bbeaudreault commented on code in PR #5363: URL: https://github.com/apache/hbase/pull/5363#discussion_r1300378770
########## hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java: ########## @@ -234,11 +272,23 @@ public static SslContext createSslContextForClient(Configuration config) sslContextBuilder.enableOcsp(sslOcspEnabled); sslContextBuilder.protocols(getEnabledProtocols(config)); - sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config))); + sslContextBuilder.ciphers(Arrays.asList(getCipherSuites(config, useOpenSsl))); return sslContextBuilder.build(); } + private static boolean configureOpenSslIfAvailable(SslContextBuilder sslContextBuilder, + Configuration conf) { + if (OpenSsl.isAvailable() && conf.getBoolean(TLS_USE_OPENSSL, true)) { + LOG.debug("Using netty-tcnative to accelerate TLS handling"); + sslContextBuilder.sslProvider(SslProvider.OPENSSL); + return true; + } else { + sslContextBuilder.sslProvider(SslProvider.JDK); Review Comment: The [default behavior](https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/SslContext.java#L124-L130) is to use OPENSSL if its detected on the classpath. This is not safe for us because of the need to use `DEFAULT_CIPHERS_OPENSSL` when using openssl given our typical default ciphers. We could change our default ciphers overall, or simply `getDefaultCipherSuites` above to use just OpenSsl.isAvailable(). I prefer the config option as it gives users the ability to test and rollout tcnative if they desire, without needing to mess with the classpath. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@hbase.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org