[
https://issues.apache.org/jira/browse/DRILL-7625?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vova Vysotskyi updated DRILL-7625:
----------------------------------
Labels: ready-to-commit (was: )
> Add options for SslContextFactory
> ---------------------------------
>
> Key: DRILL-7625
> URL: https://issues.apache.org/jira/browse/DRILL-7625
> Project: Apache Drill
> Issue Type: Sub-task
> Affects Versions: 1.18.0
> Reporter: Igor Guzenko
> Assignee: Igor Guzenko
> Priority: Major
> Labels: ready-to-commit
> Fix For: 1.18.0
>
>
> The purpose of this ticket is to add the following options for Jetty's SSL
> context factory under the
> common options path *drill.exec.http.jetty.server.sslContextFactory*
>
> {code:none}
> jetty: {
> server: {
> # Optional params to set on Jetty's
> org.eclipse.jetty.util.ssl.SslContextFactory
> # when drill.exec.http.ssl_enabled is true
> sslContextFactory: {
> # allows specifying the certificate to use when multiple non-SNI
> certificates are available.
> certAlias: "certAlias",
>
> # path to file that contains Certificate Revocation List
> crlPath: "/etc/file.crl",
>
> # enable Certificate Revocation List Distribution Points Support
> enableCRLDP: false,
> # enable On-Line Certificate Status Protocol support
> enableOCSP: false,
> # when set to "HTTPS" hostname verification will be enabled
> endpointIdentificationAlgorithm: "HTTPS",
> # accepts exact cipher suite names and/or regular expressions.
> excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
> # list of TLS/SSL protocols to exclude
> excludeProtocols: ["TLSv1.1"],
> # accepts exact cipher suite names and/or regular expressions.
> includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
> "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
> # list of TLS/SSL protocols to include
> includeProtocols: ["TLSv1.2", "TLSv1.3"],
> # the algorithm name (default "SunX509") used by
> # the javax.net.ssl.KeyManagerFactory
> keyManagerFactoryAlgorithm: "SunX509",
> # classname of custom java.security.Provider implementation
> keyStoreProvider: "fully.qualified.class.Name",
> # type of key store (default "JKS")
> keyStoreType: "JKS",
> # max number of intermediate certificates in the certificate chain
> maxCertPathLength: -1,
> # set true if ssl needs client authentication
> needClientAuth: false,
> # location of the OCSP Responder
> ocspResponderURL: "",
> # javax.net.ssl.SSLContext provider class name
> provider: "fully.qualified.class.Name",
> # whether TLS renegotiation is allowed
> renegotiationAllowed: false,
> # number of renegotiations allowed for this connection (-1 for
> unlimited, default 5).
> renegotiationLimit: 5,
> # algorithm name for java.security.SecureRandom instances.
> secureRandomAlgorithm: "NativePRNG",
>
> # set the flag to enable SSL Session caching
> sessionCachingEnabled: false,
>
> # set to bound the session cache size
> sslSessionCacheSize: -1,
>
> # session timeout in seconds.
> sslSessionTimeout: -1,
>
> # the algorithm name (default "SunX509") used
> # by the javax.net.ssl.TrustManagerFactory
> trustManagerFactoryAlgorithm: "SunX509",
> # provider of the trust store
> trustStoreProvider: "fully.qualified.class.Name",
> # type of the trust store (default "JKS")
> trustStoreType: "JKS",
> # sets whether the local cipher suites preference should be honored.
> useCipherSuiteOrder: false,
> # true if SSL certificates have to be validated
> validateCerts: false,
> # true if SSL certificates of the peer have to be validated
> validatePeerCerts: false,
> # true if SSL wants client authentication.
> wantClientAuth: false
> }
> }
> }
> {code}