Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/950#discussion_r140397986 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java --- 
@@ -70,22 +78,80 @@ private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(UserServer.class);
 private static final String SERVER_NAME = "Apache Drill Server";
+ private final BootStrapContext bootStrapContext;
+ private final BufferAllocator allocator;
 private final UserConnectionConfig config;
+ private final SSLConfig sslConfig;
+ private Channel sslChannel;
 private final UserWorker userWorker;
 public UserServer(BootStrapContext context, BufferAllocator allocator, EventLoopGroup eventLoopGroup, UserWorker worker) throws DrillbitStartupException {
 super(UserRpcConfig.getMapping(context.getConfig(), context.getExecutor()), allocator.getAsByteBufAllocator(), eventLoopGroup);
+ this.bootStrapContext = context;
+ this.allocator = allocator;
 this.config = new UserConnectionConfig(allocator, context, new UserServerRequestHandler(worker));
+ this.sslChannel = null;
+ try {
+ this.sslConfig = new SSLConfigBuilder()
+ .config(bootStrapContext.getConfig())
+ .mode(SSLFactory.Mode.SERVER)
+ .initializeSSLContext(true)
+ .validateKeyStore(true)
+ .build();
+ } catch (DrillException e) {
+ throw new DrillbitStartupException(e.getMessage(), e.getCause());
+ }
 this.userWorker = worker;
 // Initialize Singleton instance of UserRpcMetrics.
 ((UserRpcMetrics)UserRpcMetrics.getInstance()).initialize(config.isEncryptionEnabled(), allocator);
 }
 @Override
+ protected void setupSSL(ChannelPipeline pipe) {
+ if (sslConfig.isUserSslEnabled()) {
+
+ SSLEngine sslEngine = sslConfig.createSSLEngine(allocator, null, 0);
+ sslEngine.setUseClientMode(false);
+
+ // No need for client side authentication (HTTPS like behaviour)
+ sslEngine.setNeedClientAuth(false);
+
+ // set Security property jdk.certpath.disabledAlgorithms to disable specific ssl algorithms
+ sslEngine.setEnabledProtocols(sslEngine.getEnabledProtocols());
+
+ // set Security property jdk.tls.disabledAlgorithms to disable specific cipher suites
+ sslEngine.setEnabledCipherSuites(sslEngine.getEnabledCipherSuites());
+ sslEngine.setEnableSessionCreation(true);
+
--- End diff -- All these setup of sslEngine can be moved to `SSLConfigServer:createSSLEngine(..)` and same thing for client side setupSSL which can be moved to `SSLConfigClient::createSSLEngine(..)`
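Review bot: The `catch (DrillException e)` block in the constructor rethrows with `e.getCause()` rather than `e`, so the DrillException frame is dropped and, when the builder failure has no nested cause, the DrillbitStartupException carries no cause at all; prefer `throw new DrillbitStartupException(e.getMessage(), e);`. In setupSSL, `sslEngine.setEnabledProtocols(sslEngine.getEnabledProtocols())` and the matching cipher-suite call assign the engine's current values back to itself and therefore change nothing. If the intent is to rely on JDK-level restrictions, the comment above the protocol call should name `jdk.tls.disabledAlgorithms` (which governs TLS protocol versions as well as cipher suites), since `jdk.certpath.disabledAlgorithms` applies to certificate-path validation; either drop the two self-assignments or replace them with an explicit allow-list taken from configuration, and state in the comment that the effective set is whatever the JDK security properties leave enabled. The body of setupSSL continues past the end of the hunk.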
---