HADOOP-19876. SSL protocol config is not applied to Jetty when set to default value #8465

Merged
jojochuang merged 2 commits into apache:trunk from dombizita:HADOOP-19876
May 5, 2026
@dombizita
Contributor

Description of PR

In HttpServer2.setEnabledProtocols(), the logic that applies SSL protocol restrictions to the Jetty SslContextFactory is gated behind a check that compares the resolved configuration value against SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT ("TLSv1.2"). This means that Jetty is not respecting the configuration; the condition check should be removed.

How was this patch tested?

Tested the changes manually with openssl s_client -connect commands.

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

No AI tool was used.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 17m 45s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 42m 28s trunk passed
+1 💚 compile 16m 5s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 compile 16m 34s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 checkstyle 1m 31s trunk passed
+1 💚 mvnsite 1m 58s trunk passed
+1 💚 javadoc 1m 28s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 1m 25s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 spotbugs 3m 10s trunk passed
+1 💚 shadedclient 31m 2s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 12s the patch passed
+1 💚 compile 15m 24s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javac 15m 24s the patch passed
+1 💚 compile 16m 25s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 javac 16m 25s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 1m 26s the patch passed
+1 💚 mvnsite 1m 59s the patch passed
+1 💚 javadoc 1m 27s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 1m 26s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 spotbugs 3m 18s the patch passed
+1 💚 shadedclient 31m 17s patch has no errors when building and testing our client artifacts.
_ Other Tests _
-1 ❌ unit 22m 55s /patch-unit-hadoop-common-project_hadoop-common.txt hadoop-common in the patch passed.
+1 💚 asflicense 1m 14s The patch does not generate ASF License warnings.
232m 45s
Reason Tests
Failed junit tests hadoop.http.TestSSLHttpServer
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/1/artifact/out/Dockerfile
GITHUB PR #8465
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 8e6e67036a2b 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 6b75a4d
Default Java Ubuntu-17.0.18+8-Ubuntu-124.04.1
Multi-JDK versions /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/1/testReport/
Max. process+thread count 3152 (vs. ulimit of 10000)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/1/console
versions git=2.43.0 maven=3.9.11 spotbugs=4.9.7
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

@ajfabbri
Contributor

ajfabbri commented May 1, 2026

Thanks for the PR. Can we please add a unit/integration test for this? I think we at least need a sequence of commands that I could follow to test this patch--but it really should be automated to prevent regressions.

@K0K0V0K
Contributor

K0K0V0K commented May 4, 2026

Thanks @dombizita for fixing this bug!

LGTM!

@dombizita
Contributor Author

Thank you for the review @ajfabbri and @K0K0V0K! In the latest commit I fixed an already existing test that started failing, which reproduced the reported bug (TestSSLHttpServer.testIncludedProtocols); also added unit tests for other cases (not set setting/default/non-default value). Let me know what you think of this.

@dombizita
Contributor Author

@jojochuang could you please also check this? As you worked on this before, thanks!

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 53s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 2 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 43m 23s trunk passed
+1 💚 compile 15m 45s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 compile 16m 24s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 checkstyle 1m 31s trunk passed
+1 💚 mvnsite 1m 58s trunk passed
+1 💚 javadoc 1m 32s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 1m 26s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 spotbugs 3m 6s trunk passed
+1 💚 shadedclient 30m 49s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 15s the patch passed
+1 💚 compile 15m 12s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javac 15m 12s the patch passed
+1 💚 compile 16m 29s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 javac 16m 29s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 1m 28s the patch passed
+1 💚 mvnsite 1m 58s the patch passed
+1 💚 javadoc 1m 27s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 1m 26s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 spotbugs 3m 17s the patch passed
+1 💚 shadedclient 31m 10s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 23m 4s hadoop-common in the patch passed.
+1 💚 asflicense 1m 13s The patch does not generate ASF License warnings.
215m 57s
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/2/artifact/out/Dockerfile
GITHUB PR #8465
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 80cf40c177ea 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 8430e94
Default Java Ubuntu-17.0.18+8-Ubuntu-124.04.1
Multi-JDK versions /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/2/testReport/
Max. process+thread count 1323 (vs. ulimit of 10000)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8465/2/console
versions git=2.43.0 maven=3.9.11 spotbugs=4.9.7
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

Copilot AI left a comment

Pull request overview

Fixes a bug in HttpServer2 where SSL enabled-protocol configuration was not applied to Jetty when the resolved value matched the default (SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT, currently TLSv1.2). By always applying the configured (or defaulted) protocol list, Jetty’s SslContextFactory consistently reflects the intended protocol restrictions.

Changes:

  • Always apply enabled-protocol configuration to Jetty’s SslContextFactory (remove the “only if non-default” gate).
  • Update SSL HTTP server functional test setup to include TLSv1.3 on Java 11+ (since the server will now strictly honor the configured protocol list).
  • Add focused unit tests verifying that the enabled-protocol configuration is applied even when unset or explicitly set to the default.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java Removes the conditional gate so SslContextFactory include/exclude protocol lists are always updated from config (including default).
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServer.java Adjusts test server protocol configuration to include TLSv1.3 on Java 11+ to align with stricter protocol enforcement.
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java Adds tests asserting Jetty’s SslContextFactory reflects enabled-protocol config for unset/default/explicit/default and non-default cases.
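
The gate described in this PR, as an added example that is not code from the pull request or from Hadoop: the JDK's `SSLEngine` stands in for Jetty's `SslContextFactory`, and the class and method names (`EnabledProtocolsGate`, `gated`, `always`) are hypothetical. It compares the protocols left enabled when the restriction is skipped for the default value with the result of always applying the resolved value.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

public class EnabledProtocolsGate {
    // Value quoted in the PR for SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT.
    static final String DEFAULT_PROTOCOLS = "TLSv1.2";

    /** Resolve the setting the way a config lookup with a default would (assumption). */
    static String resolve(String configured) {
        return configured == null ? DEFAULT_PROTOCOLS : configured;
    }

    static String[] split(String csv) {
        return Arrays.stream(csv.split(",")).map(String::trim).toArray(String[]::new);
    }

    /** Model of the gated logic: the restriction is skipped when the value equals the default. */
    static List<String> gated(String configured) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String resolved = resolve(configured);
        if (!resolved.equals(DEFAULT_PROTOCOLS)) {
            engine.setEnabledProtocols(split(resolved));
        }
        // When the gate is not taken, the engine keeps whatever the JDK enables by default.
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** Model of the fixed logic: the resolved value is always applied. */
    static List<String> always(String configured) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setEnabledProtocols(split(resolve(configured)));
        return Arrays.asList(engine.getEnabledProtocols());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: unset, explicitly the default, and a non-default value.
        for (String configured : new String[] {null, "TLSv1.2", "TLSv1.3"}) {
            System.out.printf("configured=%-8s gated=%s always=%s%n",
                configured, gated(configured), always(configured));
        }
    }
}
```

On a JDK whose default enabled protocols include more than TLSv1.2, the `gated` column differs from the `always` column for the unset and default inputs, which is the mismatch an operator would see between configuration and the protocols the listener negotiates.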

Contributor

@jojochuang jojochuang left a comment

Yeah looks good to me. I don't recall why I made it so convoluted even reading the comments in HADOOP-19876.

Incidentally, now that Hadoop defaults to JDK17, we should update SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT = "TLSv1.2,TLSv1.3"

(Jetty supports TLSv1.3 since JDK11)

@ajfabbri ajfabbri self-requested a review May 5, 2026 16:51
Contributor

@ajfabbri ajfabbri left a comment

+1. Thanks for adding a test.

@jojochuang
Contributor

Opened https://issues.apache.org/jira/browse/HADOOP-19879 to add TLSv1.3 to the default supported protocols.

@jojochuang jojochuang merged commit 5e15377 into apache:trunk May 5, 2026
10 checks passed
@jojochuang
Contributor

Merged. Thanks @dombizita @ajfabbri @K0K0V0K

jojochuang pushed a commit that referenced this pull request May 5, 2026
jojochuang pushed a commit that referenced this pull request May 5, 2026
… default value (#8465)

(cherry picked from commit 5e15377)
(cherry picked from commit c9705d1)

 Conflicts:
	hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestSSLHttpServerConfigs.java