Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2020/03/06 10:10:39 UTC

[GitHub] [drill] ihuzenko commented on a change in pull request #2012: DRILL-7625: Add options for SslContextFactory

ihuzenko commented on a change in pull request #2012: DRILL-7625: Add options for SslContextFactory
URL: https://github.com/apache/drill/pull/2012#discussion_r388817420
 
 

 ##########
 File path: distribution/src/main/resources/drill-override-example.conf
 ##########
 @@ -113,6 +113,72 @@ drill.exec: {
         # Location to keytab file for above spnego principal
         spnego.keytab: "<keytab_file_location>";
     },
+    jetty: {
+      server: {
+        # Optional params to set on Jetty's org.eclipse.jetty.util.ssl.SslContextFactory when drill.exec.http.ssl_enabled
+        sslContextFactory: {
+          # allows to specify cert to use when multiple non-SNI certificates are available.
+          certAlias: "certAlias",
+          # path to file that contains Certificate Revocation List
+          crlPath: "/etc/file.crl",
+          # enable Certificate Revocation List Distribution Points Support
+          enableCRLDP: false,
+          # enable On-Line Certificate Status Protocol support
+          enableOCSP: false,
+          # when set to "HTTPS" hostname verification will be enabled
+          endpointIdentificationAlgorithm: "HTTPS",
+          # accepts exact cipher suite names and/or regular expressions.
+          excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
+          # list of TLS/SSL protocols to exclude
+          excludeProtocols: ["TLSv1.1"],
+          # accepts exact cipher suite names and/or regular expressions.
+          includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
+          # list of TLS/SSL protocols to include
+          includeProtocols: ["TLSv1.2", "TLSv1.3"],
+          # the algorithm name (default "SunX509") used by the javax.net.ssl.KeyManagerFactory
+          keyManagerFactoryAlgorithm: "SunX509",
+          # classname of custom java.security.Provider implementation
+          keyStoreProvider: "fully.qualified.class.Name",
+          # type of key store (default "JKS")
+          keyStoreType: "JKS",
+          # max number of intermediate certificates in sertificate chain
+          maxCertPathLength: -1,
+          # set true if ssl needs client authentication
+          needClientAuth: false,
+          # location of the OCSP Responder
+          ocspResponderURL: "",
+          # javax.net.ssl.SSLContext provider class name
+          provider: "fully.qualified.class.Name",
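
Review bot: The sample value for includeCipherSuites names two export-grade 40-bit DES suites (SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA and SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA), so anyone who copies this example into drill-override.conf would be opting in to exactly the ciphers that belong on the exclude list. Suggest illustrating the include list with a current suite, for example includeCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], and moving the EXPORT/DES40 names to the excludeCipherSuites sample. Two smaller points in the same hunk: the comment above sslContextFactory stops mid-sentence at "when drill.exec.http.ssl_enabled", and the maxCertPathLength comment spells "certificate" as "sertificate".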
 
 Review comment:
   I don't know which option to set here; it seems that the option allows using a custom implementation of `java.security.Provider` for SSLContext. As mentioned in the comment above `sslContextFactory:`, all the options are optional, and those who will configure them are expected to know what they're doing.
