Haonan Hou created RATIS-2537:
---------------------------------

             Summary: Support configurable gRPC TLS provider and cipher suites
                 Key: RATIS-2537
                 URL: https://issues.apache.org/jira/browse/RATIS-2537
             Project: Ratis
          Issue Type: Improvement
    Affects Versions: 3.2.2
            Reporter: Haonan Hou


*Description*

Ratis gRPC TLS currently does not allow users to configure the underlying TLS 
provider or cipher suites.

In Ratis 3.2.2, server-side TLS explicitly uses Netty OPENSSL:

{{GrpcSslContexts.configure(b, OPENSSL)}}

Client-side TLS uses GrpcSslContexts.forClient(), which also prefers OPENSSL 
when available.

This makes it hard for downstream projects to use JDK/JSSE providers such as 
BCJSSE, OpenJSSE, or other custom providers, and also prevents configuring 
compliance-specific TLS protocols and cipher suites.

*Request*

Please expose configuration options for:

{{raft.grpc.tls.ssl.provider=JDK|OPENSSL|OPENSSL_REFCNT
raft.grpc.tls.jsse.provider.name=BCJSSE
raft.grpc.tls.protocols=TLSv1.3,TLSv1.2
raft.grpc.tls.cipher.suites=...}}

When unset, current behavior should remain unchanged.

*Expected*

Ratis gRPC client and server should both be able to use configurable TLS 
provider, JSSE provider, protocols, and cipher suites.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
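
Added example, not part of the issue and not Ratis code: one way the four proposed keys could be applied to the Netty `SslContextBuilder` that `GrpcSslContexts` configures. The class name `GrpcTlsSettings`, the use of `java.util.Properties`, the rule that a JSSE provider name requires `ssl.provider=JDK`, and unshaded grpc-netty and Netty on the classpath are assumptions.

```java
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Properties;

public final class GrpcTlsSettings { // hypothetical helper, not a Ratis class
  static final String SSL_PROVIDER = "raft.grpc.tls.ssl.provider";
  static final String JSSE_NAME = "raft.grpc.tls.jsse.provider.name";
  static final String PROTOCOLS = "raft.grpc.tls.protocols";
  static final String CIPHERS = "raft.grpc.tls.cipher.suites";

  /** Applies only the keys that are set; empty Properties leave the builder untouched. */
  public static SslContextBuilder apply(SslContextBuilder b, Properties p) {
    String ssl = trimmed(p, SSL_PROVIDER);
    String jsse = trimmed(p, JSSE_NAME);
    if (ssl != null) {
      // Sets the engine plus gRPC's ALPN and default HTTP/2 cipher list for it.
      GrpcSslContexts.configure(b, SslProvider.valueOf(ssl));
    }
    if (jsse != null) {
      // Assumption: a named JSSE provider is only accepted with the JDK engine.
      if (!"JDK".equals(ssl)) {
        throw new IllegalArgumentException(JSSE_NAME + " requires " + SSL_PROVIDER + "=JDK");
      }
      Provider jdk = Security.getProvider(jsse);
      if (jdk == null) {
        throw new IllegalArgumentException("JSSE provider not registered: " + jsse);
      }
      b.sslContextProvider(jdk);
    }
    String protocols = trimmed(p, PROTOCOLS);
    if (protocols != null) b.protocols(protocols.split("\\s*,\\s*"));
    String ciphers = trimmed(p, CIPHERS);
    // Applied after configure() so the explicit list replaces gRPC's default one.
    if (ciphers != null) b.ciphers(Arrays.asList(ciphers.split("\\s*,\\s*")));
    return b;
  }

  private static String trimmed(Properties p, String key) {
    String v = p.getProperty(key);
    return v == null || v.trim().isEmpty() ? null : v.trim();
  }

  public static void main(String[] args) throws Exception {
    Properties p = new Properties(); // constructed sample values
    p.setProperty(SSL_PROVIDER, "JDK");
    p.setProperty(PROTOCOLS, "TLSv1.3,TLSv1.2");
    p.setProperty(CIPHERS, "TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    apply(GrpcSslContexts.forClient(), p).build();
    System.out.println("client SslContext built with the JDK engine");
  }
}
```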
