[
https://issues.apache.org/jira/browse/RATIS-2537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18081911#comment-18081911
]
Tsz-wo Sze commented on RATIS-2537:
-----------------------------------
[~haonan], thanks for reporting this JIRA! Are you interested in submitting a
PR? If not, I am happy to do it.
> Support configurable gRPC TLS provider and cipher suites
> --------------------------------------------------------
>
> Key: RATIS-2537
> URL: https://issues.apache.org/jira/browse/RATIS-2537
> Project: Ratis
> Issue Type: Improvement
> Components: gRPC
> Affects Versions: 3.2.2
> Reporter: Haonan Hou
> Priority: Major
>
> *Description*
> Ratis gRPC TLS currently does not allow users to configure the underlying TLS
> provider or cipher suites.
> In Ratis 3.2.2, server-side TLS explicitly uses Netty OPENSSL:
>
> {{GrpcSslContexts.configure(b, OPENSSL)}}
> Client-side TLS uses GrpcSslContexts.forClient(), which also prefers OPENSSL
> when available.
> This makes it hard for downstream projects to use JDK/JSSE providers such as
> BCJSSE, OpenJSSE, or other custom providers, and also prevents configuring
> compliance-specific TLS protocols and cipher suites.
> *Request*
> Please expose configuration options for:
>
> {{raft.grpc.tls.ssl.provider=JDK|OPENSSL|OPENSSL_REFCNT
> raft.grpc.tls.jsse.provider.name=BCJSSE
> raft.grpc.tls.protocols=TLSv1.3,TLSv1.2
> raft.grpc.tls.cipher.suites=...}}
> When unset, current behavior should remain unchanged.
> *Expected*
> Ratis gRPC client and server should both be able to use configurable TLS
> provider, JSSE provider, protocols, and cipher suites.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
