ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-06-16 22:28:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Supported TLS cipher suites (#2005)

Browse Source
This commit is contained in:
Konstantinos Chalkias
2017-11-07 10:05:51 +00:00
committed by GitHub
parent a4be26a296
commit 7944fcde5c
1 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
node-api/src/main/kotlin/net/corda/nodeapi/ArtemisTcpTransport.kt
View File

@ -6,7 +6,6 @@ import net.corda.nodeapi.config.SSLConfiguration
import org.apache.activemq.artemis.api.core.TransportConfiguration import org.apache.activemq.artemis.api.core.TransportConfiguration
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants
import org.bouncycastle.asn1.x500.X500Name
sealed class ConnectionDirection { sealed class ConnectionDirection {
data class Inbound(val acceptorFactoryClassName: String) : ConnectionDirection() data class Inbound(val acceptorFactoryClassName: String) : ConnectionDirection()
@ -20,17 +19,18 @@ class ArtemisTcpTransport {
companion object { companion object {
const val VERIFY_PEER_LEGAL_NAME = "corda.verifyPeerCommonName" const val VERIFY_PEER_LEGAL_NAME = "corda.verifyPeerCommonName"
// Restrict enabled Cipher Suites to AES and GCM as minimum for the bulk cipher. // Restrict enabled TLS cipher suites to:
// Our self-generated certificates all use ECDSA for handshakes, but we allow classical RSA certificates to work // AES128 using Galois/Counter Mode (GCM) for the block cipher being used to encrypt the message stream.
// in case we need to use keytool certificates in some demos // SHA256 as message authentication algorithm.
// ECDHE as key exchange algorithm. DHE is also supported if one wants to completely avoid the use of ECC for TLS.
// ECDSA and RSA for digital signatures. Our self-generated certificates all use ECDSA for handshakes,
// but we allow classical RSA certificates to work in case:
// a) we need to use keytool certificates in some demos,
// b) we use cloud providers or HSMs that do not support ECC.
private val CIPHER_SUITES = listOf( private val CIPHER_SUITES = listOf(
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
) )
fun tcpTransport( fun tcpTransport(
@ -40,14 +40,14 @@ class ArtemisTcpTransport {
enableSSL: Boolean = true enableSSL: Boolean = true
): TransportConfiguration { ): TransportConfiguration {
val options = mutableMapOf<String, Any?>( val options = mutableMapOf<String, Any?>(
// Basic TCP target details // Basic TCP target details.
TransportConstants.HOST_PROP_NAME to hostAndPort.host, TransportConstants.HOST_PROP_NAME to hostAndPort.host,
TransportConstants.PORT_PROP_NAME to hostAndPort.port, TransportConstants.PORT_PROP_NAME to hostAndPort.port,
// Turn on AMQP support, which needs the protocol jar on the classpath. // Turn on AMQP support, which needs the protocol jar on the classpath.
// Unfortunately we cannot disable core protocol as artemis only uses AMQP for interop // Unfortunately we cannot disable core protocol as artemis only uses AMQP for interop.
// It does not use AMQP messages for its own messages e.g. topology and heartbeats // It does not use AMQP messages for its own messages e.g. topology and heartbeats.
// TODO further investigate how to ensure we use a well defined wire level protocol for Node to Node communications // TODO further investigate how to ensure we use a well defined wire level protocol for Node to Node communications.
TransportConstants.PROTOCOLS_PROP_NAME to "CORE,AMQP" TransportConstants.PROTOCOLS_PROP_NAME to "CORE,AMQP"
) )
@ -56,11 +56,11 @@ class ArtemisTcpTransport {
config.trustStoreFile.requireOnDefaultFileSystem() config.trustStoreFile.requireOnDefaultFileSystem()
val tlsOptions = mapOf( val tlsOptions = mapOf(
// Enable TLS transport layer with client certs and restrict to at least SHA256 in handshake // Enable TLS transport layer with client certs and restrict to at least SHA256 in handshake
// and AES encryption // and AES encryption.
TransportConstants.SSL_ENABLED_PROP_NAME to true, TransportConstants.SSL_ENABLED_PROP_NAME to true,
TransportConstants.KEYSTORE_PROVIDER_PROP_NAME to "JKS", TransportConstants.KEYSTORE_PROVIDER_PROP_NAME to "JKS",
TransportConstants.KEYSTORE_PATH_PROP_NAME to config.sslKeystore, TransportConstants.KEYSTORE_PATH_PROP_NAME to config.sslKeystore,
TransportConstants.KEYSTORE_PASSWORD_PROP_NAME to config.keyStorePassword, // TODO proper management of keystores and password TransportConstants.KEYSTORE_PASSWORD_PROP_NAME to config.keyStorePassword, // TODO proper management of keystores and password.
TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME to "JKS", TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME to "JKS",
TransportConstants.TRUSTSTORE_PATH_PROP_NAME to config.trustStoreFile, TransportConstants.TRUSTSTORE_PATH_PROP_NAME to config.trustStoreFile,
TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME to config.trustStorePassword, TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME to config.trustStorePassword,