Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.18.0
    • 1.18.0
    • None

    Description

      The purpose of this ticket is to add the following options for Jetty's SSL context factory under
      the common options path drill.exec.http.jetty.server.sslContextFactory

       

          jetty: {
            server: {
              # Optional params applied to Jetty's org.eclipse.jetty.util.ssl.SslContextFactory
              # when drill.exec.http.ssl_enabled is set. The values below illustrate the syntax
              # of each option; they are not recommended production settings.
              sslContextFactory: {

                # alias of the certificate to use when the key store holds multiple
                # non-SNI certificates
                certAlias: "certAlias",

                # path to a file that contains a Certificate Revocation List
                crlPath: "/etc/file.crl",

                # enable Certificate Revocation List Distribution Points support
                # (revocation data is fetched from the distribution point URLs carried in certificates)
                enableCRLDP: false,

                # enable On-Line Certificate Status Protocol support
                # (revocation status is queried from an OCSP responder at handshake time)
                enableOCSP: false,

                # when set to "HTTPS", hostname verification of the peer certificate is enabled
                endpointIdentificationAlgorithm: "HTTPS",

                # accepts exact cipher suite names and/or regular expressions;
                # in Jetty, excluded suites take precedence over included ones
                excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],

                # list of TLS/SSL protocols to exclude
                excludeProtocols: ["TLSv1.1"],

                # accepts exact cipher suite names and/or regular expressions;
                # only suites matching this list are enabled.
                # NOTE(review): the example values are export-grade DES40 suites shown only to
                # illustrate the syntax; they are cryptographically weak and should not be
                # enabled in a real deployment.
                includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],

                # list of TLS/SSL protocols to include
                includeProtocols: ["TLSv1.2", "TLSv1.3"],

                # the algorithm name (default "SunX509") used by
                # the javax.net.ssl.KeyManagerFactory
                keyManagerFactoryAlgorithm: "SunX509",

                # provider of the key store.
                # NOTE(review): Jetty passes this value to KeyStore.getInstance(type, provider),
                # which expects a JCA provider *name* rather than a class name — confirm against
                # the SslContextFactory javadoc before documenting the example value.
                keyStoreProvider: "fully.qualified.class.Name",

                # type of key store (default "JKS")
                keyStoreType: "JKS",

                # max number of intermediate certificates in the certificate chain
                # (-1 leaves the limit unset)
                maxCertPathLength: -1,

                # set true if the server must require a client certificate; handshakes
                # without one are rejected (compare wantClientAuth below)
                needClientAuth: false,

                # location of the OCSP responder (URL); used when enableOCSP is true
                ocspResponderURL: "",

                # javax.net.ssl.SSLContext provider.
                # NOTE(review): Jetty passes this to SSLContext.getInstance(protocol, provider),
                # which takes a provider name, not a class name — confirm before documenting.
                provider: "fully.qualified.class.Name",

                # whether TLS renegotiation is allowed
                # (client-initiated renegotiation is a known DoS vector; false is the safer setting)
                renegotiationAllowed: false,

                # number of renegotiations allowed for this connection (-1 for unlimited, default 5)
                renegotiationLimit: 5,

                # algorithm name for java.security.SecureRandom instances
                 secureRandomAlgorithm: "NativePRNG",

                # set the flag to enable SSL session caching
                sessionCachingEnabled: false,

                # set if you want to bound the session cache size (-1 leaves it unbounded)
                sslSessionCacheSize: -1,

                # session timeout in seconds (-1 leaves the default)
                sslSessionTimeout: -1,

                # the algorithm name (default "SunX509") used
                # by the javax.net.ssl.TrustManagerFactory
                trustManagerFactoryAlgorithm: "SunX509",

                # provider of the trust store (same provider-name caveat as keyStoreProvider)
                trustStoreProvider: "fully.qualified.class.Name",

                # type of the trust store (default "JKS")
                trustStoreType: "JKS",

                # sets whether the local (server) cipher suite preference order should be honored
                useCipherSuiteOrder: false,

                # true if the server's own SSL certificates have to be validated
                validateCerts: false,

                # true if SSL certificates of the peer have to be validated
                validatePeerCerts: false,

                # true if the server requests a client certificate but still accepts
                # connections that do not present one (contrast needClientAuth)
                wantClientAuth: false
              }
            }
          }
      

            People

              ihuzenko Igor Guzenko
              ihuzenko Igor Guzenko
              Vova Vysotskyi Vova Vysotskyi

              Dates

                Created:
                Updated:
                Resolved: