use of org.graylog2.configuration.TLSProtocolsConfiguration in project graylog2-server by Graylog2.
the class UnboundLDAPConnectorTest method setUp.
@Before
public void setUp() throws Exception {
    final LdapServer embedded = getLdapServer();

    // The connector under test does not depend on the config, so it is built first.
    connector = new UnboundLDAPConnector(
            10000,
            new TLSProtocolsConfiguration(),
            mock(TrustManagerProvider.class),
            encryptedValueService);

    // Two server entries: the first points at a local port with no LDAP listener,
    // the second at the embedded test server. The order is deliberate — presumably
    // the connector is expected to move past the failing entry to the working one.
    final LDAPConnectorConfig.LDAPServer dead = LDAPConnectorConfig.LDAPServer.create("localhost", 9);
    final LDAPConnectorConfig.LDAPServer live = LDAPConnectorConfig.LDAPServer.create("localhost", embedded.getPort());

    // Plaintext transport with certificate verification switched off is acceptable
    // only because this talks to the in-process test server, never a real directory.
    final LDAPConnectorConfig connectorConfig = LDAPConnectorConfig.builder()
            .systemUsername(ADMIN_DN)
            .systemPassword(encryptedValueService.encrypt(ADMIN_PASSWORD))
            .transportSecurity(LDAPTransportSecurity.NONE)
            .verifyCertificates(false)
            .serverList(ImmutableList.of(dead, live))
            .build();

    connection = connector.connect(connectorConfig);
}
use of org.graylog2.configuration.TLSProtocolsConfiguration in project graylog2-server by Graylog2.
the class CmdLineTool method applySecuritySettings.
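/**
 * Hardens the JVM-wide TLS defaults before any {@code SSLContext} is initialised.
 * <p>
 * Sets a conservative ephemeral DH key size and forbids client-initiated
 * renegotiation (only where the operator has not already set those system
 * properties), adjusts the {@code jdk.tls.disabledAlgorithms} security property
 * depending on which TLS protocols are configured, and registers Bouncy Castle
 * as a security provider.
 * <p>
 * Behaviour of the disabled-algorithms filter:
 * <ul>
 *   <li>If no legacy protocol (TLSv1, TLSv1.1) is configured and the protocol
 *       set is non-empty, {@code CBC} and {@code 3DES} are appended to the filter.</li>
 *   <li>If the protocol set is empty or names a legacy protocol, the matching
 *       protocol entries are removed from the filter so the JVM will negotiate
 *       them again; {@code CBC}/{@code 3DES} are left at the JDK default in that case.</li>
 * </ul>
 *
 * @param configuration the TLS protocol configuration read from the config file;
 *                      {@code getConfiguredTlsProtocols()} drives the filter update
 */
protected static void applySecuritySettings(TLSProtocolsConfiguration configuration) {
    // Disable insecure TLS parameters and ciphers by default.
    // Prevent attacks like LOGJAM, LUCKY13, et al.
    setSystemPropertyIfEmpty("jdk.tls.ephemeralDHKeySize", "2048");
    setSystemPropertyIfEmpty("jdk.tls.rejectClientInitiatedRenegotiation", "true");

    final Set<String> tlsProtocols = configuration.getConfiguredTlsProtocols();

    // Security.getProperty() returns null when the property is missing from
    // java.security; treat that as an empty filter rather than failing with an NPE.
    final String currentFilter = Security.getProperty("jdk.tls.disabledAlgorithms");
    final List<String> disabledAlgorithms = Stream.of((currentFilter == null ? "" : currentFilter).split(","))
            .map(String::trim)
            .collect(Collectors.toList());

    // c.f. https://github.com/Graylog2/graylog2-server/issues/10944
    final boolean legacyProtocolsWanted = tlsProtocols != null
            && (tlsProtocols.isEmpty() || tlsProtocols.contains("TLSv1") || tlsProtocols.contains("TLSv1.1"));

    if (!legacyProtocolsWanted) {
        // Build a fresh list instead of mutating the collected one: Collectors.toList()
        // gives no guarantee that the returned list is modifiable.
        final List<String> hardened = Stream.concat(disabledAlgorithms.stream(), Stream.of("CBC", "3DES"))
                .collect(Collectors.toList());
        Security.setProperty("jdk.tls.disabledAlgorithms", Strings.join(hardened, ", "));
    } else {
        // Remove explicitly enabled legacy TLS protocols from the disabledAlgorithms filter.
        // An empty protocol set means "everything", so both legacy versions are re-enabled.
        final Set<String> reEnabledTLSProtocols = tlsProtocols.isEmpty()
                ? ImmutableSet.of("TLSv1", "TLSv1.1")
                : tlsProtocols;
        final List<String> updatedProperties = disabledAlgorithms.stream()
                .filter(p -> !reEnabledTLSProtocols.contains(p))
                .collect(Collectors.toList());
        Security.setProperty("jdk.tls.disabledAlgorithms", Strings.join(updatedProperties, ", "));
    }

    // Explicitly register Bouncy Castle as security provider.
    // This allows us to use more key formats than with JCE
    Security.addProvider(new BouncyCastleProvider());
}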
use of org.graylog2.configuration.TLSProtocolsConfiguration in project graylog2-server by Graylog2.
the class CmdLineTool method parseAndGetTLSConfiguration.
/**
 * Reads only the {@link TLSProtocolsConfiguration} bean from the configuration
 * repositories. Nothing else is parsed here on purpose, to avoid triggering
 * anything that might initialize the default SSLContext before the TLS settings
 * derived from this bean are in place.
 *
 * @return the populated TLS protocol configuration
 */
private TLSProtocolsConfiguration parseAndGetTLSConfiguration() {
    final TLSProtocolsConfiguration tlsProtocols = new TLSProtocolsConfiguration();

    final JadConfig config = new JadConfig();
    config.setRepositories(getConfigRepositories(configFile));
    config.addConfigurationBean(tlsProtocols);
    processConfiguration(config);

    return tlsProtocols;
}