(hbase) branch branch-3 updated: HBASE-30212 Netty should allow every supported TLS ciphers by default

Tue, 09 Jun 2026 04:22:06 -0700 

This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/branch-3 by this push:
     new 8695d15993d HBASE-30212 Netty should allow every supported TLS ciphers 
by default
8695d15993d is described below

commit 8695d15993dde53300c714de054c3e4d2bd809b2
Author: Balazs Meszaros <[email protected]>
AuthorDate: Tue Jun 9 10:47:46 2026 +0200

    HBASE-30212 Netty should allow every supported TLS ciphers by default
    
    Netty will allow to use every supported cipher at the client side by
    default, so clients can use the widest range of ciphers.
---
 .../java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index b06d4aa0d32..d6be0eed844 100644
--- 
a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++ 
b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -47,6 +47,7 @@ import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import 
org.apache.hbase.thirdparty.io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OpenSsl;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
@@ -210,7 +211,14 @@ public final class X509Util {
       sslContextBuilder.protocols(enabledProtocols);
     }
     String[] cipherSuites = getCipherSuites(config);
-    if (cipherSuites != null) {
+    if (cipherSuites == null) {
+      /*
+       * if cipher list is not explicitly defined, we use the most inclusive 
cipher list at the
+       * client side
+       */
+      sslContextBuilder.ciphers(null,
+        IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS);
+    } else {
       sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
     }

Reply via email to