AMashenkov commented on code in PR #1779:
URL: https://github.com/apache/ignite-3/pull/1779#discussion_r1136740014
##########
modules/network/src/main/java/org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.java:
##########
@@ -73,4 +89,23 @@ private static void
validateKeyStore(ValidationContext<AbstractSslView> ctx, Str
}
}
}
+
+ private static void validateCiphers(ValidationContext<AbstractSslView>
ctx, AbstractSslView ssl) {
+ try {
+ SslContext context = SslContextBuilder.forClient().build();
+ Set<String> supported =
Arrays.stream(context.newEngine(ByteBufAllocator.DEFAULT).getSupportedCipherSuites())
+ .filter(Objects::nonNull) // OpenSSL engine returns null
string in the array so we need to filter them out
+ .collect(Collectors.toSet());
+ Set<String> ciphers = Arrays.stream(ssl.ciphers().split(","))
+ .map(String::strip)
+ .collect(Collectors.toSet());
+ if (!supported.containsAll(ciphers)) {
Review Comment:
It is possible different JVM (or ssl libs) may have different ciphers
support.
With current approach, user may be forced to rewrite config for different
environment.
I guess at least one supported cipher is enough for establishing a
connection.
However, it make sense to log unsupported ciphers.
Will it be more user friendly, if we will filter out unsupported ciphers
from given list and fail with error only when no valid cipher found?
##########
modules/client/src/main/java/org/apache/ignite/internal/client/SslConfigurationImpl.java:
##########
@@ -72,6 +76,11 @@ public ClientAuthenticationMode clientAuthenticationMode() {
return clientAuth;
}
+ @Override
Review Comment:
/** {@inheritDoc} */
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
