Re: [PR] [CELEBORN-1351] Introduce SSLFactory and enable TLS support [celeborn]

Tue, 02 Apr 2024 09:59:12 -0700 


mridulm commented on code in PR #2438:
URL: https://github.com/apache/celeborn/pull/2438#discussion_r1548249729


##########
common/src/main/java/org/apache/celeborn/common/network/TransportContext.java:
##########
@@ -135,31 +146,53 @@ public TransportServer createServer() {
     return createServer(null, 0, Collections.emptyList());
   }
 
+  public boolean sslEncryptionEnabled() {
+    return this.sslFactory != null;
+  }
+
   public TransportChannelHandler initializePipeline(
-      SocketChannel channel, ChannelInboundHandlerAdapter decoder) {
-    return initializePipeline(channel, decoder, msgHandler);
+      SocketChannel channel, ChannelInboundHandlerAdapter decoder, boolean 
isClient) {
+    return initializePipeline(channel, decoder, msgHandler, isClient);
   }
 
   public TransportChannelHandler initializePipeline(
-      SocketChannel channel, BaseMessageHandler resolvedMsgHandler) {
-    return initializePipeline(channel, new TransportFrameDecoder(), 
resolvedMsgHandler);
+      SocketChannel channel, BaseMessageHandler resolvedMsgHandler, boolean 
isClient) {
+    return initializePipeline(channel, new TransportFrameDecoder(), 
resolvedMsgHandler, isClient);
   }
 
   public TransportChannelHandler initializePipeline(
       SocketChannel channel,
       ChannelInboundHandlerAdapter decoder,
-      BaseMessageHandler resolvedMsgHandler) {
+      BaseMessageHandler resolvedMsgHandler,
+      boolean isClient) {
     try {
       ChannelPipeline pipeline = channel.pipeline();
       if (nettyLogger.getLoggingHandler() != null) {
         pipeline.addLast("loggingHandler", nettyLogger.getLoggingHandler());
       }
+      if (sslEncryptionEnabled()) {
+        if (!isClient && !sslFactory.hasKeyManagers()) {

Review Comment:
   If I understood your query - for non client connections, we need a private 
key in order for SSL encryption.
   A client connection can also optionally provide a certificate, but it is not 
required.
   In other words, at client side, keys are not required (will use server cert 
provided as part of the handshake) - but for server, keys are mandatory and is 
used for encryption/decryption - until a session key is negotiated.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to