• Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.18.0
    • Fix Version/s: 1.18.0
    • Component/s: None


      The purpose of this ticket is to add the following options for Jetty's SSL context factory under the
      common options path drill.exec.http.jetty.server.sslContextFactory:


          jetty: {
            server: {
              # Optional params to set on Jetty's org.eclipse.jetty.util.ssl.SslContextFactory
              # when drill.exec.http.ssl_enabled is true
              sslContextFactory: {
                # alias of the certificate to use when multiple non-SNI certificates are available.
                certAlias: "certAlias",
                # path to file that contains Certificate Revocation List
                crlPath: "/etc/file.crl",
                # enable Certificate Revocation List Distribution Points Support
                enableCRLDP: false,
                # enable On-Line Certificate Status Protocol support
                enableOCSP: false,
                # when set to "HTTPS" hostname verification will be enabled
                endpointIdentificationAlgorithm: "HTTPS",
                # accepts exact cipher suite names and/or regular expressions.
                excludeCipherSuites: ["SSL_DHE_DSS_WITH_DES_CBC_SHA"],
                # list of TLS/SSL protocols to exclude
                excludeProtocols: ["TLSv1.1"],
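                # accepts exact cipher suite names and/or regular expressions.
                # the two names below only illustrate the syntax: they are export-grade DES40 suites,
                # which are weak and should not be included on a real server.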
                includeCipherSuites: ["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"],
                # list of TLS/SSL protocols to include
                includeProtocols: ["TLSv1.2", "TLSv1.3"],
                # the algorithm name (default "SunX509") used by
                # the KeyManagerFactory
                keyManagerFactoryAlgorithm: "SunX509",
                # classname of custom implementation
                keyStoreProvider: "fully.qualified.class.Name",
                # type of key store (default "JKS")
                keyStoreType: "JKS",
                # max number of intermediate certificates in the certificate chain (-1 for unlimited)
                maxCertPathLength: -1,
                # set true if ssl needs client authentication
                needClientAuth: false,
                # location of the OCSP Responder
                ocspResponderURL: "",
                # provider class name
                provider: "fully.qualified.class.Name",
                # whether TLS renegotiation is allowed
                renegotiationAllowed: false,
                # number of renegotiations allowed for this connection (-1 for unlimited, default 5).
                renegotiationLimit: 5,
                # algorithm name for SecureRandom instances.
                 secureRandomAlgorithm: "NativePRNG",
                # set the flag to enable SSL Session caching
                sessionCachingEnabled: false,
                # set if you want to bound session cache size
                sslSessionCacheSize: -1,
               # session timeout in seconds.
                sslSessionTimeout: -1,
                # the algorithm name (default "SunX509") used
                # by the TrustManagerFactory
                trustManagerFactoryAlgorithm: "SunX509",
                # provider of the trust store
                trustStoreProvider: "fully.qualified.class.Name",
                # type of the trust store (default "JKS")
                trustStoreType: "JKS",
                # sets whether the local cipher suites preference should be honored.
                useCipherSuiteOrder: false,
                # true if SSL certificates have to be validated
                validateCerts: false,
                # true if SSL certificates of the peer have to be validated
                validatePeerCerts: false,
                # true if SSL wants client authentication.
                wantClientAuth: false


