dombizita opened a new pull request, #10192:
URL: https://github.com/apache/ozone/pull/10192
## What changes were proposed in this pull request?
The gRPC server TLS setup applies the configured cipher list directly when
building the Netty OpenSSL context. If any configured cipher is unsupported
(and there is no supported cipher in the list before that), TLS context
creation throws an error and SCM startup fails. Unsupported ciphers in the
configured list should be filtered out and service startup should continue if
at least one valid cipher remains.
Instead of this:
```
sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
```
It should use Netty `SupportedCipherSuiteFilter.INSTANCE` when applying
configured cipher lists in gRPC server TLS context builders:
```
sslContextBuilder.ciphers(
    securityConfig.getGrpcTlsCiphers(),
    SupportedCipherSuiteFilter.INSTANCE);
```
## What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-15176
## How was this patch tested?
Added a unit test for this scenario, which was failing before applying the
fix. Green CI on my fork:
https://github.com/dombizita/ozone/actions/runs/25378217331
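The filtering behaviour the description asks for, sketched with only JDK classes as an added example (not code from the pull request, Ozone, or Netty). The unsupported suite name is a constructed placeholder and `filterSupported` is a hypothetical helper; it also reports what it dropped and refuses to continue when nothing remains, so a misconfigured cipher list stays visible to the operator.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherFilterDemo {
  // Hypothetical helper: keeps supported suites in configured order, records the rest.
  static List<String> filterSupported(List<String> configured, Set<String> supported,
      List<String> dropped) {
    List<String> kept = new ArrayList<>();
    for (String suite : configured) {
      (supported.contains(suite) ? kept : dropped).add(suite);
    }
    return kept;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getDefault();
    Set<String> supported = new HashSet<>(
        Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
    // Constructed configuration: a made-up suite name ahead of a real one.
    List<String> configured = Arrays.asList(
        "TLS_EXAMPLE_UNSUPPORTED_SUITE",            // placeholder, not a real suite
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Unfiltered: the JDK engine rejects the whole list because of the unknown name.
    SSLEngine engine = ctx.createSSLEngine();
    try {
      engine.setEnabledCipherSuites(configured.toArray(new String[0]));
    } catch (IllegalArgumentException e) {
      System.out.println("unfiltered list rejected: " + e.getMessage());
    }

    // Filtered: drop unsupported names, report them, fail only if none remain.
    List<String> dropped = new ArrayList<>();
    List<String> kept = filterSupported(configured, supported, dropped);
    if (!dropped.isEmpty()) {
      System.out.println("WARN ignoring unsupported ciphers: " + dropped);
    }
    if (kept.isEmpty()) {
      throw new IllegalStateException("no configured TLS cipher is supported");
    }
    engine.setEnabledCipherSuites(kept.toArray(new String[0]));
    System.out.println("enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
  }
}
```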