Allow separate truststore conf for HttpEmitter#5298
Merged
himanshug merged 2 commits intoapache:masterfrom Jan 26, 2018
Merged
Conversation
himanshug
reviewed
Jan 25, 2018
| return effectiveSSLContext; | ||
| } | ||
|
|
||
| public static SSLContext getSSLContextFromConfig(HttpEmitterSSLClientConfig config) |
Contributor
There was a problem hiding this comment.
looks pretty much same as SSLContextProvider.get(). Can we refactor the code a bit and create a static method in SSLContextProvider that could be used here ?
Contributor
Author
There was a problem hiding this comment.
I moved this block to a utility class, SSLContextProvider is in an extension
pjain1
approved these changes
Jan 26, 2018
jon-wei
added a commit
to implydata/druid-public
that referenced
this pull request
Jan 26, 2018
* Fix HttpEmitter TLS support, allow separate truststore conf * PR comment, fix tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR allows the HttpEmitter and ParametrizedUriEmitter to use a different SSLContext from the one injected by the logic introduced in #4270.
The HttpEmitter can use the default Java SSLContext or a truststore specified through configuration.
This can be useful in situations where it's inconvenient or forbidden by policy to keep all certificates in the same truststore.
For example, suppose the server certificate used by Druid nodes for internal communications is signed by a root cert that is not present in the default Java truststore, but the metrics receiver uses a certificate signed by a major CA, which is present in the default Java truststore, and the user wishes to keep the non-major CA signed cert in a separate truststore.