bbeaudreault commented on code in PR #5363:
URL: https://github.com/apache/hbase/pull/5363#discussion_r1300378770
##########
hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java:
##########
@@ -234,11 +272,23 @@ public static SslContext
createSslContextForClient(Configuration config)
sslContextBuilder.enableOcsp(sslOcspEnabled);
sslContextBuilder.protocols(getEnabledProtocols(config));
- sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config)));
+ sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config,
useOpenSsl)));
return sslContextBuilder.build();
}
+ private static boolean configureOpenSslIfAvailable(SslContextBuilder
sslContextBuilder,
+ Configuration conf) {
+ if (OpenSsl.isAvailable() && conf.getBoolean(TLS_USE_OPENSSL, true)) {
+ LOG.debug("Using netty-tcnative to accelerate TLS handling");
+ sslContextBuilder.sslProvider(SslProvider.OPENSSL);
+ return true;
+ } else {
+ sslContextBuilder.sslProvider(SslProvider.JDK);
Review Comment:
The [default
behavior](https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/SslContext.java#L124-L130)
is to use OPENSSL if its detected on the classpath. This is not safe for us
because of the need to use `DEFAULT_CIPHERS_OPENSSL` when using openssl given
our typical default ciphers. We could change our default ciphers overall, or
simply `getDefaultCipherSuites` above to use just OpenSsl.isAvailable(). I
prefer the config option as it gives users the ability to test and rollout
tcnative if they desire, without needing to mess with the classpath.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@hbase.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
