[ISSUE #9769] Add tls.ciphers and tls.protocols in system properties (#9770)

Author: carlvine500

docs/cn/Configuration_TLS.md

@@ -52,6 +52,10 @@ tls.server.certPath=/opt/certFiles/server.pem
 tls.server.authClient=false
 # The store path of trusted certificates for verifying the client endpoint's certificate
 tls.server.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+# tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
 ```
 
 如果需要客户端连接时也进行认证，则还需要在该文件中增加以下内容
@@ -66,6 +70,10 @@ tls.client.certPath=/opt/certFiles/client.pem
 tls.client.authServer=false                    
 # The store path of trusted certificates for verifying the server endpoint's certificate
 tls.client.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+# tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
 ```
 
 
@@ -96,6 +104,10 @@ tls.client.keyPassword=123456
 tls.client.certPath=/opt/certFiles/client.pem               
 # The store path of trusted certificates for verifying the server endpoint's certificate
 tls.client.trustCertPath=/opt/certFiles/ca.pem
+# The ciphers in TLS
+# tls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+# The protocols in TLS
+# tls.protocols=TLSv1.2,TLSv1.3
 ```
 
 JVM中需要加以下参数.tls.config.file的值需要使用之前创建的文件：

proxy/src/main/java/org/apache/rocketmq/proxy/remoting/MultiProtocolTlsHelper.java

@@ -94,6 +94,7 @@ public static SslContext buildSslContext() throws IOException, CertificateExcept
             ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
             ApplicationProtocolNames.HTTP_2));
 
+        moreTlsConfig(sslContextBuilder);
         return sslContextBuilder.build();
     }
 

remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java

@@ -29,28 +29,33 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.cert.CertificateException;
+import java.util.Arrays;
 import java.util.Properties;
 import org.apache.rocketmq.common.constant.LoggerName;
 import org.apache.rocketmq.logging.org.slf4j.Logger;
 import org.apache.rocketmq.logging.org.slf4j.LoggerFactory;
 
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CIPHERS;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_AUTHSERVER;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_CERTPATH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPASSWORD;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_KEYPATH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_CLIENT_TRUSTCERTPATH;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_PROTOCOLS;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_AUTHCLIENT;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_CERTPATH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYPASSWORD;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_KEYPATH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_NEED_CLIENT_AUTH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_SERVER_TRUSTCERTPATH;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.TLS_TEST_MODE_ENABLE;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsCiphers;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientAuthServer;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientCertPath;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPassword;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientKeyPath;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsClientTrustCertPath;
+import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsProtocols;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerAuthClient;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerCertPath;
 import static org.apache.rocketmq.remoting.netty.TlsSystemConfig.tlsServerKeyPassword;
@@ -102,15 +107,15 @@ public static SslContext buildSslContext(boolean forClient) throws IOException,
             LOGGER.info("Using JDK SSL provider");
         }
 
+        SslContextBuilder sslContextBuilder = null;
         if (forClient) {
             if (tlsTestModeEnable) {
-                return SslContextBuilder
+                sslContextBuilder = SslContextBuilder
                     .forClient()
                     .sslProvider(SslProvider.JDK)
-                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
-                    .build();
+                    .trustManager(InsecureTrustManagerFactory.INSTANCE);
             } else {
-                SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
+                sslContextBuilder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);
 
 
                 if (!tlsClientAuthServer) {
@@ -121,23 +126,21 @@ public static SslContext buildSslContext(boolean forClient) throws IOException,
                     }
                 }
 
-                return sslContextBuilder.keyManager(
+                sslContextBuilder = sslContextBuilder.keyManager(
                     !isNullOrEmpty(tlsClientCertPath) ? new FileInputStream(tlsClientCertPath) : null,
                     !isNullOrEmpty(tlsClientKeyPath) ? decryptionStrategy.decryptPrivateKey(tlsClientKeyPath, true) : null,
-                    !isNullOrEmpty(tlsClientKeyPassword) ? tlsClientKeyPassword : null)
-                    .build();
+                    !isNullOrEmpty(tlsClientKeyPassword) ? tlsClientKeyPassword : null);
             }
         } else {
 
             if (tlsTestModeEnable) {
                 SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
-                return SslContextBuilder
+                sslContextBuilder = SslContextBuilder
                     .forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey())
                     .sslProvider(provider)
-                    .clientAuth(ClientAuth.OPTIONAL)
-                    .build();
+                    .clientAuth(ClientAuth.OPTIONAL);
             } else {
-                SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(
+                sslContextBuilder = SslContextBuilder.forServer(
                     !isNullOrEmpty(tlsServerCertPath) ? new FileInputStream(tlsServerCertPath) : null,
                     !isNullOrEmpty(tlsServerKeyPath) ? decryptionStrategy.decryptPrivateKey(tlsServerKeyPath, false) : null,
                     !isNullOrEmpty(tlsServerKeyPassword) ? tlsServerKeyPassword : null)
@@ -152,11 +155,20 @@ public static SslContext buildSslContext(boolean forClient) throws IOException,
                 }
 
                 sslContextBuilder.clientAuth(parseClientAuthMode(tlsServerNeedClientAuth));
-                return sslContextBuilder.build();
             }
         }
+        moreTlsConfig(sslContextBuilder);
+        return sslContextBuilder.build();
     }
 
+    protected static void moreTlsConfig(SslContextBuilder sslContextBuilder) {
+        if (tlsCiphers != null) {
+            sslContextBuilder.ciphers(Arrays.asList(tlsCiphers.split(",")));
+        }
+        if (tlsProtocols != null) {
+            sslContextBuilder.protocols(tlsProtocols.split(","));
+        }
+    }
     private static void extractTlsConfigFromFile(final File configFile) {
         if (!(configFile.exists() && configFile.isFile() && configFile.canRead())) {
             LOGGER.info("Tls config file doesn't exist, skip it");
@@ -192,6 +204,9 @@ private static void extractTlsConfigFromFile(final File configFile) {
         tlsClientCertPath = properties.getProperty(TLS_CLIENT_CERTPATH, tlsClientCertPath);
         tlsClientAuthServer = Boolean.parseBoolean(properties.getProperty(TLS_CLIENT_AUTHSERVER, String.valueOf(tlsClientAuthServer)));
         tlsClientTrustCertPath = properties.getProperty(TLS_CLIENT_TRUSTCERTPATH, tlsClientTrustCertPath);
+
+        tlsCiphers = properties.getProperty(TLS_CIPHERS, tlsCiphers);
+        tlsProtocols = properties.getProperty(TLS_PROTOCOLS, tlsProtocols);
     }
 
     private static void logTheFinalUsedTlsConfig() {
@@ -207,6 +222,9 @@ private static void logTheFinalUsedTlsConfig() {
         LOGGER.debug("{} = {}", TLS_CLIENT_CERTPATH, tlsClientCertPath);
         LOGGER.debug("{} = {}", TLS_CLIENT_AUTHSERVER, tlsClientAuthServer);
         LOGGER.debug("{} = {}", TLS_CLIENT_TRUSTCERTPATH, tlsClientTrustCertPath);
+
+        LOGGER.debug("{} = {}", TLS_CIPHERS, tlsCiphers);
+        LOGGER.debug("{} = {}", TLS_PROTOCOLS, tlsProtocols);
     }
 
     private static ClientAuth parseClientAuthMode(String authMode) {

remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java

@@ -39,6 +39,9 @@ public class TlsSystemConfig {
     public static final String TLS_CLIENT_AUTHSERVER = "tls.client.authServer";
     public static final String TLS_CLIENT_TRUSTCERTPATH = "tls.client.trustCertPath";
 
+    public static final String TLS_CIPHERS = "tls.ciphers";
+    public static final String TLS_PROTOCOLS = "tls.protocols";
+
 
     /**
      * To determine whether use SSL in client-side, include SDK client and BrokerOuterAPI
@@ -122,4 +125,22 @@ public class TlsSystemConfig {
      * except {@link TlsSystemConfig#tlsMode} and {@link TlsSystemConfig#tlsEnable}
      */
     public static String tlsConfigFile = System.getProperty(TLS_CONFIG_FILE, "/etc/rocketmq/tls.properties");
+
+    /**
+     * The ciphers to be used in TLS
+     * <ol>
+     *     <li>If null, use the default ciphers</li>
+     *     <li>Otherwise, use the ciphers specified in this string, eg: -Dtls.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li>
+     * </ol>
+     */
+    public static String tlsCiphers = System.getProperty(TLS_CIPHERS, null);
+
+    /**
+     * The protocols to be used in TLS
+     * <ol>
+     *     <li>If null, use the default protocols</li>
+     *     <li>Otherwise, use the protocols specified in this string, eg: -Dtls.protocols=TLSv1.2,TLSv1.3</li>
+     * </ol>
+     */
+    public static String tlsProtocols = System.getProperty(TLS_PROTOCOLS, null);
 }