This is an automated email from the ASF dual-hosted git repository.

meszibalu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new aba87bcbdca HBASE-30212 Netty should allow every supported TLS ciphers 
by default (#8326)
aba87bcbdca is described below

commit aba87bcbdcabbfd2aef65151e7403abd8bac3d44
Author: Balazs Meszaros <[email protected]>
AuthorDate: Tue Jun 9 13:19:18 2026 +0200

    HBASE-30212 Netty should allow every supported TLS ciphers by default 
(#8326)
    
    Netty will allow every supported cipher on the client side by
    default, so clients can use the widest range of ciphers.
    
    Signed-off-by: Dávid Paksy <[email protected]>
    Signed-off-by: Peter Somogyi <[email protected]>
---
 .../java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index b06d4aa0d32..d6be0eed844 100644
--- 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++ 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -47,6 +47,7 @@ import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import 
org.apache.hbase.thirdparty.io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OpenSsl;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
@@ -210,7 +211,14 @@ public final class X509Util {
       sslContextBuilder.protocols(enabledProtocols);
     }
     String[] cipherSuites = getCipherSuites(config);
-    if (cipherSuites != null) {
+    if (cipherSuites == null) {
+      /*
+       * if cipher list is not explicitly defined, we use the most inclusive 
cipher list at the
+       * client side
+       */
+      sslContextBuilder.ciphers(null,
+        IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS);
+    } else {
       sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
     }
 
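Review bot: With no cipher list configured, the new `cipherSuites == null` branch stops using Netty's default suite selection and offers every suite the TLS provider reports as supported, which can include weaker or legacy suites that are deliberately left off by default. Nothing on the client narrows that set any more, so the negotiated suite depends on what the peer accepts and on provider-level policy. The in-code comment should say so, for example `// No explicit list: offer all provider-supported suites (wider than Netty's defaults); configure a cipher list to restrict`, and a debug log line in this branch would show operators which mode is active. The comment says this applies at the client side, but the enclosing method starts outside the hunk, so it is worth confirming the server context does not share this path. The diffstat shows no test change; a test that an explicitly configured list still takes precedence over the inclusive default would pin the `else` branch.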
