {
val rng = rngName match {
case Some(r @ ("AES128CounterSecureRNG" | "AES256CounterSecureRNG" | "AES128CounterInetRNG" | "AES256CounterInetRNG")) ⇒
case Some(r @ ("AES128CounterSecureRNG" | "AES256CounterSecureRNG" | "AES128CounterInetRNG" | "AES256CounterInetRNG")) ⇒
log.debug("SSL random number generator set to: {}", r)
log.debug("SSL random number generator set to: {}", r)
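Review bot: The new two-argument `initializeCustomSecureRandom` loses its Scaladoc together with the `java.security.egd` / `securerandom.source` assignments, so the new code no longer records why the entropy source is not configurable here. A Scaladoc on the new signature should state that Akka no longer sets the random source (see #2977), that with `SHA1PRNG` the entropy comes from whatever the JVM's `java.security.egd` property and security configuration already provide and must therefore be arranged by the operator, and it should keep the `http://bugs.sun.com/view_bug.do?bug_id=6202721` reference from the removed comment. The `rngName match` runs past the end of this hunk, so I cannot see whether a `SHA1PRNG` branch remains; if it does, that branch is the natural place for the same note.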
@ -94,7 +82,7 @@ private[akka] object NettySSLSupport {
def constructClientContext(settings: SSLSettings, log: LoggingAdapter, trustStorePath: String, trustStorePassword: String, protocol: String): Option[SSLContext] =
def constructClientContext(settings: SSLSettings, log: LoggingAdapter, trustStorePath: String, trustStorePassword: String, protocol: String): Option[SSLContext] =
try {
try {
val rng = initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, settings.SSLRandomSource, log)
val rng = initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, log)
val trustManagers: Array[TrustManager] = {
val trustManagers: Array[TrustManager] = {
val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
trustManagerFactory.init({
trustManagerFactory.init({
@ -143,7 +131,7 @@ private[akka] object NettySSLSupport {
def constructServerContext(settings: SSLSettings, log: LoggingAdapter, keyStorePath: String, keyStorePassword: String, protocol: String): Option[SSLContext] =
def constructServerContext(settings: SSLSettings, log: LoggingAdapter, keyStorePath: String, keyStorePassword: String, protocol: String): Option[SSLContext] =
try {
try {
val rng = initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, settings.SSLRandomSource, log)
val rng = initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, log)
val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
factory.init({
factory.init({
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
@ -48,7 +48,6 @@ object RemotingSpec {
protocol = "TLSv1"
protocol = "TLSv1"
random-number-generator = "AES128CounterSecureRNG"
random-number-generator = "AES128CounterSecureRNG"
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
sha1prng-random-source = "/dev/./urandom"
}
}
akka {
akka {
@ -48,7 +48,6 @@ object Configuration {
protocol = "TLSv1"
protocol = "TLSv1"
random-number-generator = "%s"
random-number-generator = "%s"
enabled-algorithms = [%s]
enabled-algorithms = [%s]
sha1prng-random-source = "/dev/./urandom"
}
}
}
}
}
}
@ -65,8 +64,7 @@ object Configuration {
val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.ssl")
val fullConfig = config.withFallback(AkkaSpec.testConf).withFallback(ConfigFactory.load).getConfig("akka.remote.netty.ssl.ssl")
val settings = new SSLSettings(fullConfig)
val settings = new SSLSettings(fullConfig)
val rng = NettySSLSupport.initializeCustomSecureRandom(settings.SSLRandomNumberGenerator,
val rng = NettySSLSupport.initializeCustomSecureRandom(settings.SSLRandomNumberGenerator, NoLogging)
settings.SSLRandomSource, NoLogging)
rng.nextInt() // Has to work
rng.nextInt() // Has to work
settings.SSLRandomNumberGenerator foreach {
settings.SSLRandomNumberGenerator foreach {
@ -19,7 +19,6 @@ class Ticket1978ConfigSpec extends AkkaSpec with ImplicitSender with DefaultTime
protocol = "TLSv1"
protocol = "TLSv1"
random-number-generator = "AES128CounterSecureRNG"
random-number-generator = "AES128CounterSecureRNG"
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
enabled-algorithms = [TLS_RSA_WITH_AES_128_CBC_SHA]
sha1prng-random-source = "/dev/./urandom"
}""")
}""")
"SSL Remoting" must {
"SSL Remoting" must {
@ -32,7 +31,6 @@ class Ticket1978ConfigSpec extends AkkaSpec with ImplicitSender with DefaultTime
settings.SSLTrustStorePassword must be(Some("changeme"))
settings.SSLTrustStorePassword must be(Some("changeme"))
settings.SSLProtocol must be(Some("TLSv1"))
settings.SSLProtocol must be(Some("TLSv1"))
settings.SSLEnabledAlgorithms must be(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
settings.SSLEnabledAlgorithms must be(Set("TLS_RSA_WITH_AES_128_CBC_SHA"))
settings.SSLRandomSource must be(Some("/dev/./urandom"))
settings.SSLRandomNumberGenerator must be(Some("AES128CounterSecureRNG"))
settings.SSLRandomNumberGenerator must be(Some("AES128CounterSecureRNG"))
}
}
}
}