Lev C created DRILL-8447:
----------------------------
Summary: Jetty TLS support broken for server certificate with
multiple SANs
Key: DRILL-8447
URL: https://issues.apache.org/jira/browse/DRILL-8447
Project: Apache Drill
Issue Type: Bug
Components: Server, Web Server
Affects Versions: 1.21.1
Reporter: Lev C
The update of the Jetty dependency to version 9.4 (DRILL-7135) has led to Drill no
longer supporting a TLS server certificate with multiple Subject Alternative Name
(SAN) values.
If you try to use a keystore containing a single cert with multiple SANs, you
get the following error on startup of the Drillbit:
{code}
[main] ERROR o.apache.drill.exec.server.Drillbit - Failure during initial
startup of Drillbit.
java.lang.IllegalStateException: KeyStores with multiple certificates are not
supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use
org.eclipse.jetty.util.ssl.SslContextFactory$Server or
org.eclipse.jetty.util.ssl.SslContextFactory$Client instead){code}
It appears that Jetty version 9.4 has deprecated the
org.eclipse.jetty.util.ssl.SslContextFactory class, and Drill should now use
the org.eclipse.jetty.util.ssl.SslContextFactory.Server class instead.
I was unable to find a Drill configuration file to change which class is used
(e.g. an instance of jetty-ssl.xml), and it looks like the specific
SslContextFactory class is hardcoded in
org.apache.drill.exec.server.rest.ssl.SslContextFactoryConfigurator:
{code:java}
public SslContextFactory configureNewSslContextFactory() throws Exception {
  SSLConfig sslConf = new SSLConfigBuilder()
      .config(config)
      .mode(SSLConfig.Mode.SERVER)
      .initializeSSLContext(false)
      .validateKeyStore(true)
      .build();
  // Base class is instantiated here; Jetty 9.4 rejects multi-certificate
  // keystores unless SslContextFactory.Server (or .Client) is used.
  final SslContextFactory sslContextFactory = new SslContextFactory();
  if (sslConf.isSslValid()) {
    useOptionsConfiguredByUser(sslContextFactory, sslConf);
  } else {
    useAutoGeneratedSelfSignedCertificate(sslContextFactory);
  }
  return sslContextFactory;
}{code}
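For reference, here is an added example (my own code, not Drill's or Jetty's) of the change the error message asks for: the factory is built as org.eclipse.jetty.util.ssl.SslContextFactory.Server instead of the deprecated base class, and the keystore's certificate SAN entries are listed so an operator can confirm the multi-SAN certificate is the one actually loaded. It assumes jetty-util 9.4.x on the classpath; the method names newServerSslContextFactory and listSubjectAltNames are mine, and keystore settings are taken from the command line rather than from Drill's SSLConfig.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added example (not Apache Drill project code): builds the server-side
 * SslContextFactory that Jetty 9.4 requires for keystores holding more than
 * one certificate, and lists the SAN values found in the keystore.
 */
public class MultiSanServerSslExample {

  // GeneralName tag numbers from RFC 5280, as returned in the first element
  // of each list from X509Certificate.getSubjectAlternativeNames().
  private static final int SAN_DNS_NAME = 2;
  private static final int SAN_IP_ADDRESS = 7;

  /**
   * Counterpart of Drill's configureNewSslContextFactory() with the single
   * change the report calls for: instantiate SslContextFactory.Server.
   * Assumption: keystore settings are passed in directly here instead of
   * being read from Drill's SSLConfig.
   */
  public static SslContextFactory.Server newServerSslContextFactory(
      String keyStorePath, String keyStorePassword, String keyPassword) {
    SslContextFactory.Server factory = new SslContextFactory.Server();
    factory.setKeyStorePath(keyStorePath);
    factory.setKeyStorePassword(keyStorePassword);
    // Password protecting the private key entry (often equal to the keystore password).
    factory.setKeyManagerPassword(keyPassword);
    // Restrict the server to current TLS versions.
    factory.setIncludeProtocols("TLSv1.2", "TLSv1.3");
    return factory;
  }

  /**
   * Returns "alias: value" for every dNSName and iPAddress SAN entry of each
   * X.509 certificate in the keystore, so the operator can check what the
   * Drillbit will present.
   */
  public static List<String> listSubjectAltNames(String keyStorePath, String keyStorePassword)
      throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream(keyStorePath)) {
      ks.load(in, keyStorePassword.toCharArray());
    }
    List<String> names = new ArrayList<>();
    for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
      String alias = aliases.nextElement();
      Certificate cert = ks.getCertificate(alias);
      if (!(cert instanceof X509Certificate)) {
        continue;
      }
      Collection<List<?>> sans = ((X509Certificate) cert).getSubjectAlternativeNames();
      if (sans == null) {
        continue; // certificate carries no SAN extension at all
      }
      for (List<?> san : sans) {
        int type = (Integer) san.get(0);
        if (type == SAN_DNS_NAME || type == SAN_IP_ADDRESS) {
          names.add(alias + ": " + san.get(1));
        }
      }
    }
    return names;
  }

  public static void main(String[] args) throws Exception {
    if (args.length < 2) {
      System.err.println("usage: MultiSanServerSslExample <keystore> <storepass> [keypass]");
      System.exit(2);
    }
    String keyPassword = args.length > 2 ? args[2] : args[1];
    for (String san : listSubjectAltNames(args[0], args[1])) {
      System.out.println("SAN " + san);
    }
    SslContextFactory.Server factory = newServerSslContextFactory(args[0], args[1], keyPassword);
    factory.start(); // fails fast here if Jetty cannot load the keystore
    System.out.println("Server SslContextFactory started, protocols: "
        + String.join(",", factory.getSelectedProtocols()));
    factory.stop();
  }
}
```

Running it against the keystore from the report prints one line per SAN and then starts the factory; with the base class in place of SslContextFactory.Server, start() is where the IllegalStateException quoted above is raised.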
Relevant links for other products affected by the same issue:
https://issues.apache.org/jira/browse/NIFI-7730
[https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certificates-are-not-supported/1489]
[https://community.microfocus.com/adtd/sws-qc/f/itrc-895/513861/java-lang-illegalstateexception-keystores-with-multiple-certificates-are-not-supported-on-the-base-class-org-eclipse-jetty-util-ssl-sslcontextfactory]