[ 
https://issues.apache.org/jira/browse/HDDS-15176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zita Dombi updated HDDS-15176:
------------------------------
    Description: 
The gRPC server TLS setup applies configured ciphers directly using Netty 
OpenSSL context creation with strict conversion. If any configured cipher is 
unsupported (and there is no supported cipher in the list before that), TLS 
context creation throws an error and SCM startup fails.

Unsupported ciphers in the configured list should be filtered out and service 
startup should continue if at least one valid cipher remains.

Instead of this:
{code:java}
sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
{code}
It should use Netty SupportedCipherSuiteFilter.INSTANCE when applying 
configured cipher lists in gRPC server TLS context builders: 
{code:java}
sslContextBuilder.ciphers(
    securityConfig.getGrpcTlsCiphers(),
    SupportedCipherSuiteFilter.INSTANCE);
{code}
 

  was:
The gRPC server TLS setup applies configured ciphers directly using Netty 
OpenSSL context creation with strict conversion. If any configured cipher is 
unsupported (and there is no supported cipher in the list before that), TLS 
context creation throws an error and SCM startup fails.

Unsupported ciphers in the configured list should be filtered out and service 
startup should continue if at least one valid cipher remains.

Instead of this:
{code:java}
sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
{code}
It should use Netty SupportedCipherSuiteFilter.INSTANCE when applying 
configured cipher lists in gRPC server TLS context builders: 

 
{code:java}
sslContextBuilder.ciphers(
    securityConfig.getGrpcTlsCiphers(),
    SupportedCipherSuiteFilter.INSTANCE);
{code}
 


> Ozone SCM fails to start when gRPC cipher policy includes unsupported cipher
> ----------------------------------------------------------------------------
>
>                 Key: HDDS-15176
>                 URL: https://issues.apache.org/jira/browse/HDDS-15176
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Zita Dombi
>            Assignee: Zita Dombi
>            Priority: Major
>
> The gRPC server TLS setup applies configured ciphers directly using Netty 
> OpenSSL context creation with strict conversion. If any configured cipher is 
> unsupported (and there is no supported cipher in the list before that), TLS 
> context creation throws an error and SCM startup fails.
> Unsupported ciphers in the configured list should be filtered out and service 
> startup should continue if at least one valid cipher remains.
> Instead of this:
> {code:java}
> sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
> {code}
> It should use Netty SupportedCipherSuiteFilter.INSTANCE when applying 
> configured cipher lists in gRPC server TLS context builders: 
> {code:java}
> sslContextBuilder.ciphers(
>     securityConfig.getGrpcTlsCiphers(),
>     SupportedCipherSuiteFilter.INSTANCE);
> {code}
>  
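
An added example, not code from Apache Ozone or from the issue: it runs Netty's SupportedCipherSuiteFilter over a configured list, reports which entries the filter would silently drop, and refuses to continue when nothing usable remains. The class name CipherPolicyCheck, the helper usable() and the sample policy are assumptions made for illustration; netty-handler must be on the classpath.

```java
import io.netty.handler.ssl.SupportedCipherSuiteFilter;

import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherPolicyCheck {

  /** Returns the configured suites this runtime can use, in configured order. */
  static List<String> usable(List<String> configured, Set<String> supported) {
    // Same filter the issue proposes passing to sslContextBuilder.ciphers(...).
    // The defaults argument is only consulted when the configured list is null.
    String[] kept = SupportedCipherSuiteFilter.INSTANCE.filterCipherSuites(
        configured, new ArrayList<>(supported), supported);
    return Arrays.asList(kept);
  }

  public static void main(String[] args) throws Exception {
    // Suites supported by the JDK provider; an OpenSSL-backed context has its own set.
    Set<String> supported = new HashSet<>(Arrays.asList(
        SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

    // Constructed policy: one standard suite name and one made-up name.
    List<String> configured = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_EXAMPLE_UNSUPPORTED_SUITE");

    List<String> kept = usable(configured, supported);
    List<String> dropped = new ArrayList<>(configured);
    dropped.removeAll(kept);

    // Filtering is silent, so surface what was removed from the policy.
    if (!dropped.isEmpty()) {
      System.err.println("Ignoring unsupported TLS ciphers: " + dropped);
    }
    // An empty result means the policy cannot be honoured at all: fail closed.
    if (kept.isEmpty()) {
      throw new IllegalStateException("No configured TLS cipher is supported");
    }
    System.out.println("Effective cipher list: " + kept);
  }
}
```

Logging the dropped entries keeps the effective cipher policy auditable once startup no longer fails on them.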


