[ https://issues.apache.org/jira/browse/HDDS-15176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zita Dombi updated HDDS-15176:
------------------------------
Description:
The gRPC server TLS setup applies the configured cipher list directly when
building the Netty OpenSSL context. If any configured cipher is unsupported
(and there is no supported cipher in the list before that), TLS context
creation throws an error and SCM startup fails.
Unsupported ciphers in the configured list should be filtered out and service
startup should continue if at least one valid cipher remains.
Instead of this:
{code:java}
sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers()); {code}
It should use Netty's SupportedCipherSuiteFilter.INSTANCE when applying
configured cipher lists in gRPC server TLS context builders:
{code:java}
sslContextBuilder.ciphers(
securityConfig.getGrpcTlsCiphers(),
SupportedCipherSuiteFilter.INSTANCE); {code}
was:
The gRPC server TLS setup applies configured ciphers directly using Netty
OpenSSL context creation with strict conversion. If any configured cipher is
unsupported (and there is no supported cipher in the list before that), TLS
context creation throws an error and SCM startup fails.
Unsupported ciphers in the configured list should be filtered out and service
startup should continue if at least one valid cipher remains.
Instead of this:
{code:java}
sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers()); {code}
It should use Netty's SupportedCipherSuiteFilter.INSTANCE when applying
configured cipher lists in gRPC server TLS context builders:
{code:java}
sslContextBuilder.ciphers(
securityConfig.getGrpcTlsCiphers(),
SupportedCipherSuiteFilter.INSTANCE); {code}
> Ozone SCM fails to start when gRPC cipher policy list includes unsupported
> cipher
> ---------------------------------------------------------------------------------
>
> Key: HDDS-15176
> URL: https://issues.apache.org/jira/browse/HDDS-15176
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Zita Dombi
> Assignee: Zita Dombi
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
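As an added example (not Ozone's or Netty's own code), the following Java program puts the strict and the filtered builder calls from the issue side by side against a Netty OpenSSL server context, and adds the check the issue asks for: unsupported names are dropped and logged, and startup fails only when no supported cipher remains. The class name GrpcCipherFilterExample, the placeholder key and certificate paths, and the constructed cipher list (including the deliberately invalid name TLS_NOT_A_REAL_CIPHER_SUITE, placed first to match the ordering condition in the issue) are assumptions; netty-handler and a netty-tcnative artifact must be on the classpath.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;

/**
 * Added example, not Ozone's own code. Applies a configured cipher list to a
 * Netty OpenSSL server context the way HDDS-15176 proposes: names the provider
 * cannot use are dropped, and the service refuses to start only when none are left.
 * Requires netty-handler plus netty-tcnative (e.g. netty-tcnative-boringssl-static).
 */
public final class GrpcCipherFilterExample {

  /** Constructed sample list: one bogus name first (on purpose), then two real TLS 1.2 suites. */
  static final List<String> CONFIGURED = Arrays.asList(
      "TLS_NOT_A_REAL_CIPHER_SUITE",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

  /**
   * Runs the same filter the builder will apply, so the caller can log what was
   * dropped and fail fast with a clear message when nothing usable remains,
   * rather than relying on whatever the provider does with an empty cipher list.
   * Configured order is preserved, so the server's preference order survives.
   */
  static List<String> supportedSubset(List<String> configured) {
    Set<String> supported = OpenSsl.availableJavaCipherSuites();
    // defaultCiphers is only consulted when the configured list is null.
    String[] kept = SupportedCipherSuiteFilter.INSTANCE.filterCipherSuites(
        configured, Collections.<String>emptyList(), supported);
    List<String> keptList = Arrays.asList(kept);
    List<String> dropped = new ArrayList<>(configured);
    dropped.removeAll(keptList);
    if (!dropped.isEmpty()) {
      // An operator should see which entries of their policy were ignored.
      System.err.println("WARN: ignoring unsupported TLS ciphers: " + dropped);
    }
    if (keptList.isEmpty()) {
      throw new IllegalArgumentException(
          "no configured TLS cipher is supported by the OpenSSL provider: " + configured);
    }
    return keptList;
  }

  /** Strict form quoted in the issue: an unsupported name makes build() throw. */
  static SslContext buildStrict(File certChain, File key, List<String> ciphers) throws Exception {
    return SslContextBuilder.forServer(certChain, key)
        .sslProvider(SslProvider.OPENSSL)
        .ciphers(ciphers)
        .build();
  }

  /** Proposed form: unsupported names are filtered before the context is created. */
  static SslContext buildFiltered(File certChain, File key, List<String> ciphers) throws Exception {
    return SslContextBuilder.forServer(certChain, key)
        .sslProvider(SslProvider.OPENSSL)
        .ciphers(ciphers, SupportedCipherSuiteFilter.INSTANCE)
        .build();
  }

  public static void main(String[] args) throws Exception {
    OpenSsl.ensureAvailability();  // throws if netty-tcnative is not on the classpath
    // Placeholder paths (assumption): a PEM certificate chain and its private key.
    File cert = new File(args.length > 0 ? args[0] : "server.crt");
    File key = new File(args.length > 1 ? args[1] : "server.key");

    try {
      buildStrict(cert, key, CONFIGURED);
      System.out.println("strict build unexpectedly succeeded");
    } catch (Exception e) {
      // This is the failure mode the issue describes for SCM startup.
      System.out.println("strict build failed: " + e.getMessage());
    }

    List<String> usable = supportedSubset(CONFIGURED);  // warns about the bogus name
    SslContext ctx = buildFiltered(cert, key, usable);
    System.out.println("filtered context will negotiate: " + ctx.cipherSuites());
  }
}
```

Run it as `java GrpcCipherFilterExample server.crt server.key` with real PEM files. Dropping entries silently would hide a typo in a hardened cipher policy, which is why supportedSubset logs every removed name at WARN before the context is built; it also rejects an all-unsupported list explicitly, which is the "at least one valid cipher remains" condition from the issue expressed as code.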