Skip to content

HDDS-10819. Respect ssl.server.include.cipher.list and ssl.enabled.protocols in HttpServer2#10111

Merged
adoroszlai merged 3 commits into
apache:masterfrom
fapifta:HDDS-10819
Apr 24, 2026
Merged

HDDS-10819. Respect ssl.server.include.cipher.list and ssl.enabled.protocols in HttpServer2#10111
adoroszlai merged 3 commits into
apache:masterfrom
fapifta:HDDS-10819

Conversation

@fapifta

@fapifta fapifta commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Add ssl.server.include.cipher.list and ssl.enabled.protocols to HttpServer2 setup.

Please describe your PR in detail:
Port TLS protocol version control and cipher suite inclusion support from Hadoop's HttpServer2 to Ozone's forked copy, aligning with upstream changes from HADOOP-15169 and HADOOP-19546. Currently, Ozone's web endpoints (OM, SCM, Datanode, S3Gateway, Recon, HttpFS, Freon) only support excluding cipher suites via ssl.server.exclude.cipher.list and have no mechanism to restrict TLS protocol versions — both features that Hadoop's HttpServer2 already provides. This change adds the includeCiphers builder field and method to HttpServer2, ports the setEnabledProtocols() method that honors the hadoop.ssl.enabled.protocols configuration key, wires the new ssl.server.include.cipher.list config through BaseHttpServer.loadSslConfToHttpServerBuilder(), and adds comprehensive SSL tests verifying that cipher exclusion/inclusion and protocol restrictions are actually enforced at the TLS handshake level — a test coverage gap that exists today. All required constants (SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST, SSLFactory.SSL_ENABLED_PROTOCOLS_KEY) are already available in Ozone's existing Hadoop 3.4.3 dependency, so no version bump is needed.

The changeset is generated by Claude - Opus 4.6

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-10819

How was this patch tested?

JUnit tests are added.

…ols to HttpServer2 setup.

Generated-by: Claude - Opus 4.6

@adoroszlai adoroszlai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @fapifta for the patch.

Comment on lines +390 to +391
.includeCiphers(
sslConf.get("ssl.server.include.cipher.list"));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: add before .excludeCiphers to reduce change (due to moving around ;)

Also, I think these can use constants SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST and SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST, since HttpServer2 already does.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have changed this method, reformatted the code and use SSLFactory constant for every string referenced there.

}
}
if (null != excludeCiphers && !excludeCiphers.isEmpty()) {
if (excludeCiphers != null && !excludeCiphers.isEmpty()) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unnecessary change

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I respectfully disagree, this is the only condition which uses the yoda style, I think this is a better way as it conforms with the rest of the surrounding code.

Comment on lines +601 to +623
if (!enabledProtocols.equals(
SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
String[] jettyExcludedProtocols =
sslContextFactory.getExcludeProtocols();
String[] enabledProtocolsArray =
StringUtils.getTrimmedStrings(enabledProtocols);
List<String> enabledProtocolsList =
Arrays.asList(enabledProtocolsArray);

List<String> resetExcludedProtocols = new ArrayList<>();
for (String jettyExcludedProtocol : jettyExcludedProtocols) {
if (!enabledProtocolsList.contains(jettyExcludedProtocol)) {
resetExcludedProtocols.add(jettyExcludedProtocol);
} else {
LOG.debug("Removed {} from exclude protocol list",
jettyExcludedProtocol);
}
}

sslContextFactory.setExcludeProtocols(
resetExcludedProtocols.toArray(new String[0]));
LOG.info("Reset exclude protocol list: {}",
resetExcludedProtocols);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: line wraps are unnecesary

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reformatted the code, and also rewritten the method based on the below suggestion to use removall

Comment on lines +610 to +618
List<String> resetExcludedProtocols = new ArrayList<>();
for (String jettyExcludedProtocol : jettyExcludedProtocols) {
if (!enabledProtocolsList.contains(jettyExcludedProtocol)) {
resetExcludedProtocols.add(jettyExcludedProtocol);
} else {
LOG.debug("Removed {} from exclude protocol list",
jettyExcludedProtocol);
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be simplified?

List<String> resetExcludedProtocols = new ArrayList<>(jettyExcludedProtocols);
resetExcludedProtocols.removeAll(enabledProtocolsList);

@adoroszlai adoroszlai changed the title HDDS-10819. Add ssl.server.include.cipher.list and ssl.enabled.protocols to HttpServer2 setup. HDDS-10819. Respect ssl.server.include.cipher.list and ssl.enabled.protocols in HttpServer2 Apr 23, 2026

@adoroszlai adoroszlai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @fapifta for updating the patch.

@adoroszlai
adoroszlai requested a review from jojochuang April 23, 2026 15:08
With this change we have a separate property to define ozone ssl protocols, a fallback to
hadoop.ssl.enabled.protocols, and then to the Hadoop default which is TLSv1.2.
@fapifta

fapifta commented Apr 23, 2026

Copy link
Copy Markdown
Contributor Author

After re-checking the PR, I realized that the original way introduces the new parameter for the enabled protocols as hadoop.ssl.enabled.protocols I added an extra configuration option in the last commit in order to have a configuration option called ozone.ssl.enabled.protocols which falls back to hadoop.ssl.enabled.protocols, which has a default set to TLSv1.2. This way we have a separate configuration for Ozone behaviour but still we can rely on the hadoop settings also as a fallback.

@fapifta
fapifta requested a review from adoroszlai April 23, 2026 16:26
@adoroszlai
adoroszlai merged commit d5ec23e into apache:master Apr 24, 2026
45 checks passed
@adoroszlai

Copy link
Copy Markdown
Contributor

Thanks @fapifta for the patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants