Igor Guzenko created DRILL-7625:
-----------------------------------
Summary: Add options for SslContextFactory
Key: DRILL-7625
URL: https://issues.apache.org/jira/browse/DRILL-7625
Project: Apache Drill
Issue Type: Sub-task
Affects Versions: 1.18.0
Reporter: Igor Guzenko
Assignee: Igor Guzenko
The purpose of this ticket is to add the following options for Jetty's SSL context factory
under the common options path *drill.exec.http.jetty.server.sslContextFactory*:
{code:none}
jetty: {
server: {
# Optional params to set on Jetty's org.eclipse.jetty.util.ssl.SslContextFactory
# when drill.exec.http.ssl_enabled is true. The values below are illustrative
# placeholders, not recommended production settings.
sslContextFactory: {
# Alias of the certificate to use when the key store holds multiple
# non-SNI certificates.
certAlias: "certAlias",
# Path to a file containing a Certificate Revocation List (CRL).
crlPath: "/etc/file.crl",
# Enable Certificate Revocation List Distribution Points (CRLDP) support.
enableCRLDP: false,
# Enable Online Certificate Status Protocol (OCSP) support.
enableOCSP: false,
# When set to "HTTPS", hostname verification is enabled.
endpointIdentificationAlgorithm: "HTTPS",
# Cipher suites to exclude; accepts exact names and/or regular expressions.
excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
# List of TLS/SSL protocols to exclude.
excludeProtocols: ["TLSv1.1"],
# Cipher suites to include; accepts exact names and/or regular expressions.
# NOTE(review): the EXPORT/DES40 suites listed here are example values only;
# they are obsolete export-grade ciphers and should not be enabled in a real deployment.
includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
# List of TLS/SSL protocols to include.
includeProtocols: ["TLSv1.2", "TLSv1.3"],
# Algorithm name (default "SunX509") used by the javax.net.ssl.KeyManagerFactory.
keyManagerFactoryAlgorithm: "SunX509",
# Provider of the key store.
# NOTE(review): described here as a java.security.Provider class name; confirm
# whether Jetty expects the provider's registered JCA name instead.
keyStoreProvider: "fully.qualified.class.Name",
# Type of the key store (default "JKS").
keyStoreType: "JKS",
# Maximum number of intermediate certificates in the certificate chain.
maxCertPathLength: -1,
# Set to true if SSL requires client authentication (mutual TLS).
needClientAuth: false,
# Location (URL) of the OCSP responder.
ocspResponderURL: "",
# javax.net.ssl.SSLContext provider.
# NOTE(review): given as a class name; confirm whether Jetty expects a provider name.
provider: "fully.qualified.class.Name",
# Whether TLS renegotiation is allowed.
renegotiationAllowed: false,
# Number of renegotiations allowed for this connection (-1 for unlimited, default 5).
renegotiationLimit: 5,
# Algorithm name for java.security.SecureRandom instances.
secureRandomAlgorithm: "NativePRNG",
# Set to true to enable SSL session caching.
sessionCachingEnabled: false,
# Set to bound the SSL session cache size.
sslSessionCacheSize: -1,
# SSL session timeout in seconds.
sslSessionTimeout: -1,
# Algorithm name (default "SunX509") used by the javax.net.ssl.TrustManagerFactory.
trustManagerFactoryAlgorithm: "SunX509",
# Provider of the trust store.
trustStoreProvider: "fully.qualified.class.Name",
# Type of the trust store (default "JKS").
trustStoreType: "JKS",
# Whether the local (server-side) cipher suite preference order should be honored.
useCipherSuiteOrder: false,
# True if SSL certificates have to be validated.
validateCerts: false,
# True if SSL certificates of the peer have to be validated.
validatePeerCerts: false,
# True if SSL wants (but does not require) client authentication.
wantClientAuth: false
}
}
}
{code}