[ 
https://issues.apache.org/jira/browse/RATIS-2537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tsz-wo Sze updated RATIS-2537:
------------------------------
    Attachment: 1462_review.patch

> Support configurable gRPC TLS provider and cipher suites
> --------------------------------------------------------
>
>                 Key: RATIS-2537
>                 URL: https://issues.apache.org/jira/browse/RATIS-2537
>             Project: Ratis
>          Issue Type: Improvement
>          Components: gRPC
>    Affects Versions: 3.2.2
>            Reporter: Haonan Hou
>            Assignee: Haonan Hou
>            Priority: Major
>         Attachments: 1462_review.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> *Description*
> Ratis gRPC TLS currently does not allow users to configure the underlying TLS 
> provider or cipher suites.
> In Ratis 3.2.2, server-side TLS explicitly uses Netty OPENSSL:
> {code:java}
> GrpcSslContexts.configure(b, OPENSSL)
> {code}
> Client-side TLS uses GrpcSslContexts.forClient(), which also prefers 
> OPENSSL when available.
> This makes it hard for downstream projects to use JDK/JSSE providers such as 
> BCJSSE, OpenJSSE, or other custom providers, and also prevents configuring 
> compliance-specific TLS protocols and cipher suites.
> *Request*
> Please expose configuration options for:
> {code:java}
> raft.grpc.tls.ssl.provider=JDK|OPENSSL|OPENSSL_REFCNT
> raft.grpc.tls.jsse.provider.name=BCJSSE
> raft.grpc.tls.protocols=TLSv1.3,TLSv1.2
> raft.grpc.tls.cipher.suites=...
> {code}
> When unset, current behavior should remain unchanged.
> *Expected*
> Ratis gRPC client and server should both be able to use configurable TLS 
> provider, JSSE provider, protocols, and cipher suites.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
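
A startup check for the settings requested in the issue above, as an added example that is not Ratis code and not part of the attached patch: it resolves the named JSSE provider with standard JDK APIs and rejects protocol or cipher-suite names that provider does not support. The property keys are the ones proposed in the issue and are assumed here; the class name TlsConfigCheck and the sample values are constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsConfigCheck {
  /** Names listed in a comma-separated property that the provider does not support. */
  static List<String> unsupported(String value, String[] supported) {
    List<String> bad = new ArrayList<>();
    if (value == null) return bad;                 // unset: nothing to check
    List<String> ok = Arrays.asList(supported);
    for (String s : value.split(",")) {
      String name = s.trim();
      if (!name.isEmpty() && !ok.contains(name)) bad.add(name);
    }
    return bad;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values; the keys are the ones proposed in the issue.
    Properties p = new Properties();
    p.setProperty("raft.grpc.tls.protocols", "TLSv1.3,TLSv1.2");
    p.setProperty("raft.grpc.tls.cipher.suites",
        "TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"); // second is a legacy RC4 suite
    // raft.grpc.tls.jsse.provider.name is left unset: use the JDK default provider.

    String providerName = p.getProperty("raft.grpc.tls.jsse.provider.name");
    SSLContext ctx;
    if (providerName == null) {
      ctx = SSLContext.getInstance("TLS");
    } else {
      Provider prov = Security.getProvider(providerName);
      if (prov == null) throw new IllegalStateException("JSSE provider not registered: " + providerName);
      ctx = SSLContext.getInstance("TLS", prov);
    }
    ctx.init(null, null, null); // default key/trust managers; enough to query capabilities
    SSLParameters sup = ctx.getSupportedSSLParameters();

    List<String> badProtocols = unsupported(p.getProperty("raft.grpc.tls.protocols"), sup.getProtocols());
    List<String> badCiphers = unsupported(p.getProperty("raft.grpc.tls.cipher.suites"), sup.getCipherSuites());
    System.out.println("provider=" + ctx.getProvider().getName());
    System.out.println("unsupported protocols=" + badProtocols + ", cipher suites=" + badCiphers);
    if (!badProtocols.isEmpty() || !badCiphers.isEmpty()) System.exit(1); // fail closed at startup
  }
}
```

Running the same check on both client and server hosts before enabling a restricted suite list catches a provider mismatch at startup instead of at handshake time.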
