Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-28122

TLSv1.3-compatible cipher suites are not used by default

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.5.5, 3.0.0
    • 2.6.0, 3.0.0-beta-1
    • None
    • None
    • Reviewed

    Description

      The X509Util class has a system for choosing the cipher suites to support on TLS connections, if hbase.rpc.tls.ciphersuites is not provided. It also allows you choose what protocol you want via the hbase.rpc.tls.enabledProtocols config. If hbase.rpc.tls.enabledProtocols is set to TLSv1.3, and hbase.rpc.tls.ciphersuites is not set, the user of X509Util cannot form any working TLS connections.

      This is because all the cipher suites chosen by X509Utils are pre-TLSv1.3 suites, and so are rejected during connection handshakes. TLSv1.3 requires or suggests support for these suites, none of which are shared in common with TLSv1.2:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256

      Of these, the intersection of BoringSSL and Java 11+ support TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384, so those should be added to the defaults in X509Util. BoringSSL and the JVM are the two crypto providers used here.
       

      Attachments

        Issue Links

          Activity

            People

              charlesconnell Charles Connell
              charlesconnell Charles Connell
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: