gianm commented on a change in pull request #6076: Mutual TLS support
URL: https://github.com/apache/incubator-druid/pull/6076#discussion_r216886161
##########
File path:
server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
##########
@@ -256,6 +259,32 @@ static Server makeAndInitializeServer(
sslContextFactory.setExcludeProtocols(
tlsServerConfig.getExcludeProtocols().toArray(new String[0]));
}
+
+
sslContextFactory.setNeedClientAuth(tlsServerConfig.isRequireClientCertificate());
+ if (tlsServerConfig.isRequireClientCertificate()) {
+ if (tlsServerConfig.getCrlPath() != null) {
+ sslContextFactory.setValidatePeerCerts(true);
Review comment:
This is a pretty crazy API on Jetty's part: it looks like that the only
thing `setValidatePeerCerts` does is turn on CRL checking. Is that right? If
so, the method is definitely not named intuitively. Could you add a comment
about this?
I'm asking because at first glance, it looks like a bug, even if it's not.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@druid.apache.org
For additional commands, e-mail: commits-h...@druid.apache.org
