Github user yanghua commented on a diff in the pull request: https://github.com/apache/flink/pull/6328#discussion_r202506709 --- Diff: flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java --- @@ -163,80 +163,157 @@ public static void setSSLVerifyHostname(Configuration sslConfig, SSLParameters s } /** - * Creates the SSL Context for the client if SSL is configured. + * SSL engine provider. + */ + public enum SSLProvider { + JDK, + /** + * OpenSSL with fallback to JDK if not available. + */ + OPENSSL; + + public static SSLProvider fromString(String value) { + Preconditions.checkNotNull(value); + if (value.equalsIgnoreCase("OPENSSL")) { + return OPENSSL; + } else if (value.equalsIgnoreCase("JDK")) { + return JDK; + } else { + throw new IllegalArgumentException("Unknown SSL provider: " + value); + } + } + } + + /** + * Instances needed to set up an SSL client connection. + */ + public static class SSLClientTools { + public final SSLProvider preferredSslProvider; + public final String sslProtocolVersion; + public final TrustManagerFactory trustManagerFactory; + + public SSLClientTools( + SSLProvider preferredSslProvider, + String sslProtocolVersion, + TrustManagerFactory trustManagerFactory) { + this.preferredSslProvider = preferredSslProvider; + this.sslProtocolVersion = sslProtocolVersion; + this.trustManagerFactory = trustManagerFactory; + } + } + + /** + * Creates necessary helper objects to use for creating an SSL Context for the client if SSL is + * configured. * * @param sslConfig * The application configuration - * @return The SSLContext object which can be used by the ssl transport client - * Returns null if SSL is disabled + * @return The SSLClientTools object which can be used for creating some SSL context object; + * returns <tt>null</tt> if SSL is disabled. * @throws Exception * Thrown if there is any misconfiguration */ @Nullable - public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception { - + public static SSLClientTools createSSLClientTools(Configuration sslConfig) throws Exception { Preconditions.checkNotNull(sslConfig); - SSLContext clientSSLContext = null; if (getSSLEnabled(sslConfig)) { LOG.debug("Creating client SSL context from configuration"); String trustStoreFilePath = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE); String trustStorePassword = sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD); String sslProtocolVersion = sslConfig.getString(SecurityOptions.SSL_PROTOCOL); + SSLProvider sslProvider = SSLProvider.fromString(sslConfig.getString(SecurityOptions.SSL_PROVIDER)); Preconditions.checkNotNull(trustStoreFilePath, SecurityOptions.SSL_TRUSTSTORE.key() + " was not configured."); Preconditions.checkNotNull(trustStorePassword, SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key() + " was not configured."); KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); - FileInputStream trustStoreFile = null; - try { - trustStoreFile = new FileInputStream(new File(trustStoreFilePath)); + try (FileInputStream trustStoreFile = new FileInputStream(new File(trustStoreFilePath))) { trustStore.load(trustStoreFile, trustStorePassword.toCharArray()); - } finally { - if (trustStoreFile != null) { - trustStoreFile.close(); - } } TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); - clientSSLContext = SSLContext.getInstance(sslProtocolVersion); - clientSSLContext.init(null, trustManagerFactory.getTrustManagers(), null); + return new SSLClientTools(sslProvider, sslProtocolVersion, trustManagerFactory); } - return clientSSLContext; + return null; } /** - * Creates the SSL Context for the server if SSL is configured. + * Creates the SSL Context for the client if SSL is configured. * * @param sslConfig * The application configuration - * @return The SSLContext object which can be used by the ssl transport server + * @return The SSLContext object which can be used by the ssl transport client * Returns null if SSL is disabled * @throws Exception * Thrown if there is any misconfiguration */ @Nullable - public static SSLContext createSSLServerContext(Configuration sslConfig) throws Exception { + public static SSLContext createSSLClientContext(Configuration sslConfig) throws Exception { + Preconditions.checkNotNull(sslConfig); + SSLContext clientSSLContext = null; + + if (getSSLEnabled(sslConfig)) { + SSLClientTools clientTools = createSSLClientTools(sslConfig); + clientSSLContext = SSLContext.getInstance(clientTools.sslProtocolVersion); + clientSSLContext.init(null, clientTools.trustManagerFactory.getTrustManagers(), null); + } + + return clientSSLContext; + } + + /** + * Instances needed to set up an SSL client connection. + */ + public static class SSLServerTools { + public final SSLProvider preferredSslProvider; + public final String sslProtocolVersion; + public final String[] ciphers; + public final KeyManagerFactory keyManagerFactory; + + public SSLServerTools( + SSLProvider preferredSslProvider, + String sslProtocolVersion, + String[] ciphers, + KeyManagerFactory keyManagerFactory) { + this.preferredSslProvider = preferredSslProvider; + this.sslProtocolVersion = sslProtocolVersion; + this.ciphers = ciphers; + this.keyManagerFactory = keyManagerFactory; + } + } + + /** + * Creates necessary helper objects to use for creating an SSL Context for the server if SSL is + * configured. + * + * @param sslConfig + * The application configuration --- End diff -- do not need linefeed
---