Github user yanghua commented on a diff in the pull request:
https://github.com/apache/flink/pull/6328#discussion_r202506709
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
@@ -163,80 +163,157 @@ public static void
setSSLVerifyHostname(Configuration sslConfig, SSLParameters s
}
/**
- * Creates the SSL Context for the client if SSL is configured.
+ * SSL engine provider.
+ */
+ public enum SSLProvider {
+ JDK,
+ /**
+ * OpenSSL with fallback to JDK if not available.
+ */
+ OPENSSL;
+
+ public static SSLProvider fromString(String value) {
+ Preconditions.checkNotNull(value);
+ if (value.equalsIgnoreCase("OPENSSL")) {
+ return OPENSSL;
+ } else if (value.equalsIgnoreCase("JDK")) {
+ return JDK;
+ } else {
+ throw new IllegalArgumentException("Unknown SSL
provider: " + value);
+ }
+ }
+ }
+
+ /**
+ * Instances needed to set up an SSL client connection.
+ */
+ public static class SSLClientTools {
+ public final SSLProvider preferredSslProvider;
+ public final String sslProtocolVersion;
+ public final TrustManagerFactory trustManagerFactory;
+
+ public SSLClientTools(
+ SSLProvider preferredSslProvider,
+ String sslProtocolVersion,
+ TrustManagerFactory trustManagerFactory) {
+ this.preferredSslProvider = preferredSslProvider;
+ this.sslProtocolVersion = sslProtocolVersion;
+ this.trustManagerFactory = trustManagerFactory;
+ }
+ }
+
+ /**
+ * Creates necessary helper objects to use for creating an SSL Context
for the client if SSL is
+ * configured.
*
* @param sslConfig
* The application configuration
- * @return The SSLContext object which can be used by the ssl transport
client
- * Returns null if SSL is disabled
+ * @return The SSLClientTools object which can be used for creating
some SSL context object;
+ * returns <tt>null</tt> if SSL is disabled.
* @throws Exception
* Thrown if there is any misconfiguration
*/
@Nullable
- public static SSLContext createSSLClientContext(Configuration
sslConfig) throws Exception {
-
+ public static SSLClientTools createSSLClientTools(Configuration
sslConfig) throws Exception {
Preconditions.checkNotNull(sslConfig);
- SSLContext clientSSLContext = null;
if (getSSLEnabled(sslConfig)) {
LOG.debug("Creating client SSL context from
configuration");
String trustStoreFilePath =
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
String trustStorePassword =
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
String sslProtocolVersion =
sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
+ SSLProvider sslProvider =
SSLProvider.fromString(sslConfig.getString(SecurityOptions.SSL_PROVIDER));
Preconditions.checkNotNull(trustStoreFilePath,
SecurityOptions.SSL_TRUSTSTORE.key() + " was not configured.");
Preconditions.checkNotNull(trustStorePassword,
SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key() + " was not configured.");
KeyStore trustStore =
KeyStore.getInstance(KeyStore.getDefaultType());
- FileInputStream trustStoreFile = null;
- try {
- trustStoreFile = new FileInputStream(new
File(trustStoreFilePath));
+ try (FileInputStream trustStoreFile = new
FileInputStream(new File(trustStoreFilePath))) {
trustStore.load(trustStoreFile,
trustStorePassword.toCharArray());
- } finally {
- if (trustStoreFile != null) {
- trustStoreFile.close();
- }
}
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
- clientSSLContext =
SSLContext.getInstance(sslProtocolVersion);
- clientSSLContext.init(null,
trustManagerFactory.getTrustManagers(), null);
+ return new SSLClientTools(sslProvider,
sslProtocolVersion, trustManagerFactory);
}
- return clientSSLContext;
+ return null;
}
/**
- * Creates the SSL Context for the server if SSL is configured.
+ * Creates the SSL Context for the client if SSL is configured.
*
* @param sslConfig
* The application configuration
- * @return The SSLContext object which can be used by the ssl transport
server
+ * @return The SSLContext object which can be used by the ssl transport
client
* Returns null if SSL is disabled
* @throws Exception
* Thrown if there is any misconfiguration
*/
@Nullable
- public static SSLContext createSSLServerContext(Configuration
sslConfig) throws Exception {
+ public static SSLContext createSSLClientContext(Configuration
sslConfig) throws Exception {
+ Preconditions.checkNotNull(sslConfig);
+ SSLContext clientSSLContext = null;
+
+ if (getSSLEnabled(sslConfig)) {
+ SSLClientTools clientTools =
createSSLClientTools(sslConfig);
+ clientSSLContext =
SSLContext.getInstance(clientTools.sslProtocolVersion);
+ clientSSLContext.init(null,
clientTools.trustManagerFactory.getTrustManagers(), null);
+ }
+
+ return clientSSLContext;
+ }
+
+ /**
+ * Instances needed to set up an SSL client connection.
+ */
+ public static class SSLServerTools {
+ public final SSLProvider preferredSslProvider;
+ public final String sslProtocolVersion;
+ public final String[] ciphers;
+ public final KeyManagerFactory keyManagerFactory;
+
+ public SSLServerTools(
+ SSLProvider preferredSslProvider,
+ String sslProtocolVersion,
+ String[] ciphers,
+ KeyManagerFactory keyManagerFactory) {
+ this.preferredSslProvider = preferredSslProvider;
+ this.sslProtocolVersion = sslProtocolVersion;
+ this.ciphers = ciphers;
+ this.keyManagerFactory = keyManagerFactory;
+ }
+ }
+
+ /**
+ * Creates necessary helper objects to use for creating an SSL Context
for the server if SSL is
+ * configured.
+ *
+ * @param sslConfig
+ * The application configuration
--- End diff --
do not need linefeed
---
