Lev C created DRILL-8447:
----------------------------

             Summary: Jetty TLS support broken for server certificate with multiple SANs
                 Key: DRILL-8447
                 URL: https://issues.apache.org/jira/browse/DRILL-8447
             Project: Apache Drill
          Issue Type: Bug
          Components: Server, Web Server
    Affects Versions: 1.21.1
            Reporter: Lev C
The update of the Jetty dependency to version 9.4 (DRILL-7135) has led to Drill no longer supporting a TLS server certificate with multiple Subject Alternative Name (SAN) values. If you try to use a keystore containing a single cert with multiple SANs, you get the following error on startup of the Drillbit:

{code:java}
[main] ERROR o.apache.drill.exec.server.Drillbit - Failure during initial startup of Drillbit.
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
{code}

It appears that Jetty version 9.4 has deprecated the org.eclipse.jetty.util.ssl.SslContextFactory class, and Drill should now use the org.eclipse.jetty.util.ssl.SslContextFactory.Server class instead.

I was unable to find a Drill configuration file to change which class is used (e.g. an instance of jetty-ssl.xml), and it looks like the specific SslContextFactory class is hardcoded in org.apache.drill.exec.server.rest.ssl.SslContextFactoryConfigurator:

{code:java}
  public SslContextFactory configureNewSslContextFactory() throws Exception {
    SSLConfig sslConf = new SSLConfigBuilder()
        .config(config)
        .mode(SSLConfig.Mode.SERVER)
        .initializeSSLContext(false)
        .validateKeyStore(true)
        .build();
    // The deprecated base class is instantiated here rather than SslContextFactory.Server
    final SslContextFactory sslContextFactory = new SslContextFactory();
    if (sslConf.isSslValid()) {
      useOptionsConfiguredByUser(sslContextFactory, sslConf);
    } else {
      useAutoGeneratedSelfSignedCertificate(sslContextFactory);
    }
    return sslContextFactory;
  }
{code}

Relevant links for other products affected by the same issue:

https://issues.apache.org/jira/browse/NIFI-7730
[https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certificates-are-not-supported/1489]
[https://community.microfocus.com/adtd/sws-qc/f/itrc-895/513861/java-lang-illegalstateexception-keystores-with-multiple-certificates-are-not-supported-on-the-base-class-org-eclipse-jetty-util-ssl-sslcontextfactory]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
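The change the report points at, shown as an added stand-alone example (this is neither Drill's code nor the reporter's): a Jetty 9.4 HTTPS connector built on org.eclipse.jetty.util.ssl.SslContextFactory.Server instead of the deprecated base class, so a keystore whose certificate carries SAN entries is accepted. The keystore path, passwords, listening port and the restriction to TLS 1.2/1.3 are assumptions chosen for the example, not Drill settings.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Minimal Jetty 9.4 HTTPS server using SslContextFactory.Server.
 * Added example; not part of the Drill code base or this issue.
 */
public class MultiSanTlsExample {

    // Assumed values for illustration only; point these at your own keystore.
    static final String KEYSTORE_PATH = "/etc/drill/conf/drill.jks";
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String KEY_PASSWORD = "changeit";
    static final int HTTPS_PORT = 8047; // assumed port for the example

    /**
     * Builds the server-side SSL context factory. The Server subclass is what
     * installs the SNI-aware key manager that Jetty requires once the keystore
     * certificate carries SAN host names; the base class refuses that case with
     * the IllegalStateException quoted in the report.
     */
    static SslContextFactory.Server buildServerSslContextFactory() {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(KEYSTORE_PATH);
        ssl.setKeyStorePassword(KEYSTORE_PASSWORD);
        ssl.setKeyManagerPassword(KEY_PASSWORD);
        // Independent hardening: only allow modern protocol versions.
        ssl.setIncludeProtocols("TLSv1.2", "TLSv1.3");
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Mark requests on this connector as secure so Jetty reports scheme=https.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // TLS is negotiated first, then HTTP/1.1 runs inside it.
        ServerConnector https = new ServerConnector(
            server,
            new SslConnectionFactory(buildServerSslContextFactory(), HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(HTTPS_PORT);

        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

Because SslContextFactory.Server extends SslContextFactory, a caller that only passes the object on (as the Drill method quoted above does with useOptionsConfiguredByUser) needs nothing more than the changed constructor call; the return type can stay as the base type or be narrowed to the subclass.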