[
https://issues.apache.org/jira/browse/DRILL-8447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17781421#comment-17781421
]
James Turton commented on DRILL-8447:
-------------------------------------
Hi, in DRILL-8452 we did a lot of library upgrades including, by chance, the
changes you mention here. Can you run a test using a snapshot of the Drill
master branch? I can also upload a snapshot build for you if that would be
helpful.
> Jetty TLS support broken for server certificate with multiple SANs
> ------------------------------------------------------------------
>
> Key: DRILL-8447
> URL: https://issues.apache.org/jira/browse/DRILL-8447
> Project: Apache Drill
> Issue Type: Bug
> Components: Server, Web Server
> Affects Versions: 1.21.1
> Reporter: Lev C
> Assignee: James Turton
> Priority: Minor
>
> The update of Jetty dependency to version 9.4 (DRILL-7135) has led to Drill
> no longer supporting a TLS server certificate with multiple Subject Alternate
> Name (SAN) values.
> If you try to use a keystore containing a single cert with multiple SANs, you
> get the following error on startup of the Drillbit:
>
> {code:java}
> [main] ERROR o.apache.drill.exec.server.Drillbit - Failure during initial
> startup of Drillbit.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not
> supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory.
> (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or
> org.eclipse.jetty.util.ssl.SslContextFactory$Client instead){code}
> It appears that Jetty version 9.4 has deprecated the
> org.eclipse.jetty.util.ssl.SslContextFactory class, and Drill should now use
> the org.eclipse.jetty.util.ssl.SslContextFactory.Server class instead.
>
> I was unable to find a Drill configuration file to change which class is used
> (eg an instance of jetty-ssl.xml), and it looks like the specific
> SslContextFactory class is hardcoded in
> org.apache.drill.exec.server.rest.ssl.SslContextFactoryConfigurator:
> {code:java}
> public SslContextFactory configureNewSslContextFactory() throws Exception {
>   SSLConfig sslConf = new SSLConfigBuilder()
>       .config(config)
>       .mode(SSLConfig.Mode.SERVER)
>       .initializeSSLContext(false)
>       .validateKeyStore(true)
>       .build();
>   // Hardcoded to the deprecated base class: a keystore holding a cert with
>   // several SANs (or several certs) fails here, because Jetty 9.4 only handles
>   // that case in SslContextFactory.Server / SslContextFactory.Client.
>   final SslContextFactory sslContextFactory = new SslContextFactory();
>   if (sslConf.isSslValid()) {
>     useOptionsConfiguredByUser(sslContextFactory, sslConf);
>   } else {
>     useAutoGeneratedSelfSignedCertificate(sslContextFactory);
>   }
>   return sslContextFactory;
> }{code}
> Relevant links for other products affected by the same issue:
> https://issues.apache.org/jira/browse/NIFI-7730
> [https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certificates-are-not-supported/1489]
> [https://community.microfocus.com/adtd/sws-qc/f/itrc-895/513861/java-lang-illegalstateexception-keystores-with-multiple-certificates-are-not-supported-on-the-base-class-org-eclipse-jetty-util-ssl-sslcontextfactory]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
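The following is an added example, not code from Apache Drill or from Jetty. It reproduces the behaviour the report describes against a keystore of your own: it configures a Jetty 9.4 SslContextFactory twice with the same keystore, once via the deprecated base class (what the Drill configurator quoted above does) and once via SslContextFactory.Server, starts each, and prints whether it accepted the keystore and which hostnames (SAN entries and wildcards) Jetty will serve from each alias. The class name, the command-line arguments and the assumption that jetty-util 9.4.x is on the classpath are mine; the Jetty calls used (setKeyStorePath, setKeyStorePassword, setKeyManagerPassword, start, stop, getAliases, getX509, X509.getHosts, X509.getWilds) are the standard 9.4 API.

```java
// Added example (not Drill or Jetty project code). Assumes jetty-util 9.4.x on
// the classpath. Usage: java SslContextFactoryCheck <keystore.jks> <storepass> [keypass]
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.ssl.X509;

public class SslContextFactoryCheck {

    /** Point a factory at a keystore, the way Drill's configurator does for the keystore part. */
    static SslContextFactory configure(SslContextFactory factory, String path,
                                       String storePass, String keyPass) {
        factory.setKeyStorePath(path);
        factory.setKeyStorePassword(storePass);
        factory.setKeyManagerPassword(keyPass);
        return factory;
    }

    /**
     * Start the factory (which loads the keystore and builds the key managers), then
     * list every alias Jetty loaded together with the hostnames it extracted from the
     * certificate's SAN entries. Returns true if the factory started, false otherwise.
     */
    static boolean report(String label, SslContextFactory factory) {
        try {
            factory.start();
            System.out.println(label + ": started OK");
            for (String alias : factory.getAliases()) {
                X509 x509 = factory.getX509(alias);
                System.out.println("  alias=" + alias
                        + " hosts=" + x509.getHosts()        // exact SAN/CN hostnames
                        + " wildcards=" + x509.getWilds());  // *.example.com style SANs
            }
            return true;
        } catch (Exception e) {
            // With the base class and a multi-SAN cert this is the IllegalStateException
            // quoted in the report; with SslContextFactory.Server it should not happen.
            System.out.println(label + ": FAILED: " + e);
            return false;
        } finally {
            try {
                factory.stop();
            } catch (Exception ignored) {
                // nothing useful to do on stop failure in a diagnostic
            }
        }
    }

    public static void main(String[] args) {
        if (args.length < 2) {
            System.err.println("usage: SslContextFactoryCheck <keystore.jks> <storepass> [keypass]");
            System.exit(2);
        }
        String path = args[0];
        String storePass = args[1];
        String keyPass = args.length > 2 ? args[2] : storePass;

        // 1. Deprecated base class: the instance type hardcoded in Drill 1.21.1.
        boolean baseOk = report("SslContextFactory (base class)",
                configure(new SslContextFactory(), path, storePass, keyPass));

        // 2. Server subclass: the type the report asks Drill to use instead.
        boolean serverOk = report("SslContextFactory.Server",
                configure(new SslContextFactory.Server(), path, storePass, keyPass));

        System.exit(baseOk == serverOk ? 0 : 1);
    }
}
```

Run it against the keystore that makes the Drillbit fail: the base-class run should reproduce the exception and the Server run should start and print the SAN hostnames, which confirms that the instance type, not the keystore, is the problem. The exit status is 1 when the two runs disagree, so the same class can be dropped into a pre-upgrade check.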