Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/950#discussion_r140394583 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserClient.java --- 
@@ -102,19 +115,78 @@ // these are used for authentication
 private volatile List<String> serverAuthMechanisms = null;
 private volatile boolean authComplete = true;
+ private SSLConfig sslConfig;
+ private Channel sslChannel;
+ private DrillbitEndpoint endpoint;
 public UserClient(String clientName, DrillConfig config, boolean supportComplexTypes,
- BufferAllocator allocator, EventLoopGroup eventLoopGroup, Executor eventExecutor) {
- super(
- UserRpcConfig.getMapping(config, eventExecutor),
- allocator.getAsByteBufAllocator(),
- eventLoopGroup,
- RpcType.HANDSHAKE,
- BitToUserHandshake.class,
- BitToUserHandshake.PARSER);
+ BufferAllocator allocator, EventLoopGroup eventLoopGroup, Executor eventExecutor,
+ DrillbitEndpoint endpoint) throws NonTransientRpcException {
+ super(UserRpcConfig.getMapping(config, eventExecutor), allocator.getAsByteBufAllocator(),
+ eventLoopGroup, RpcType.HANDSHAKE, BitToUserHandshake.class, BitToUserHandshake.PARSER);
+ this.endpoint = endpoint; // save the endpoint; it might be needed by SSL init.
 this.clientName = clientName;
 this.allocator = allocator;
 this.supportComplexTypes = supportComplexTypes;
+ this.sslChannel = null;
+ try {
+ this.sslConfig = new SSLConfigBuilder().config(config).mode(SSLFactory.Mode.CLIENT)
+ .initializeSSLContext(true).validateKeyStore(false).build();
+ } catch (DrillException e) {
+ throw new NonTransientRpcException(e.getMessage());
+ }
+
+ }
+
+ @Override protected void setupSSL(ChannelPipeline pipe,
+ ConnectionMultiListener.SSLHandshakeListener sslHandshakeListener) {
+ if (sslConfig.isUserSslEnabled()) {
+
+ String peerHost = endpoint.getAddress();
+ int peerPort = endpoint.getUserPort();
+ SSLEngine sslEngine = sslConfig.createSSLEngine(allocator, peerHost, peerPort);
+
+ if (!sslConfig.disableHostVerification()) {
+ SSLParameters sslParameters = sslEngine.getSSLParameters();
+ // only available since Java 7
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ sslEngine.setSSLParameters(sslParameters);
+ }
+
+ sslEngine.setUseClientMode(true);
+
+ // set Security property jdk.certpath.disabledAlgorithms to disable specific ssl algorithms
+ sslEngine.setEnabledProtocols(sslEngine.getEnabledProtocols());
+
+ // set Security property jdk.tls.disabledAlgorithms to disable specific cipher suites
+ sslEngine.setEnabledCipherSuites(sslEngine.getEnabledCipherSuites());
+ sslEngine.setEnableSessionCreation(true);
+
+ // Add SSL handler into pipeline
+ SslHandler sslHandler = new SslHandler(sslEngine);
+ sslHandler.setHandshakeTimeoutMillis(sslConfig.getHandshakeTimeout());
+
+ // Add a listener for SSL Handshake complete. The Drill client handshake will be enabled only
+ // after this is done.
+ sslHandler.handshakeFuture().addListener(sslHandshakeListener);
+ pipe.addFirst(RpcConstants.SSL_HANDLER, sslHandler);
+ }
+ logger.debug(sslConfig.toString());
+ }
+
+ @Override protected boolean isSslEnabled() {
+ return sslConfig.isUserSslEnabled();
+ }
+
+ @Override public void setSslChannel(Channel c) {
+ sslChannel = c;
+ return;
--- End diff -- _return_ not required
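Review bot: The `sslEngine.setEnabledProtocols(sslEngine.getEnabledProtocols())` and `sslEngine.setEnabledCipherSuites(sslEngine.getEnabledCipherSuites())` calls in setupSSL are no-ops, and the comments above them are swapped: `jdk.tls.disabledAlgorithms` is the security property that restricts TLS protocol versions and cipher suites, while `jdk.certpath.disabledAlgorithms` only affects certificate-path validation; drop both calls and keep a single comment such as `// TLS protocol versions and cipher suites are restricted via the jdk.tls.disabledAlgorithms security property`. In the constructor, `catch (DrillException e)` rethrows with `e.getMessage()` alone, so the original stack trace is lost; if NonTransientRpcException offers a cause-taking constructor, prefer `throw new NonTransientRpcException(e.getMessage(), e);`. `logger.debug(sslConfig.toString())` should be checked against what SSLConfig.toString() prints — if it includes keystore or truststore passwords, that debug line writes them to the log. The quoted hunk stops at the commented `return;`, so setSslChannel's closing brace and the rest of the hunk are outside this excerpt.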
---