This is an automated email from the ASF dual-hosted git repository. stoty pushed a commit to branch branch-3 in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-3 by this push: new 2e63952def5 HBASE-29444 Default to JRE default TLS protcol list (#7142) 2e63952def5 is described below commit 2e63952def50ad5f56c0a49a5ffc04ae10fc4f82 Author: Istvan Toth <st...@apache.org> AuthorDate: Mon Jul 28 08:48:00 2025 +0200 HBASE-29444 Default to JRE default TLS protcol list (#7142) Signed-off-by: Duo Zhang <zhang...@apache.org> (cherry picked from commit bdefd1e124912f654baeac8e5ae9229a29095017) --- .../apache/hadoop/hbase/io/crypto/tls/X509Util.java | 19 ++++++++++++++----- .../hadoop/hbase/io/crypto/tls/TestX509Util.java | 11 ++++++++++- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java index a233050994f..273cf938c87 100644 --- a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java +++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java @@ -87,7 +87,6 @@ public final class X509Util { public static final String TLS_CIPHER_SUITES = CONFIG_PREFIX + "ciphersuites"; public static final String TLS_CERT_RELOAD = CONFIG_PREFIX + "certReload"; public static final String TLS_USE_OPENSSL = CONFIG_PREFIX + "useOpenSsl"; - public static final String DEFAULT_PROTOCOL = "TLSv1.2"; // // Server-side specific configs @@ -206,7 +205,10 @@ public final class X509Util { } sslContextBuilder.enableOcsp(sslOcspEnabled); - sslContextBuilder.protocols(getEnabledProtocols(config)); + String[] enabledProtocols = getEnabledProtocols(config); + if (enabledProtocols != null) { + sslContextBuilder.protocols(enabledProtocols); + } String[] cipherSuites = getCipherSuites(config); if (cipherSuites != null) { sslContextBuilder.ciphers(Arrays.asList(cipherSuites)); 
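Review bot: The new guard silently switches to the SSL provider's default protocol list whenever neither TLS_ENABLED_PROTOCOLS nor TLS_CONFIG_PROTOCOL is set, and that list is no longer something HBase pins: for the JDK provider it is governed by `jdk.tls.disabledAlgorithms` in the JRE's java.security, and with TLS_USE_OPENSSL it is whatever the bundled netty-tcnative build enables. A comment on the guard would make this explicit, e.g. `// null: nothing configured, keep the provider default (JRE jdk.tls.disabledAlgorithms / tcnative build)`, and the description of the enabled-protocols property should say the same so operators know that hardening java.security now directly shapes HBase's TLS posture. The identical guard appears again in the next hunk (@@ -276); both copies could call one small helper that applies protocols and cipher suites to the builder. The enclosing builder methods start and end outside the hunk.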
@@ -276,7 +278,10 @@ public final class X509Util { } sslContextBuilder.enableOcsp(sslOcspEnabled); - sslContextBuilder.protocols(getEnabledProtocols(config)); + String[] enabledProtocols = getEnabledProtocols(config); + if (enabledProtocols != null) { + sslContextBuilder.protocols(enabledProtocols); + } String[] cipherSuites = getCipherSuites(config); if (cipherSuites != null) { sslContextBuilder.ciphers(Arrays.asList(cipherSuites)); @@ -391,9 +396,13 @@ public final class X509Util { private static String[] getEnabledProtocols(Configuration config) { String enabledProtocolsInput = config.get(TLS_ENABLED_PROTOCOLS); if (enabledProtocolsInput == null) { - return new String[] { config.get(TLS_CONFIG_PROTOCOL, DEFAULT_PROTOCOL) }; + enabledProtocolsInput = config.get(TLS_CONFIG_PROTOCOL); + } + if (enabledProtocolsInput != null) { + return enabledProtocolsInput.split(","); + } else { + return null; } - return enabledProtocolsInput.split(","); } private static String[] getCipherSuites(Configuration config) { diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java index 7f8d7c82b89..bc70b844e05 100644 --- a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java +++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java 
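Review bot: `enabledProtocolsInput.split(",")` hands untrimmed and possibly empty tokens to the builder, so a value such as `TLSv1.2, TLSv1.3` or a blank property yields `" TLSv1.3"` or `""`, which the engine is likely to reject only when it is created rather than when the configuration is read; with this change the single-value TLS_CONFIG_PROTOCOL now also goes through the split, so the same applies to it. Trimming, dropping empty tokens and treating an all-blank value as "not configured" (null, i.e. provider default) would fail closer to the misconfiguration and keep the fallback semantics consistent with the new null contract. The trailing `if (...) { return ...; } else { return null; }` can be a single early return, and the method still has no Javadoc: a short one stating the precedence (TLS_ENABLED_PROTOCOLS, then TLS_CONFIG_PROTOCOL) and that a null return means "leave the provider default in place" would document the contract this commit introduces.
```java
  private static String[] getEnabledProtocols(Configuration config) {
    // … unchanged: TLS_ENABLED_PROTOCOLS lookup with TLS_CONFIG_PROTOCOL fallback …
    if (enabledProtocolsInput == null) {
      return null; // nothing configured: caller keeps the provider default
    }
    // tolerate "TLSv1.2, TLSv1.3"; an untrimmed or empty name would be rejected by the engine
    String[] protocols = Arrays.stream(enabledProtocolsInput.split(","))
      .map(String::trim)
      .filter(s -> !s.isEmpty())
      .toArray(String[]::new);
    return protocols.length == 0 ? null : protocols;
  }
```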
@@ -96,7 +96,16 @@ public class TestX509Util extends AbstractTestX509Parameterized {
   public void testCreateSSLContextWithoutCustomProtocol() throws Exception {
     SslContext sslContext = X509Util.createSslContextForClient(conf);
     ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
-    assertArrayEquals(new String[] { X509Util.DEFAULT_PROTOCOL },
+    assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" },
+      sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
+  }
+
+  @Test
+  public void testCreateTcNativeSSLContextWithoutCustomProtocol() throws Exception {
+    conf.set(X509Util.TLS_USE_OPENSSL, "true");
+    SslContext sslContext = X509Util.createSslContextForClient(conf);
+    ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
+    assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" },
       sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
   }
 
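Review bot: Both tests pin the exact array `{ "TLSv1.3", "TLSv1.2" }`, which is the current JDK default and what netty-tcnative enables today, but that is a property of the test environment rather than of HBase: a JRE whose java.security disables TLSv1.3 or re-enables TLSv1.1, or a tcnative linked against a differently configured OpenSSL, changes the list and its order. The property worth asserting is the security one, that TLSv1.2 and TLSv1.3 are enabled and TLSv1/TLSv1.1 are not, e.g. `List<String> protocols = Arrays.asList(sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());` followed by `assertTrue(protocols.containsAll(List.of("TLSv1.3", "TLSv1.2")));` and `assertFalse(protocols.contains("TLSv1.1"));`; for the JDK case it could additionally be compared with `SSLContext.getDefault().createSSLEngine().getEnabledProtocols()`. The tcnative test should also skip when the native library is absent, e.g. `assumeTrue(OpenSsl.isAvailable());`, so it does not fail on builds without it. The two methods are identical apart from the TLS_USE_OPENSSL line and could share a private assertion helper.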