This is an automated email from the ASF dual-hosted git repository.

jojochuang pushed a commit to branch branch-3.4
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.4 by this push:
     new 261701306d3 HADOOP-19876. SSL protocol config is not applied to Jetty 
when set to default value (#8465)
261701306d3 is described below

commit 261701306d3add8db4fbe77f9a9512af2c697ae8
Author: Zita Dombi <[email protected]>
AuthorDate: Tue May 5 19:58:50 2026 +0200

    HADOOP-19876. SSL protocol config is not applied to Jetty when set to 
default value (#8465)
    
    (cherry picked from commit 5e1537769a9db2dc59e77e3980db978171df0588)
    (cherry picked from commit c9705d136cb8e2532f3859331e3da831360dcb2d)
    
     Conflicts:
            
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java
---
 .../java/org/apache/hadoop/http/HttpServer2.java   | 48 ++++++++++----------
 .../org/apache/hadoop/http/TestSSLHttpServer.java  |  6 ++-
 .../hadoop/http/TestSSLHttpServerConfigs.java      | 51 ++++++++++++++++++++++
 3 files changed, 78 insertions(+), 27 deletions(-)

diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index 5d6c36ae305..72221603400 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -679,34 +679,32 @@ private Timer makeConfigurationChangeMonitor(long 
reloadInterval,
     private void setEnabledProtocols(SslContextFactory sslContextFactory) {
       String enabledProtocols = conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY,
           SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
-      if (!enabledProtocols.equals(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
-        // Jetty 9.2.4.v20141103 and above excludes certain protocols by
-        // default. Remove the user enabled protocols from the exclude list,
-        // and add them into the include list.
-        String[] jettyExcludedProtocols =
-            sslContextFactory.getExcludeProtocols();
-        String[] enabledProtocolsArray =
-            StringUtils.getTrimmedStrings(enabledProtocols);
-        List<String> enabledProtocolsList =
-            Arrays.asList(enabledProtocolsArray);
-
-        List<String> resetExcludedProtocols = new ArrayList<>();
-        for (String jettyExcludedProtocol: jettyExcludedProtocols) {
-          if (!enabledProtocolsList.contains(jettyExcludedProtocol)) {
-            resetExcludedProtocols.add(jettyExcludedProtocol);
-          } else {
-            LOG.debug("Removed {} from exclude protocol list",
-                jettyExcludedProtocol);
-          }
+      // Jetty 9.2.4.v20141103 and above excludes certain protocols by
+      // default. Remove the user enabled protocols from the exclude list,
+      // and add them into the include list.
+      String[] jettyExcludedProtocols =
+          sslContextFactory.getExcludeProtocols();
+      String[] enabledProtocolsArray =
+          StringUtils.getTrimmedStrings(enabledProtocols);
+      List<String> enabledProtocolsList =
+          Arrays.asList(enabledProtocolsArray);
+
+      List<String> resetExcludedProtocols = new ArrayList<>();
+      for (String jettyExcludedProtocol: jettyExcludedProtocols) {
+        if (!enabledProtocolsList.contains(jettyExcludedProtocol)) {
+          resetExcludedProtocols.add(jettyExcludedProtocol);
+        } else {
+          LOG.debug("Removed {} from exclude protocol list",
+              jettyExcludedProtocol);
         }
+      }
 
-        sslContextFactory.setExcludeProtocols(
-            resetExcludedProtocols.toArray(new String[0]));
-        LOG.info("Reset exclude protocol list: {}", resetExcludedProtocols);
+      sslContextFactory.setExcludeProtocols(
+          resetExcludedProtocols.toArray(new String[0]));
+      LOG.info("Reset exclude protocol list: {}", resetExcludedProtocols);
 
-        sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
-        LOG.info("Enabled protocols: {}", enabledProtocols);
-      }
+      sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
+      LOG.info("Enabled protocols: {}", enabledProtocols);
     }
   }
 
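Review bot: When `SSLFactory.SSL_ENABLED_PROTOCOLS_KEY` is present but empty (or whitespace only), `conf.get` returns that value rather than the default, `StringUtils.getTrimmedStrings` yields an empty array, and the method then calls `setIncludeProtocols` with no entries while still logging `Enabled protocols: ` as though something had been applied; presumably Jetty falls back to the JVM's own enabled set in that case, so the log line would misstate what is in effect. Consider handling that case explicitly before the include list is set, e.g. `if (enabledProtocolsArray.length == 0) { LOG.warn("{} is empty; Jetty protocol defaults apply", SSLFactory.SSL_ENABLED_PROTOCOLS_KEY); return; }`. Because the exclude-list adjustment is now unconditional, the method's Javadoc should also state that every configured entry is removed from Jetty's default exclude list, so an operator who lists a protocol Jetty excludes for safety re-enables it on the HTTPS endpoint, and that names the JVM does not support are passed through to Jetty unvalidated. setEnabledProtocols starts and ends within the hunk.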
diff --git 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java
 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java
index 5ffed17b38c..72b573b63e5 100644
--- 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java
+++ 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java
@@ -136,8 +136,10 @@ public static void setup() throws Exception {
 
   private static void setupServer(Configuration conf, Configuration sslConf)
       throws IOException, URISyntaxException {
-    conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, INCLUDED_PROTOCOLS);
-    sslConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, INCLUDED_PROTOCOLS);
+    String protocols = Shell.isJavaVersionAtLeast(11)
+        ? INCLUDED_PROTOCOLS_JDK11 : INCLUDED_PROTOCOLS;
+    conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, protocols);
+    sslConf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, protocols);
     server = new HttpServer2.Builder().setName("test")
         .addEndpoint(new URI("https://localhost";)).setConf(conf)
         .keyPassword(
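Review bot: The runtime-version switch `String protocols = Shell.isJavaVersionAtLeast(11) ? INCLUDED_PROTOCOLS_JDK11 : INCLUDED_PROTOCOLS;` carries no explanation of why the expected protocol set depends on the JDK, and `INCLUDED_PROTOCOLS_JDK11` is not defined in this hunk, so it is presumably an existing constant of the class. A one-line comment above the ternary would spare the next reader from re-deriving it, e.g. `// the protocol list the server is expected to honour depends on the running JDK's TLS support`. setupServer continues past the end of the hunk.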
diff --git 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java
 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java
index f5c4c59d861..42f64eaea74 100644
--- 
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java
+++ 
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java
@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
+import java.util.Arrays;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
@@ -31,6 +32,9 @@
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 import static org.apache.hadoop.http.TestSSLHttpServer.EXCLUDED_CIPHERS;
 import static org.apache.hadoop.http.TestSSLHttpServer.INCLUDED_PROTOCOLS;
@@ -116,6 +120,29 @@ private HttpServer2 setupServer(String keyStoreKeyPassword,
     return server;
   }
 
+  private void assertServerAppliesEnabledProtocol(String protocol)
+      throws Exception {
+    HttpServer2 server = setupServer(SERVER_PWD, SERVER_PWD, TRUST_STORE_PWD);
+    try {
+      ServerConnector listener = server.getListeners().get(0);
+      SslConnectionFactory connectionFactory =
+          listener.getConnectionFactory(SslConnectionFactory.class);
+      Assert.assertNotNull("Expected HTTPS listener with an SSL connection 
factory",
+          connectionFactory);
+
+      SslContextFactory sslContextFactory =
+          connectionFactory.getSslContextFactory();
+
+      Assert.assertArrayEquals(new String[] {protocol},
+          sslContextFactory.getIncludeProtocols());
+
+      Assert.assertFalse("Configured enabled protocol should be removed from 
excluded protocols",
+          
Arrays.asList(sslContextFactory.getExcludeProtocols()).contains(protocol));
+    } finally {
+      server.stop();
+    }
+  }
+
   /**
    * Test if HttpServer2 start succeeds in validating KeyStore/ TrustStore
    * using the given passowords.
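Review bot: `server.getListeners().get(0)` assumes the HTTPS endpoint is the first listener that setupServer (outside this hunk) registers; if an HTTP endpoint is ever added ahead of it, `getConnectionFactory(SslConnectionFactory.class)` returns null and the helper fails with the "Expected HTTPS listener" message instead of checking the right connector. Selecting the listener that actually carries an SslConnectionFactory makes the helper independent of registration order (this assumes getListeners() returns a List, as the existing get(0) call suggests). The fixed-size `assertArrayEquals(new String[] {protocol}, ...)` also pins the helper to single-protocol values, which is fine for the three callers but worth a short Javadoc line on the helper stating that it expects exactly one configured protocol.
```java
      // pick the HTTPS listener explicitly instead of assuming it is registered first
      ServerConnector listener = server.getListeners().stream()
          .filter(l -> l.getConnectionFactory(SslConnectionFactory.class) != null)
          .findFirst()
          .orElse(null);
      Assert.assertNotNull("Expected HTTPS listener with an SSL connection factory",
          listener);
      SslConnectionFactory connectionFactory =
          listener.getConnectionFactory(SslConnectionFactory.class);
      // … unchanged: include/exclude protocol assertions and server.stop() …
```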
@@ -265,4 +292,28 @@ public void testKeyStoreSetupWithoutPassword() throws 
Exception {
           e.getCause());
     }
   }
+
+  @Test(timeout=120000)
+  public void testDefaultEnabledProtocolIsAppliedWhenConfigUnset()
+      throws Exception {
+    setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD);
+    conf.unset(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY);
+    
assertServerAppliesEnabledProtocol(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+  }
+
+  @Test(timeout=120000)
+  public void testDefaultEnabledProtocolIsAppliedWhenConfigExplicitlySet()
+      throws Exception {
+    setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD);
+    conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY,
+        SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+    
assertServerAppliesEnabledProtocol(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
+  }
+
+  @Test(timeout=120000)
+  public void testNonDefaultEnabledProtocolIsApplied() throws Exception {
+    setupKeyStores(SERVER_PWD, CLIENT_PWD, TRUST_STORE_PWD);
+    conf.set(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, "TLSv1.3");
+    assertServerAppliesEnabledProtocol("TLSv1.3");
+  }
 }
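Review bot: `testNonDefaultEnabledProtocolIsApplied` hardcodes `"TLSv1.3"`, whereas the companion change to TestSSLHttpServer.setupServer chooses its protocol list with `Shell.isJavaVersionAtLeast(11)`; on a JDK whose TLS stack lacks TLSv1.3 the include-list assertion would presumably still pass, because the configured string is stored as given, while the server is left with nothing usable, so the test would not prove the protocol is actually selectable. Guard the test with `Assume.assumeTrue(Shell.isJavaVersionAtLeast(11));` (adding the org.junit.Assume and Shell imports) or derive the value the same way setupServer does. A one-line comment on `testDefaultEnabledProtocolIsAppliedWhenConfigExplicitlySet` naming what it pins would also help, e.g. `// an explicitly configured default must be applied exactly like the unset key (HADOOP-19876)`.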

