[ https://issues.apache.org/jira/browse/HBASE-28008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756030#comment-17756030 ]

Bryan Beaudreault commented on HBASE-28008:
-------------------------------------------

[~zhangduo] any thoughts on how to add tcnative to hbase-thirdparty? tcnative 
is a mixture of native libs and java classes. We need to shade the java classes 
and rename the library so files.

There are two common options: statically linked using boringssl and dynamically 
linked using openssl (which requires the libs to be in place on the server 
separately).

In my environment I had trouble using OpenSSL because of version conflicts with 
what version tcnative expects and what my OS provides. So I'm using BoringSSL, 
and thinking of adding a new hbase-shaded-netty-tcnative in hbase-thirdparty, 
which has the following:
{code:xml}
<dependencies>
  <dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>${tcnative.version}</version>
    <classifier>linux-x86_64</classifier>
  </dependency>
  <dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>${tcnative.version}</version>
    <classifier>linux-aarch_64</classifier>
  </dependency>
</dependencies>
{code}
This will be easy for anyone to use if they are on our usually supported 
architectures, but it requires using boringssl. I'm not sure if we need to 
provide an option for OpenSSL, and if so how? Two modules? 
hbase-shaded-netty-tcnative-boringssl and -openssl?

Any opinions?

> Add support for tcnative
> ------------------------
>
>                 Key: HBASE-28008
>                 URL: https://issues.apache.org/jira/browse/HBASE-28008
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Bryan Beaudreault
>            Priority: Major
>              Labels: tls
>
> In investigating HBASE-27947, tcnative can make a big impact on throughput 
> over built-in JDK SSL support. We need three things to make it work:
>  # In X509Util, if OpenSsl.isAvailable() (meaning tcnative is on the 
> classpath):
>  ## Use SslProvider.OPENSSL_REFCNT
>  ## Update default ciphers to remove CBC ciphers, which do not work with 
> tcnative. We can either pull the ciphers from 
> OpenSsl.availableJavaCipherSuites() or simply use the default GCM ciphers we 
> already have defined.
>  # Our netty is shaded, so one can't simply put the tcnative jar on the 
> classpath. We might need to provide an hbase-shaded-netty-tcnative module 
> which one can optionally include in their deployment. We will have to decide 
> which of the many tcnative modules to provide a shaded version for.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
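
The provider and cipher selection described in the issue, as an added example that is not HBase's X509Util or any code from this thread. It assumes unshaded `io.netty` imports (HBase itself uses its relocated netty packages); the class name, method names and the sample cipher list are hypothetical.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;

// Hypothetical helper for illustration only.
public final class TlsProviderSelection {
  // Constructed sample default list: two GCM suites and one CBC suite.
  static final List<String> SAMPLE_DEFAULT_CIPHERS = Arrays.asList(
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

  // Use tcnative only when its classes and native library actually loaded.
  static SslProvider chooseProvider() {
    return OpenSsl.isAvailable() ? SslProvider.OPENSSL_REFCNT : SslProvider.JDK;
  }

  // For tcnative: drop CBC suites and anything the native library does not offer.
  static List<String> ciphersFor(SslProvider provider, List<String> configured) {
    if (provider == SslProvider.JDK) {
      return configured;
    }
    List<String> usable = new ArrayList<>();
    for (String suite : configured) {
      if (!suite.contains("_CBC_") && OpenSsl.availableJavaCipherSuites().contains(suite)) {
        usable.add(suite);
      }
    }
    if (usable.isEmpty()) { // fail closed instead of falling back to library defaults
      throw new IllegalStateException("no configured cipher suite is usable with tcnative");
    }
    return usable;
  }

  // OPENSSL_REFCNT contexts are reference counted; the caller must release() them.
  static SslContext clientContext() throws SSLException {
    SslProvider provider = chooseProvider();
    return SslContextBuilder.forClient().sslProvider(provider)
      .ciphers(ciphersFor(provider, SAMPLE_DEFAULT_CIPHERS)).build();
  }

  public static void main(String[] args) {
    SslProvider provider = chooseProvider();
    System.out.println(provider + " " + ciphersFor(provider, SAMPLE_DEFAULT_CIPHERS));
  }
}
```

When tcnative fails to load, `OpenSsl.unavailabilityCause()` returns the reason, which is worth logging before falling back to the JDK provider.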
