[ 
https://issues.apache.org/jira/browse/DRILL-7625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17052126#comment-17052126
 ] 

ASF GitHub Bot commented on DRILL-7625:
---------------------------------------

vvysotskyi commented on pull request #2012: DRILL-7625: Add options for 
SslContextFactory
URL: https://github.com/apache/drill/pull/2012#discussion_r388274269
 
 

 ##########
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/ssl/SslContextFactoryConfigurator.java
 ##########
 @@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.server.rest.ssl;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.ssl.SSLConfig;
+import org.apache.drill.exec.ssl.SSLConfigBuilder;
+import org.bouncycastle.asn1.x500.X500NameBuilder;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.joda.time.DateTime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.List;
+import java.util.function.Consumer;
+import java.util.function.Function;
+
+public class SslContextFactoryConfigurator {
+  private static final Logger logger = 
LoggerFactory.getLogger(SslContextFactoryConfigurator.class);
+
+  private final DrillConfig config;
+  private final String drillbitEndpointAddress;
+
+  public SslContextFactoryConfigurator(DrillConfig config, String 
drillbitEndpointAddress) {
+    this.config = config;
+    this.drillbitEndpointAddress = drillbitEndpointAddress;
+  }
+
+  public SslContextFactory configureNewSslContextFactory() throws Exception {
+    SSLConfig sslConf = new SSLConfigBuilder()
+        .config(config).mode(SSLConfig.Mode.SERVER)
+        .initializeSSLContext(false).validateKeyStore(true)
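Review bot: `configureNewSslContextFactory()` at the end of the hunk is declared `throws Exception`, which hides from the HTTP-server startup code which failures it should expect and forces callers into a broad catch; the imports suggest the body works with `KeyStore`, `KeyPairGenerator` and BouncyCastle signing, so narrowing the clause to the concrete checked types (for example `throws GeneralSecurityException, IOException`, adjusted to what the body really throws) or wrapping them in one domain exception with the cause preserved would make the failure contract explicit. The method body continues past the hunk, so the exact list can only be confirmed there. A second point concerns the `RandomStringUtils` import: if it is used to derive the password of the generated keystore, its default `random*` overloads are backed by `java.util.Random` rather than `SecureRandom`; since `SecureRandom` is already imported, deriving that secret from it (the `RandomStringUtils.random(...)` overload that accepts a `Random` can be given a `SecureRandom` instance) avoids a predictable keystore password — presumably this is where the import is used, please verify against the body.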
 
 Review comment:
   ```suggestion
           .config(config)
           .mode(SSLConfig.Mode.SERVER)
           .initializeSSLContext(false)
           .validateKeyStore(true)
   ```
 


> Add options for SslContextFactory
> ---------------------------------
>
>                 Key: DRILL-7625
>                 URL: https://issues.apache.org/jira/browse/DRILL-7625
>             Project: Apache Drill
>          Issue Type: Sub-task
>    Affects Versions: 1.18.0
>            Reporter: Igor Guzenko
>            Assignee: Igor Guzenko
>            Priority: Major
>             Fix For: 1.18.0
>
>
> Purpose of the ticket is to add the following options for Jetty's SSL context 
> factory under
> common options path *drill.exec.http.jetty.server.sslContextFactory*
>  
> {code:none}
>     jetty: {
>       server: {
>         # Optional params to set on Jetty's 
> org.eclipse.jetty.util.ssl.SslContextFactory 
>         # when drill.exec.http.ssl_enabled
>         sslContextFactory: {
>           # allows to specify cert to use when multiple non-SNI certificates 
> are available.
>           certAlias: "certAlias",
>           
>           # path to file that contains Certificate Revocation List
>           crlPath: "/etc/file.crl",
>  
>           # enable Certificate Revocation List Distribution Points Support
>           enableCRLDP: false,
>           # enable On-Line Certificate Status Protocol support
>           enableOCSP: false,
>           # when set to "HTTPS" hostname verification will be enabled
>           endpointIdentificationAlgorithm: "HTTPS",
>           # accepts exact cipher suite names and/or regular expressions.
>           excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
>           # list of TLS/SSL protocols to exclude
>           excludeProtocols: ["TLSv1.1"],
>           # accepts exact cipher suite names and/or regular expressions.
>           includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 
> "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
>           # list of TLS/SSL protocols to include
>           includeProtocols: ["TLSv1.2", "TLSv1.3"],
>           # the algorithm name (default "SunX509") used by 
>           # the javax.net.ssl.KeyManagerFactory
>           keyManagerFactoryAlgorithm: "SunX509",
>           # classname of custom java.security.Provider implementation
>           keyStoreProvider: "fully.qualified.class.Name",
>           # type of key store (default "JKS")
>           keyStoreType: "JKS",
>           # max number of intermediate certificates in certificate chain
>           maxCertPathLength: -1,
>           # set true if ssl needs client authentication
>           needClientAuth: false,
>           # location of the OCSP Responder
>           ocspResponderURL: "",
>           # javax.net.ssl.SSLContext provider class name
>           provider: "fully.qualified.class.Name",
>           # whether TLS renegotiation is allowed
>           renegotiationAllowed: false,
>           # number of renegotiations allowed for this connection (-1 for 
> unlimited, default 5) .
>           renegotiationLimit: 5,
>           # algorithm name for java.security.SecurityRandom instances.
>            secureRandomAlgorithm: "NativePRNG",
>    
>           # set the flag to enable SSL Session caching
>           sessionCachingEnabled: false,
>    
>           # set if you want to bound session cache size
>           sslSessionCacheSize: -1,
>    
>          # session timeout in seconds.
>           sslSessionTimeout: -1,
>   
>         # the algorithm name (default "SunX509") used 
>         # by the javax.net.ssl.TrustManagerFactory
>           trustManagerFactoryAlgorithm: "SunX509",
>           # provider of the trust store
>           trustStoreProvider: "fully.qualified.class.Name",
>           # type of the trust store (default "JKS")
>           trustStoreType: "JKS",
>           # sets whether the local cipher suites preference should be honored.
>           useCipherSuiteOrder: false,
>           # true if SSL certificates have to be validated
>           validateCerts: false,
>           # true if SSL certificates of the peer have to be validated
>           validatePeerCerts: false,
>           # true if SSL wants client authentication.
>           wantClientAuth: false
>         }
>       }
>     }
> {code}


