fix fabric8io#5125 allowing for TLS 1.3 only support

shawkins · May 15, 2023 · 249e777 · 249e777
1 parent 8cf4804
commit 249e777
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,8 @@
 ### 6.7-SNAPSHOT
 
 #### Bugs
-Fix #5121: RequestConfig is propagated to derived HttpClient instances
+* Fix #5121: RequestConfig is propagated to derived HttpClient instances
+* Fix #5125: TLS 1.3 only should be supported
 
 #### Improvements
 
@@ -12,6 +13,7 @@ Fix #5121: RequestConfig is propagated to derived HttpClient instances
 #### New Features
 
 #### _**Note**_: Breaking changes
+* Fix #5125: usage of TlsVersion.TLS_1_1, TLS_1_0, and SSL_3_0 have been deprecated
 
 ### 6.6.1 (2023-05-11)
 

diff --git a/...client-vertx/src/main/java/io/fabric8/kubernetes/client/vertx/VertxHttpClientBuilder.java b/...client-vertx/src/main/java/io/fabric8/kubernetes/client/vertx/VertxHttpClientBuilder.java
@@ -29,6 +29,8 @@
 import io.vertx.core.spi.tls.SslContextFactory;
 import io.vertx.ext.web.client.WebClientOptions;
 
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Stream;
 
@@ -77,8 +79,12 @@ public VertxHttpClient<F> build() {
       options.setProxyOptions(proxyOptions);
     }
 
+    final String[] protocols;
     if (tlsVersions != null && tlsVersions.length > 0) {
-      Stream.of(tlsVersions).map(TlsVersion::javaName).forEach(options::addEnabledSecureTransportProtocol);
+      protocols = Stream.of(tlsVersions).map(TlsVersion::javaName).toArray(String[]::new);
+      options.setEnabledSecureTransportProtocols(new HashSet<>(Arrays.asList(protocols)));
+    } else {
+      protocols = null;
     }
 
     if (this.preferHttp11) {
@@ -102,7 +108,7 @@ public SslContextFactory sslContextFactory() {
               IdentityCipherSuiteFilter.INSTANCE,
               ApplicationProtocolConfig.DISABLED,
               io.netty.handler.ssl.ClientAuth.NONE,
-              null,
+              protocols,
               false);
         }
       });

diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/Config.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/Config.java
@@ -218,7 +218,7 @@ public class Config {
   private String proxyPassword;
   private String[] noProxy;
   private String userAgent = "fabric8-kubernetes-client/" + Version.clientVersion();
-  private TlsVersion[] tlsVersions = new TlsVersion[] { TlsVersion.TLS_1_2 };
+  private TlsVersion[] tlsVersions = new TlsVersion[] { TlsVersion.TLS_1_3, TlsVersion.TLS_1_2 };
 
   private Map<Integer, String> errorMessages = new HashMap<>();
 

diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/http/TlsVersion.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/http/TlsVersion.java
@@ -18,15 +18,19 @@
 
 /**
  * TODO: determine if java names should be used here as well or instead
- * 
+ *
  * Replacement for okhttp3.TlsVersion
  */
 public enum TlsVersion {
 
+  // these need to be kept in preference order
   TLS_1_3("TLSv1.3"),
   TLS_1_2("TLSv1.2"),
+  @Deprecated
   TLS_1_1("TLSv1.1"),
+  @Deprecated
   TLS_1_0("TLSv1"),
+  @Deprecated
   SSL_3_0("SSLv3"),
   ;
 

diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/SSLUtils.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/SSLUtils.java
@@ -17,6 +17,7 @@
 
 import io.fabric8.kubernetes.client.Config;
 import io.fabric8.kubernetes.client.KubernetesClientException;
+import io.fabric8.kubernetes.client.http.TlsVersion;
 import io.fabric8.kubernetes.client.utils.Utils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -83,11 +84,30 @@ public static SSLContext sslContext(Config config) throws CertificateException,
   }
 
   public static SSLContext sslContext(KeyManager[] keyManagers, TrustManager[] trustManagers) {
+    SSLContext sslContext = null;
+    NoSuchAlgorithmException noSuch = null;
+    // v1.3 is not supported on all vms, and of course there may be later versions added.
+    // so try to find one starting with the latest
+    for (TlsVersion version : TlsVersion.values()) {
+      try {
+        sslContext = SSLContext.getInstance(version.javaName());
+        break;
+      } catch (NoSuchAlgorithmException e) {
+        if (noSuch == null) {
+          noSuch = e;
+        }
+        continue;
+      }
+    }
+
+    if (sslContext == null) {
+      throw KubernetesClientException.launderThrowable(noSuch);
+    }
+
     try {
-      SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
       sslContext.init(keyManagers, trustManagers, new SecureRandom());
       return sslContext;
-    } catch (KeyManagementException | NoSuchAlgorithmException e) {
+    } catch (KeyManagementException e) {
       throw KubernetesClientException.launderThrowable(e);
     }
   }

diff --git a/kubernetes-client-api/src/test/java/io/fabric8/kubernetes/client/ConfigTest.java b/kubernetes-client-api/src/test/java/io/fabric8/kubernetes/client/ConfigTest.java
@@ -600,7 +600,7 @@ void testEmptyConfig() {
     assertTrue(emptyConfig.getImpersonateExtras().isEmpty());
     assertEquals(0, emptyConfig.getImpersonateGroups().length);
     assertFalse(emptyConfig.isHttp2Disable());
-    assertEquals(1, emptyConfig.getTlsVersions().length);
+    assertEquals(2, emptyConfig.getTlsVersions().length);
     assertTrue(emptyConfig.getErrorMessages().isEmpty());
     assertNotNull(emptyConfig.getUserAgent());
   }