Posted to issues@drill.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/03/04 18:58:00 UTC

[jira] [Commented] (DRILL-7625) Add options for SslContextFactory

    [ https://issues.apache.org/jira/browse/DRILL-7625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17051530#comment-17051530 ] 

ASF GitHub Bot commented on DRILL-7625:
---------------------------------------

ihuzenko commented on pull request #2012: DRILL-7625: Add options for SslContextFactory
URL: https://github.com/apache/drill/pull/2012
 
 
# [DRILL-7625](https://issues.apache.org/jira/browse/DRILL-7625): Add options for SslContextFactory

## Description

Added the ability to set more options on Jetty's SslContextFactory object and fixed the application of the drill.exec.ssl.protocol setting for the Web UI client.

## Documentation

Users can now provide more granular configuration for the Jetty HTTPS connector. All additional options are listed in drill-override-example.conf in this pull request.

## Testing

Added a unit test.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Add options for SslContextFactory
> ---------------------------------
>
>                 Key: DRILL-7625
>                 URL: https://issues.apache.org/jira/browse/DRILL-7625
>             Project: Apache Drill
>          Issue Type: Sub-task
>    Affects Versions: 1.18.0
>            Reporter: Igor Guzenko
>            Assignee: Igor Guzenko
>            Priority: Major
>
> Purpose of the ticket is to add the following options for Jetty's SSL context factory under
> common options path *drill.exec.http.jetty.server.sslContextFactory*
>  
> {code:none}
>     jetty: {
>       server: {
>         # Optional params to set on Jetty's org.eclipse.jetty.util.ssl.SslContextFactory
>         # when drill.exec.http.ssl_enabled is true
>         sslContextFactory: {
>           # allows specifying the cert to use when multiple non-SNI certificates are available.
>           certAlias: "certAlias",
>
>           # path to the file that contains the Certificate Revocation List
>           crlPath: "/etc/file.crl",
>
>           # enable Certificate Revocation List Distribution Points support
>           enableCRLDP: false,
>           # enable On-Line Certificate Status Protocol support
>           enableOCSP: false,
>           # when set to "HTTPS", hostname verification will be enabled
>           endpointIdentificationAlgorithm: "HTTPS",
>           # accepts exact cipher suite names and/or regular expressions.
>           excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
>           # list of TLS/SSL protocols to exclude
>           excludeProtocols: ["TLSv1.1"],
>           # accepts exact cipher suite names and/or regular expressions.
>           includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
>           # list of TLS/SSL protocols to include
>           includeProtocols: ["TLSv1.2", "TLSv1.3"],
>           # the algorithm name (default "SunX509") used by
>           # the javax.net.ssl.KeyManagerFactory
>           keyManagerFactoryAlgorithm: "SunX509",
>           # class name of a custom java.security.Provider implementation
>           keyStoreProvider: "fully.qualified.class.Name",
>           # type of key store (default "JKS")
>           keyStoreType: "JKS",
>           # max number of intermediate certificates in the certificate chain
>           maxCertPathLength: -1,
>           # set true if SSL needs client authentication
>           needClientAuth: false,
>           # location of the OCSP responder
>           ocspResponderURL: "",
>           # javax.net.ssl.SSLContext provider class name
>           provider: "fully.qualified.class.Name",
>           # whether TLS renegotiation is allowed
>           renegotiationAllowed: false,
>           # number of renegotiations allowed for this connection (-1 for unlimited, default 5).
>           renegotiationLimit: 5,
>           # algorithm name for java.security.SecureRandom instances.
>           secureRandomAlgorithm: "NativePRNG",
>
>           # set the flag to enable SSL session caching
>           sessionCachingEnabled: false,
>
>           # set if you want to bound the session cache size
>           sslSessionCacheSize: -1,
>
>           # session timeout in seconds.
>           sslSessionTimeout: -1,
>
>           # the algorithm name (default "SunX509") used
>           # by the javax.net.ssl.TrustManagerFactory
>           trustManagerFactoryAlgorithm: "SunX509",
>           # provider of the trust store
>           trustStoreProvider: "fully.qualified.class.Name",
>           # type of the trust store (default "JKS")
>           trustStoreType: "JKS",
>           # sets whether the local cipher suite preference should be honored.
>           useCipherSuiteOrder: false,
>           # true if SSL certificates have to be validated
>           validateCerts: false,
>           # true if SSL certificates of the peer have to be validated
>           validatePeerCerts: false,
>           # true if SSL wants client authentication.
>           wantClientAuth: false
>         }
>       }
>     }
> {code}
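As an added example (not Drill's code and not the patch under review), the following Java shows how a HOCON block in the shape quoted above can be read with the Typesafe Config library and applied to a Jetty 9.4 `SslContextFactory.Server`, setting only the keys that are present so Jetty's defaults survive for everything else. The class name, the `arr` helper and the `SAMPLE_CONF` values are constructed for this example; the Jetty setter names are the real ones corresponding to the option keys in the ticket.

```java
import java.util.List;
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SslContextFactoryOptions {
  // Constructed sample using the ticket's option names; the values are an example selection, not the ticket's placeholders.
  static final String SAMPLE_CONF = String.join("\n",
      "drill.exec.http.jetty.server.sslContextFactory {",
      "  includeProtocols = [\"TLSv1.2\", \"TLSv1.3\"]",
      "  excludeProtocols = [\"TLSv1\", \"TLSv1.1\"]",
      "  excludeCipherSuites = [\".*_DES_.*\", \".*EXPORT.*\", \".*_NULL_.*\"]",
      "  useCipherSuiteOrder = true",
      "  renegotiationAllowed = false",
      "  needClientAuth = false",
      "}");

  /** Applies every option present under the ticket's path; absent keys keep Jetty's built-in defaults. */
  static SslContextFactory.Server configure(Config root) {
    Config c = root.getConfig("drill.exec.http.jetty.server.sslContextFactory");
    SslContextFactory.Server ssl = new SslContextFactory.Server();
    if (c.hasPath("crlPath")) ssl.setCrlPath(c.getString("crlPath"));
    if (c.hasPath("enableCRLDP")) ssl.setEnableCRLDP(c.getBoolean("enableCRLDP"));
    if (c.hasPath("enableOCSP")) ssl.setEnableOCSP(c.getBoolean("enableOCSP"));
    if (c.hasPath("ocspResponderURL")) ssl.setOcspResponderURL(c.getString("ocspResponderURL"));
    if (c.hasPath("includeProtocols")) ssl.setIncludeProtocols(arr(c.getStringList("includeProtocols")));
    if (c.hasPath("excludeProtocols")) ssl.setExcludeProtocols(arr(c.getStringList("excludeProtocols")));
    if (c.hasPath("includeCipherSuites")) ssl.setIncludeCipherSuites(arr(c.getStringList("includeCipherSuites")));
    if (c.hasPath("excludeCipherSuites")) ssl.setExcludeCipherSuites(arr(c.getStringList("excludeCipherSuites")));
    if (c.hasPath("useCipherSuiteOrder")) ssl.setUseCipherSuitesOrder(c.getBoolean("useCipherSuiteOrder"));
    if (c.hasPath("renegotiationAllowed")) ssl.setRenegotiationAllowed(c.getBoolean("renegotiationAllowed"));
    if (c.hasPath("renegotiationLimit")) ssl.setRenegotiationLimit(c.getInt("renegotiationLimit"));
    if (c.hasPath("needClientAuth")) ssl.setNeedClientAuth(c.getBoolean("needClientAuth"));
    if (c.hasPath("validatePeerCerts")) ssl.setValidatePeerCerts(c.getBoolean("validatePeerCerts"));
    return ssl;
  }

  private static String[] arr(List<String> values) {
    return values.toArray(new String[0]);
  }

  public static void main(String[] args) {
    SslContextFactory.Server ssl = configure(ConfigFactory.parseString(SAMPLE_CONF));
    // Inspect the effective include/exclude lists before handing the factory to a ServerConnector.
    System.out.println("protocols: " + String.join(",", ssl.getIncludeProtocols()));
    System.out.println("excluded suites: " + String.join(",", ssl.getExcludeCipherSuites()));
  }
}
```

Jetty applies include lists first and exclude lists second, so an exclusion pattern such as `.*EXPORT.*` wins over an include entry that names an export-grade suite; the key store and trust store paths and passwords are still set separately from these options.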



--
This message was sent by Atlassian Jira
(v8.3.4#803005)