From b6e4a9633c39d611e6037125ee76991312c95ad5 Mon Sep 17 00:00:00 2001
From: Hasnain Lakhani <hasnain.lakhani@databricks.com>
Date: Thu, 24 Aug 2023 16:18:39 -0700
Subject: [PATCH 1/3] working

---
 common/network-common/pom.xml                 |  34 +-
 .../spark/network/TransportContext.java       |  76 ++-
 .../buffer/FileSegmentManagedBuffer.java      |   7 +
 .../spark/network/buffer/ManagedBuffer.java   |  11 +
 .../network/buffer/NettyManagedBuffer.java    |   5 +
 .../network/buffer/NioManagedBuffer.java      |   5 +
 .../spark/network/client/TransportClient.java |   5 +-
 .../client/TransportClientFactory.java        |  26 +-
 .../protocol/EncryptedMessageWithHeader.java  | 131 +++++
 .../network/protocol/SslMessageEncoder.java   | 108 ++++
 .../server/TransportChannelHandler.java       |   4 +
 .../spark/network/server/TransportServer.java |   2 +-
 .../ssl/ReloadingX509TrustManager.java        | 201 +++++++
 .../apache/spark/network/ssl/SSLFactory.java  | 503 ++++++++++++++++++
 .../spark/network/util/NettyLogger.java       |  11 +
 .../spark/network/util/TransportConf.java     | 163 ++++++
 .../src/test/java/TransportConfSuite.java     |  91 ++++
 .../SslChunkFetchIntegrationSuite.java        | 104 ++++
 .../spark/network/TestManagedBuffer.java      |   5 +
 .../SslTransportClientFactorySuite.java       |  39 ++
 .../client/TransportClientFactorySuite.java   |   8 +-
 .../EncryptedMessageWithHeaderSuite.java      | 144 +++++
 .../ssl/ReloadingX509TrustManagerSuite.java   | 197 +++++++
 .../spark/network/ssl/SslSampleConfigs.java   | 235 ++++++++
 .../src/test/resources/certchain.pem          |  17 +
 .../network-common/src/test/resources/key.pem |  29 +
 .../src/test/resources/keystore               | Bin 0 -> 2247 bytes
 .../src/test/resources/truststore             | Bin 0 -> 957 bytes
 .../src/test/resources/untrusted-keystore     | Bin 0 -> 2246 bytes
 .../shuffle/ShuffleTransportContext.java      |  12 +-
 .../ExternalShuffleIntegrationSuite.java      |  28 +-
 .../shuffle/ExternalShuffleSecuritySuite.java |  14 +-
 .../shuffle/ShuffleTransportContextSuite.java |  43 +-
 .../SslExternalShuffleIntegrationSuite.java   |  95 ++++
 .../SslExternalShuffleSecuritySuite.java      |  45 ++
 .../SslShuffleTransportContextSuite.java      |  38 ++
 .../src/test/resources/certchain.pem          |  17 +
 .../src/test/resources/key.pem                |  29 +
 .../src/test/resources/keystore               | Bin 0 -> 2247 bytes
 .../src/test/resources/truststore             | Bin 0 -> 957 bytes
 .../src/test/resources/untrusted-keystore     | Bin 0 -> 2246 bytes
 core/pom.xml                                  |   7 +
 .../scala/org/apache/spark/SSLOptions.scala   | 132 ++++-
 .../org/apache/spark/SecurityManager.scala    |  67 ++-
 .../scala/org/apache/spark/SparkConf.scala    |   4 +-
 .../scala/org/apache/spark/SparkEnv.scala     |   7 +-
 .../spark/deploy/ExternalShuffleService.scala |   6 +-
 .../spark/deploy/worker/CommandUtils.scala    |  13 +-
 .../CoarseGrainedExecutorBackend.scala        |   4 +-
 .../netty/NettyBlockTransferService.scala     |   6 +-
 .../network/netty/SparkTransportConf.scala    |  32 +-
 .../apache/spark/rpc/netty/NettyRpcEnv.scala  |  12 +-
 .../shuffle/IndexShuffleBlockResolver.scala   |   8 +-
 .../spark/shuffle/ShuffleBlockPusher.scala    |   6 +-
 .../apache/spark/storage/BlockManager.scala   |  12 +-
 .../storage/BlockManagerManagedBuffer.scala   |   2 +
 .../org/apache/spark/storage/DiskStore.scala  |  13 +
 .../spark/util/io/ChunkedByteBuffer.scala     |  20 +
 core/src/test/resources/certchain.pem         |  17 +
 core/src/test/resources/key.pem               |  29 +
 .../spark/ExternalShuffleServiceSuite.scala   |   8 +-
 .../org/apache/spark/SSLOptionsSuite.scala    | 127 +++++
 .../org/apache/spark/SparkConfSuite.scala     |   6 +-
 .../SslExternalShuffleServiceSuite.scala      |  55 ++
 .../apache/spark/SslShuffleNettySuite.scala   |  28 +
 .../deploy/worker/CommandUtilsSuite.scala     |  29 +-
 .../CoarseGrainedExecutorBackendSuite.scala   |  44 +-
 .../network/BlockTransferServiceSuite.scala   |   2 +
 .../NettyBlockTransferSecuritySuite.scala     |  83 +++
 .../org/apache/spark/rpc/RpcEnvSuite.scala    |  52 +-
 .../spark/rpc/netty/NettyRpcEnvSuite.scala    |  16 +-
 .../BlockStoreShuffleReaderSuite.scala        |   1 +
 .../shuffle/ShuffleBlockPusherSuite.scala     |  16 +-
 .../sort/IndexShuffleBlockResolverSuite.scala |  16 +-
 .../BlockManagerReplicationSuite.scala        |  40 +-
 .../SslBlockManagerReplicationSuite.scala     |  49 ++
 dev/deps/spark-deps-hadoop-3-hive-2.3         |   6 +
 docs/security.md                              |  91 +++-
 pom.xml                                       |  25 +
 resource-managers/mesos/pom.xml               |   7 +
 .../MesosCoarseGrainedSchedulerBackend.scala  |   3 +-
 .../mesos/src/test/resources/certchain.pem    |  17 +
 .../mesos/src/test/resources/key.pem          |  29 +
 .../mesos/src/test/resources/keystore         | Bin 0 -> 2247 bytes
 .../mesos/src/test/resources/truststore       | Bin 0 -> 957 bytes
 .../src/test/resources/untrusted-keystore     | Bin 0 -> 2246 bytes
 ...osCoarseGrainedSchedulerBackendSuite.scala |  15 +-
 resource-managers/yarn/pom.xml                |   7 +
 .../yarn/src/test/resources/certchain.pem     |  17 +
 .../yarn/src/test/resources/key.pem           |  29 +
 .../yarn/src/test/resources/keystore          | Bin 0 -> 2247 bytes
 .../yarn/src/test/resources/truststore        | Bin 0 -> 957 bytes
 .../src/test/resources/untrusted-keystore     | Bin 0 -> 2246 bytes
 .../yarn/SslYarnShuffleServiceSuite.scala     |  33 ++
 94 files changed, 3577 insertions(+), 153 deletions(-)
 create mode 100644 common/network-common/src/main/java/org/apache/spark/network/protocol/EncryptedMessageWithHeader.java
 create mode 100644 common/network-common/src/main/java/org/apache/spark/network/protocol/SslMessageEncoder.java
 create mode 100644 common/network-common/src/main/java/org/apache/spark/network/ssl/ReloadingX509TrustManager.java
 create mode 100644 common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
 create mode 100644 common/network-common/src/test/java/TransportConfSuite.java
 create mode 100644 common/network-common/src/test/java/org/apache/spark/network/SslChunkFetchIntegrationSuite.java
 create mode 100644 common/network-common/src/test/java/org/apache/spark/network/client/SslTransportClientFactorySuite.java
 create mode 100644 common/network-common/src/test/java/org/apache/spark/network/protocol/EncryptedMessageWithHeaderSuite.java
 create mode 100644 common/network-common/src/test/java/org/apache/spark/network/ssl/ReloadingX509TrustManagerSuite.java
 create mode 100644 common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
 create mode 100644 common/network-common/src/test/resources/certchain.pem
 create mode 100644 common/network-common/src/test/resources/key.pem
 create mode 100644 common/network-common/src/test/resources/keystore
 create mode 100644 common/network-common/src/test/resources/truststore
 create mode 100644 common/network-common/src/test/resources/untrusted-keystore
 create mode 100644 common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleIntegrationSuite.java
 create mode 100644 common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleSecuritySuite.java
 create mode 100644 common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslShuffleTransportContextSuite.java
 create mode 100644 common/network-shuffle/src/test/resources/certchain.pem
 create mode 100644 common/network-shuffle/src/test/resources/key.pem
 create mode 100644 common/network-shuffle/src/test/resources/keystore
 create mode 100644 common/network-shuffle/src/test/resources/truststore
 create mode 100644 common/network-shuffle/src/test/resources/untrusted-keystore
 create mode 100644 core/src/test/resources/certchain.pem
 create mode 100644 core/src/test/resources/key.pem
 create mode 100644 core/src/test/scala/org/apache/spark/SslExternalShuffleServiceSuite.scala
 create mode 100644 core/src/test/scala/org/apache/spark/SslShuffleNettySuite.scala
 create mode 100644 core/src/test/scala/org/apache/spark/storage/SslBlockManagerReplicationSuite.scala
 create mode 100644 resource-managers/mesos/src/test/resources/certchain.pem
 create mode 100644 resource-managers/mesos/src/test/resources/key.pem
 create mode 100644 resource-managers/mesos/src/test/resources/keystore
 create mode 100644 resource-managers/mesos/src/test/resources/truststore
 create mode 100644 resource-managers/mesos/src/test/resources/untrusted-keystore
 create mode 100644 resource-managers/yarn/src/test/resources/certchain.pem
 create mode 100644 resource-managers/yarn/src/test/resources/key.pem
 create mode 100644 resource-managers/yarn/src/test/resources/keystore
 create mode 100644 resource-managers/yarn/src/test/resources/truststore
 create mode 100644 resource-managers/yarn/src/test/resources/untrusted-keystore
 create mode 100644 resource-managers/yarn/src/test/scala/org/apache/spark/network/yarn/SslYarnShuffleServiceSuite.scala

diff --git a/common/network-common/pom.xml b/common/network-common/pom.xml
index 1823edbe0f53d..867cae5af9886 100644
--- a/common/network-common/pom.xml
+++ b/common/network-common/pom.xml
@@ -67,6 +67,26 @@
       <artifactId>netty-transport-native-kqueue</artifactId>
       <classifier>osx-x86_64</classifier>
     </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <classifier>linux-x86_64</classifier>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <classifier>linux-aarch_64</classifier>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <classifier>osx-aarch_64</classifier>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <classifier>osx-x86_64</classifier>
+    </dependency>
     <!-- Netty End -->
 
     <dependency>
@@ -147,12 +167,24 @@
       <artifactId>log4j-slf4j2-impl</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>${bouncycastle.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>${bouncycastle.version}</version>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.spark</groupId>
       <artifactId>spark-common-utils_${scala.binary.version}</artifactId>
       <version>${project.version}</version>
-   </dependency>
+    </dependency>
 
     <!--
       This spark-tags test-dep is needed even though it isn't used in this module, otherwise testing-cmds that exclude
diff --git a/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java b/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
index 51d074a4ddbb5..696061c08cc20 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
@@ -23,13 +23,17 @@
 import java.io.Closeable;
 import java.util.ArrayList;
 import java.util.List;
+import javax.annotation.Nullable;
 
 import com.codahale.metrics.Counter;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelPipeline;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.socket.SocketChannel;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.stream.ChunkedWriteHandler;
 import io.netty.handler.timeout.IdleStateHandler;
+import io.netty.handler.codec.MessageToMessageEncoder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,6 +41,8 @@
 import org.apache.spark.network.client.TransportClientBootstrap;
 import org.apache.spark.network.client.TransportClientFactory;
 import org.apache.spark.network.client.TransportResponseHandler;
+import org.apache.spark.network.protocol.Message;
+import org.apache.spark.network.protocol.SslMessageEncoder;
 import org.apache.spark.network.protocol.MessageDecoder;
 import org.apache.spark.network.protocol.MessageEncoder;
 import org.apache.spark.network.server.ChunkFetchRequestHandler;
@@ -45,6 +51,7 @@
 import org.apache.spark.network.server.TransportRequestHandler;
 import org.apache.spark.network.server.TransportServer;
 import org.apache.spark.network.server.TransportServerBootstrap;
+import org.apache.spark.network.ssl.SSLFactory;
 import org.apache.spark.network.util.IOMode;
 import org.apache.spark.network.util.NettyUtils;
 import org.apache.spark.network.util.NettyLogger;
@@ -72,6 +79,8 @@ public class TransportContext implements Closeable {
   private final TransportConf conf;
   private final RpcHandler rpcHandler;
   private final boolean closeIdleConnections;
+  // Non-null if SSL is enabled, null otherwise.
+  @Nullable private final SSLFactory sslFactory;
   // Number of registered connections to the shuffle service
   private Counter registeredConnections = new Counter();
 
@@ -87,7 +96,8 @@ public class TransportContext implements Closeable {
    * RPC to load it and cause to load the non-exist matcher class again. JVM will report
    * `ClassCircularityError` to prevent such infinite recursion. (See SPARK-17714)
    */
-  private static final MessageEncoder ENCODER = MessageEncoder.INSTANCE;
+  private static final MessageToMessageEncoder<Message> ENCODER = MessageEncoder.INSTANCE;
+  private static final MessageToMessageEncoder<Message> SSL_ENCODER = SslMessageEncoder.INSTANCE;
   private static final MessageDecoder DECODER = MessageDecoder.INSTANCE;
 
   // Separate thread pool for handling ChunkFetchRequest. This helps to enable throttling
@@ -125,6 +135,7 @@ public TransportContext(
     this.conf = conf;
     this.rpcHandler = rpcHandler;
     this.closeIdleConnections = closeIdleConnections;
+    this.sslFactory = createSslFactory();
 
     if (conf.getModuleName() != null &&
         conf.getModuleName().equalsIgnoreCase("shuffle") &&
@@ -171,8 +182,12 @@ public TransportServer createServer() {
     return createServer(0, new ArrayList<>());
   }
 
-  public TransportChannelHandler initializePipeline(SocketChannel channel) {
-    return initializePipeline(channel, rpcHandler);
+  public TransportChannelHandler initializePipeline(SocketChannel channel, boolean isClient) {
+    return initializePipeline(channel, rpcHandler, isClient);
+  }
+
+  public boolean sslEncryptionEnabled() {
+    return this.sslFactory != null;
   }
 
   /**
@@ -189,15 +204,32 @@ public TransportChannelHandler initializePipeline(SocketChannel channel) {
    */
   public TransportChannelHandler initializePipeline(
       SocketChannel channel,
-      RpcHandler channelRpcHandler) {
+      RpcHandler channelRpcHandler,
+      boolean isClient) {
     try {
       TransportChannelHandler channelHandler = createChannelHandler(channel, channelRpcHandler);
       ChannelPipeline pipeline = channel.pipeline();
+
       if (nettyLogger.getLoggingHandler() != null) {
         pipeline.addLast("loggingHandler", nettyLogger.getLoggingHandler());
       }
+
+      if (sslEncryptionEnabled()) {
+        SslHandler sslHandler;
+        try {
+          sslHandler = new SslHandler(
+            sslFactory.createSSLEngine(isClient, pipeline.channel().alloc()));
+        } catch (Exception e) {
+          throw new RuntimeException("Error creating Netty SslHandler", e);
+        }
+        pipeline.addFirst("NettySslEncryptionHandler", sslHandler);
+        // Cannot use zero-copy with HTTPS, so we add in our ChunkedWriteHandler just before the
+        // MessageEncoder
+        pipeline.addLast("chunkedWriter", new ChunkedWriteHandler());
+      }
+
       pipeline
-        .addLast("encoder", ENCODER)
+        .addLast("encoder", sslEncryptionEnabled()? SSL_ENCODER : ENCODER)
         .addLast(TransportFrameDecoder.HANDLER_NAME, NettyUtils.createFrameDecoder())
         .addLast("decoder", getDecoder())
         .addLast("idleStateHandler",
@@ -223,6 +255,37 @@ protected MessageToMessageDecoder<ByteBuf> getDecoder() {
     return DECODER;
   }
 
+  private SSLFactory createSslFactory() {
+    if (conf.sslRpcEnabled()) {
+      if (conf.sslRpcEnabledAndKeysAreValid()) {
+        return new SSLFactory.Builder()
+          .openSslEnabled(conf.sslRpcOpenSslEnabled())
+          .requestedProtocol(conf.sslRpcProtocol())
+          .requestedCiphers(conf.sslRpcRequestedCiphers())
+          .keyStore(conf.sslRpcKeyStore(), conf.sslRpcKeyStorePassword())
+          .privateKey(conf.sslRpcPrivateKey())
+          .keyPassword(conf.sslRpcKeyPassword())
+          .certChain(conf.sslRpcCertChain())
+          .trustStore(
+            conf.sslRpcTrustStore(),
+            conf.sslRpcTrustStorePassword(),
+            conf.sslRpcTrustStoreReloadingEnabled(),
+            conf.sslRpcTrustStoreReloadInterval())
+          .build();
+      } else {
+        if (conf.sslRpcDangerouslyFallbackIfKeysNotPresent()) {
+          logger.warn("SSL keys not found. Dangerously falling back to unencrypted connections");
+          return null;
+        } else {
+          logger.error("RPC SSL encryption enabled but keys not found!");
+          throw new RuntimeException("RPC SSL encryption enabled but keys not found!");
+        }
+      }
+    } else {
+      return null;
+    }
+  }
+
   /**
    * Creates the server- and client-side handler which is used to handle both RequestMessages and
    * ResponseMessages. The channel is expected to have been successfully created, though certain
@@ -255,5 +318,8 @@ public void close() {
     if (chunkFetchWorkers != null) {
       chunkFetchWorkers.shutdownGracefully();
     }
+    if (sslFactory != null) {
+      sslFactory.destroy();
+    }
   }
 }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/buffer/FileSegmentManagedBuffer.java b/common/network-common/src/main/java/org/apache/spark/network/buffer/FileSegmentManagedBuffer.java
index 66566b67870f3..dd7c2061ec95b 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/buffer/FileSegmentManagedBuffer.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/buffer/FileSegmentManagedBuffer.java
@@ -28,6 +28,7 @@
 
 import com.google.common.io.ByteStreams;
 import io.netty.channel.DefaultFileRegion;
+import io.netty.handler.stream.ChunkedStream;
 import org.apache.commons.lang3.builder.ToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 
@@ -137,6 +138,12 @@ public Object convertToNetty() throws IOException {
     }
   }
 
+  @Override
+  public Object convertToNettyForSsl() throws IOException {
+    // Cannot use zero-copy with HTTPS
+    return new ChunkedStream(createInputStream(), conf.sslShuffleChunkSize());
+  }
+
   public File getFile() { return file; }
 
   public long getOffset() { return offset; }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/buffer/ManagedBuffer.java b/common/network-common/src/main/java/org/apache/spark/network/buffer/ManagedBuffer.java
index 4dd8cec2900c6..b5e6b4d06b149 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/buffer/ManagedBuffer.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/buffer/ManagedBuffer.java
@@ -75,4 +75,15 @@ public abstract class ManagedBuffer {
    * the caller will be responsible for releasing this new reference.
    */
   public abstract Object convertToNetty() throws IOException;
+
+  /**
+   * Convert the buffer into a Netty object, used to write the data out with SSL encryption,
+   * which cannot use {@link io.netty.channel.FileRegion}.
+   * The return value is either a {@link io.netty.buffer.ByteBuf},
+   * a {@link io.netty.handler.stream.ChunkedStream}, or a {@link java.io.InputStream}.
+   *
+   * If this method returns a ByteBuf, then that buffer's reference count will be incremented and
+   * the caller will be responsible for releasing this new reference.
+   */
+  public abstract Object convertToNettyForSsl() throws IOException;
 }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/buffer/NettyManagedBuffer.java b/common/network-common/src/main/java/org/apache/spark/network/buffer/NettyManagedBuffer.java
index b42977c7cb7f6..a40cfc8bc04b1 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/buffer/NettyManagedBuffer.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/buffer/NettyManagedBuffer.java
@@ -68,6 +68,11 @@ public Object convertToNetty() throws IOException {
     return buf.duplicate().retain();
   }
 
+  @Override
+  public Object convertToNettyForSsl() throws IOException {
+    return buf.duplicate().retain();
+  }
+
   @Override
   public String toString() {
     return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
diff --git a/common/network-common/src/main/java/org/apache/spark/network/buffer/NioManagedBuffer.java b/common/network-common/src/main/java/org/apache/spark/network/buffer/NioManagedBuffer.java
index 084f89d2611cf..6eb8d4e2c731c 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/buffer/NioManagedBuffer.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/buffer/NioManagedBuffer.java
@@ -66,6 +66,11 @@ public Object convertToNetty() throws IOException {
     return Unpooled.wrappedBuffer(buf);
   }
 
+  @Override
+  public Object convertToNettyForSsl() throws IOException {
+    return Unpooled.wrappedBuffer(buf);
+  }
+
   @Override
   public String toString() {
     return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
diff --git a/common/network-common/src/main/java/org/apache/spark/network/client/TransportClient.java b/common/network-common/src/main/java/org/apache/spark/network/client/TransportClient.java
index 4a0a156699852..40825e06b82fd 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/client/TransportClient.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/client/TransportClient.java
@@ -325,7 +325,10 @@ public TransportResponseHandler getHandler() {
 
   @Override
   public void close() {
-    // close is a local operation and should finish with milliseconds; timeout just to be safe
+    // Mark the connection as timed out, so we do not return a connection that's being closed
+    // from the TransportClientFactory if closing takes some time (e.g. with SSL)
+    this.timedOut = true;
+    // close should not take this long; use a timeout just to be safe
     channel.close().awaitUninterruptibly(10, TimeUnit.SECONDS);
   }
 
diff --git a/common/network-common/src/main/java/org/apache/spark/network/client/TransportClientFactory.java b/common/network-common/src/main/java/org/apache/spark/network/client/TransportClientFactory.java
index 4c1efd69206c5..0c6eb91c02847 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/client/TransportClientFactory.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/client/TransportClientFactory.java
@@ -39,6 +39,9 @@
 import io.netty.channel.ChannelOption;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.socket.SocketChannel;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.util.concurrent.Future;
+import io.netty.util.concurrent.GenericFutureListener;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -268,7 +271,7 @@ TransportClient createClient(InetSocketAddress address)
     bootstrap.handler(new ChannelInitializer<SocketChannel>() {
       @Override
       public void initChannel(SocketChannel ch) {
-        TransportChannelHandler clientHandler = context.initializePipeline(ch);
+        TransportChannelHandler clientHandler = context.initializePipeline(ch, true);
         clientRef.set(clientHandler.getClient());
         channelRef.set(ch);
       }
@@ -293,6 +296,26 @@ public void initChannel(SocketChannel ch) {
     } else if (cf.cause() != null) {
       throw new IOException(String.format("Failed to connect to %s", address), cf.cause());
     }
+    if (context.sslEncryptionEnabled()) {
+      final SslHandler sslHandler = cf.channel().pipeline().get(SslHandler.class);
+      Future<Channel> future = sslHandler.handshakeFuture().addListener(
+        new GenericFutureListener<Future<Channel>>() {
+          @Override
+          public void operationComplete(final Future<Channel> handshakeFuture) {
+            if (handshakeFuture.isSuccess()) {
+              logger.debug("{} successfully completed TLS handshake to ", address);
+            } else {
+              if (logger.isDebugEnabled()) {
+                logger.debug(
+                  "failed to complete TLS handshake to " + address,
+                  handshakeFuture.cause());
+              }
+              cf.channel().close();
+            }
+          }
+      });
+      future.await(conf.connectionTimeoutMs());
+    }
 
     TransportClient client = clientRef.get();
     Channel channel = channelRef.get();
@@ -337,5 +360,6 @@ public void close() {
     if (workerGroup != null && !workerGroup.isShuttingDown()) {
       workerGroup.shutdownGracefully();
     }
+
   }
 }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/protocol/EncryptedMessageWithHeader.java b/common/network-common/src/main/java/org/apache/spark/network/protocol/EncryptedMessageWithHeader.java
new file mode 100644
index 0000000000000..2836644d16549
--- /dev/null
+++ b/common/network-common/src/main/java/org/apache/spark/network/protocol/EncryptedMessageWithHeader.java
@@ -0,0 +1,131 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.protocol;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.stream.ChunkedStream;
+import io.netty.handler.stream.ChunkedInput;
+
+import com.google.common.base.Preconditions;
+import org.apache.spark.network.buffer.ManagedBuffer;
+
+import javax.annotation.Nullable;
+import java.io.InputStream;
+
+/**
+ * A wrapper message that holds two separate pieces (a header and a body).
+ *
+ * The header must be a ByteBuf, while the body can be any InputStream
+ */
+public class EncryptedMessageWithHeader implements ChunkedInput<ByteBuf> {
+
+  @Nullable private final ManagedBuffer managedBuffer;
+  private final ByteBuf header;
+  private final int headerLength;
+  private final Object body;
+  private final long bodyLength;
+  private long totalBytesTransferred;
+
+  /**
+   * Construct a new EncryptedMessageWithHeader.
+   *
+   * @param managedBuffer the {@link ManagedBuffer} that the message body came from. This needs to
+   *                      be passed in so that the buffer can be freed when this message is
+   *                      deallocated. Ownership of the caller's reference to this buffer is
+   *                      transferred to this class, so if the caller wants to continue to use the
+   *                      ManagedBuffer in other messages then they will need to call retain() on
+   *                      it before passing it to this constructor.
+   * @param header the message header.
+   * @param body the message body.
+   * @param bodyLength the length of the message body, in bytes.
+   */
+
+  public EncryptedMessageWithHeader(
+      @Nullable ManagedBuffer managedBuffer, ByteBuf header, Object body, long bodyLength) {
+    Preconditions.checkArgument(body instanceof InputStream || body instanceof ChunkedStream,
+      "Body must be an InputStream or a ChunkedStream.");
+    this.managedBuffer = managedBuffer;
+    this.header = header;
+    this.headerLength = header.readableBytes();
+    this.body = body;
+    this.bodyLength = bodyLength;
+    this.totalBytesTransferred = 0;
+  }
+
+  @Override
+  public ByteBuf readChunk(ChannelHandlerContext ctx) throws Exception {
+    return readChunk(ctx.alloc());
+  }
+
+  @Override
+  public ByteBuf readChunk(ByteBufAllocator allocator) throws Exception {
+    if (isEndOfInput()) {
+      return null;
+    }
+
+    if (totalBytesTransferred < headerLength) {
+      totalBytesTransferred += headerLength;
+      return header.retain();
+    } else if (body instanceof InputStream) {
+      InputStream stream = (InputStream) body;
+      int available = stream.available();
+      ByteBuf buffer = allocator.buffer(available);
+      int toRead = Math.min(available, buffer.writableBytes());
+      int read = buffer.writeBytes(stream, toRead);
+      totalBytesTransferred += read;
+      return buffer;
+    } else if (body instanceof ChunkedStream) {
+      ChunkedStream stream = (ChunkedStream) body;
+      long old = stream.transferredBytes();
+      ByteBuf buffer = stream.readChunk(allocator);
+      totalBytesTransferred += (stream.transferredBytes() - old);
+      return buffer;
+    } else {
+      return null;
+    }
+  }
+
+  @Override
+  public long length() {
+    return headerLength + bodyLength;
+  }
+
+  @Override
+  public long progress() {
+    return totalBytesTransferred;
+  }
+  @Override
+  public boolean isEndOfInput() throws Exception {
+    return (headerLength + bodyLength) == totalBytesTransferred;
+  }
+
+  @Override
+  public void close() throws Exception {
+    header.release();
+    if (managedBuffer != null) {
+      managedBuffer.release();
+    }
+    if (body instanceof InputStream) {
+      ((InputStream) body).close();
+    } else if (body instanceof ChunkedStream) {
+      ((ChunkedStream) body).close();
+    }
+  }
+}
diff --git a/common/network-common/src/main/java/org/apache/spark/network/protocol/SslMessageEncoder.java b/common/network-common/src/main/java/org/apache/spark/network/protocol/SslMessageEncoder.java
new file mode 100644
index 0000000000000..0d0195161d0e3
--- /dev/null
+++ b/common/network-common/src/main/java/org/apache/spark/network/protocol/SslMessageEncoder.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.protocol;
+
+import java.io.InputStream;
+import java.util.List;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.Unpooled;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.MessageToMessageEncoder;
+import io.netty.handler.stream.ChunkedStream;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Encoder used by the server side to encode secure (SSL) server-to-client responses.
+ * This encoder is stateless so it is safe to be shared by multiple threads.
+ */
+@ChannelHandler.Sharable
+public final class SslMessageEncoder extends MessageToMessageEncoder<Message> {
+
+  private final Logger logger = LoggerFactory.getLogger(SslMessageEncoder.class);
+
+  private SslMessageEncoder() {}
+
+  public static final SslMessageEncoder INSTANCE = new SslMessageEncoder();
+
+  /**
+   * Encodes a Message by invoking its encode() method. For non-data messages, we will add one
+   * ByteBuf to 'out' containing the total frame length, the message type, and the message itself.
+   * In the case of a ChunkFetchSuccess, we will also add the ManagedBuffer corresponding to the
+   * data to 'out'.
+   */
+  @Override
+  public void encode(ChannelHandlerContext ctx, Message in, List<Object> out) throws Exception {
+    Object body = null;
+    long bodyLength = 0;
+    boolean isBodyInFrame = false;
+
+    // If the message has a body, take it out...
+    // For SSL, zero-copy transfer will not work, so we will check if
+    // the body is a ChunkedFile, and if so, use a ChunkedFileWithHeader
+    // to wrap the header+body appropriately (for thread safety).
+    if (in.body() != null) {
+      try {
+        bodyLength = in.body().size();
+        body = in.body().convertToNettyForSsl();
+        isBodyInFrame = in.isBodyInFrame();
+      } catch (Exception e) {
+        in.body().release();
+        if (in instanceof AbstractResponseMessage) {
+          AbstractResponseMessage resp = (AbstractResponseMessage) in;
+          // Re-encode this message as a failure response.
+          String error = e.getMessage() != null ? e.getMessage() : "null";
+          logger.error(String.format("Error processing %s for client %s",
+                  in, ctx.channel().remoteAddress()), e);
+          encode(ctx, resp.createFailureResponse(error), out);
+        } else {
+          throw e;
+        }
+        return;
+      }
+    }
+
+    Message.Type msgType = in.type();
+    // All messages have the frame length, message type, and message itself. The frame length
+    // may optionally include the length of the body data, depending on what message is being
+    // sent.
+    int headerLength = 8 + msgType.encodedLength() + in.encodedLength();
+    long frameLength = headerLength + (isBodyInFrame ? bodyLength : 0);
+    ByteBuf header = ctx.alloc().buffer(headerLength);
+    header.writeLong(frameLength);
+    msgType.encode(header);
+    in.encode(header);
+    assert header.writableBytes() == 0;
+
+    if (body != null && bodyLength > 0) {
+      if (body instanceof ByteBuf) {
+        out.add(Unpooled.wrappedBuffer(header, (ByteBuf) body));
+      } else if (body instanceof InputStream || body instanceof ChunkedStream) {
+        // For now, assume the InputStream is doing proper chunking.
+        out.add(new EncryptedMessageWithHeader(in.body(), header, body, bodyLength));
+      } else {
+        throw new IllegalArgumentException(
+          "Body must be a ByteBuf, ChunkedStream or an InputStream");
+      }
+    } else {
+      out.add(header);
+    }
+  }
+}
diff --git a/common/network-common/src/main/java/org/apache/spark/network/server/TransportChannelHandler.java b/common/network-common/src/main/java/org/apache/spark/network/server/TransportChannelHandler.java
index f55ca2204cdb4..d6ade1c776407 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/server/TransportChannelHandler.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/server/TransportChannelHandler.java
@@ -200,4 +200,8 @@ public void channelUnregistered(ChannelHandlerContext ctx) throws Exception {
     super.channelUnregistered(ctx);
   }
 
+  public int getSslShuffleChunkSize() {
+    return transportContext.getConf().sslShuffleChunkSize();
+  }
+
 }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/server/TransportServer.java b/common/network-common/src/main/java/org/apache/spark/network/server/TransportServer.java
index 5b5b3f9d901f0..6f2e4b8a502a2 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/server/TransportServer.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/server/TransportServer.java
@@ -140,7 +140,7 @@ protected void initChannel(SocketChannel ch) {
         for (TransportServerBootstrap bootstrap : bootstraps) {
           rpcHandler = bootstrap.doBootstrap(ch, rpcHandler);
         }
-        context.initializePipeline(ch, rpcHandler);
+        context.initializePipeline(ch, rpcHandler, false);
       }
     });
 
diff --git a/common/network-common/src/main/java/org/apache/spark/network/ssl/ReloadingX509TrustManager.java b/common/network-common/src/main/java/org/apache/spark/network/ssl/ReloadingX509TrustManager.java
new file mode 100644
index 0000000000000..ce5ff9007583e
--- /dev/null
+++ b/common/network-common/src/main/java/org/apache/spark/network/ssl/ReloadingX509TrustManager.java
@@ -0,0 +1,201 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.ssl;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.atomic.AtomicReference;
+
+/**
+ * A {@link TrustManager} implementation that reloads its configuration when
+ * the truststore file on disk changes.
+ * This implementation is based entirely on the
+ * org.apache.hadoop.security.ssl.ReloadingX509TrustManager class in the Apache Hadoop Encrypted
+ * Shuffle implementation.
+ *
+ * @see <a href="https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/EncryptedShuffle.html">Hadoop MapReduce Next Generation - Encrypted Shuffle</a>
+ */
+public final class ReloadingX509TrustManager
+        implements X509TrustManager, Runnable {
+
+  private final Logger logger = LoggerFactory.getLogger(ReloadingX509TrustManager.class);
+
+  private String type;
+  private File file;
+  private String password;
+  private long lastLoaded;
+  private long reloadInterval;
+  private AtomicReference<X509TrustManager> trustManagerRef;
+
+  private volatile boolean running;
+  private Thread reloader;
+
+  /**
+   * Creates a reloadable trustmanager. The trustmanager reloads itself
+   * if the underlying trustore file has changed.
+   *
+   * @param type           type of truststore file, typically 'jks'.
+   * @param trustStore     the truststore file.
+   * @param password       password of the truststore file.
+   * @param reloadInterval interval to check if the truststore file has
+   *                       changed, in milliseconds.
+   * @throws IOException              thrown if the truststore could not be initialized due
+   *                                  to an IO error.
+   * @throws GeneralSecurityException thrown if the truststore could not be
+   *                                  initialized due to a security error.
+   */
+  public ReloadingX509TrustManager(
+      String type, File trustStore, String password, long reloadInterval)
+      throws IOException, GeneralSecurityException {
+    this.type = type;
+    file = trustStore;
+    this.password = password;
+    trustManagerRef = new AtomicReference<X509TrustManager>();
+    trustManagerRef.set(loadTrustManager());
+    this.reloadInterval = reloadInterval;
+  }
+
+  /**
+   * Starts the reloader thread.
+   */
+  public void init() {
+    reloader = new Thread(this, "Truststore reloader thread");
+    reloader.setDaemon(true);
+    running = true;
+    reloader.start();
+  }
+
+  /**
+   * Stops the reloader thread.
+   */
+  public void destroy() {
+    running = false;
+    reloader.interrupt();
+  }
+
+  /**
+   * Returns the reload check interval.
+   *
+   * @return the reload check interval, in milliseconds.
+   */
+  public long getReloadInterval() {
+    return reloadInterval;
+  }
+
+  @Override
+  public void checkClientTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+    X509TrustManager tm = trustManagerRef.get();
+    if (tm != null) {
+      tm.checkClientTrusted(chain, authType);
+    } else {
+      throw new CertificateException("Unknown client chain certificate: " +
+        chain[0].toString());
+    }
+  }
+
+  @Override
+  public void checkServerTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+    X509TrustManager tm = trustManagerRef.get();
+    if (tm != null) {
+      tm.checkServerTrusted(chain, authType);
+    } else {
+      throw new CertificateException("Unknown server chain certificate: " +
+              chain[0].toString());
+    }
+  }
+
+  private static final X509Certificate[] EMPTY = new X509Certificate[0];
+
+  @Override
+  public X509Certificate[] getAcceptedIssuers() {
+    X509Certificate[] issuers = EMPTY;
+    X509TrustManager tm = trustManagerRef.get();
+    if (tm != null) {
+      issuers = tm.getAcceptedIssuers();
+    }
+    return issuers;
+  }
+
+  boolean needsReload() {
+    boolean reload = true;
+    if (file.exists()) {
+      if (file.lastModified() == lastLoaded) {
+        reload = false;
+      }
+    } else {
+      lastLoaded = 0;
+    }
+    return reload;
+  }
+
+  X509TrustManager loadTrustManager()
+          throws IOException, GeneralSecurityException {
+    X509TrustManager trustManager = null;
+    KeyStore ks = KeyStore.getInstance(type);
+    lastLoaded = file.lastModified();
+    FileInputStream in = new FileInputStream(file);
+    try {
+      ks.load(in, password.toCharArray());
+      logger.debug("Loaded truststore '" + file + "'");
+    } finally {
+      in.close();
+    }
+
+    TrustManagerFactory trustManagerFactory =
+      TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    trustManagerFactory.init(ks);
+    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+    for (TrustManager trustManager1 : trustManagers) {
+      if (trustManager1 instanceof X509TrustManager) {
+        trustManager = (X509TrustManager) trustManager1;
+        break;
+      }
+    }
+    return trustManager;
+  }
+
+  @Override
+  public void run() {
+    while (running) {
+      try {
+        Thread.sleep(reloadInterval);
+      } catch (InterruptedException e) {
+        //NOP
+      }
+      if (running && needsReload()) {
+        try {
+          trustManagerRef.set(loadTrustManager());
+        } catch (Exception ex) {
+          logger.warn("Could not load truststore (keep using existing one) : " + ex.toString(), ex);
+        }
+      }
+    }
+  }
+}
diff --git a/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
new file mode 100644
index 0000000000000..35ada9a57bc42
--- /dev/null
+++ b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
@@ -0,0 +1,503 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.ssl;
+
+import com.google.common.io.Files;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.OpenSsl;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.spark.network.util.JavaUtils;
+
+public class SSLFactory {
+
+  private final Logger logger = LoggerFactory.getLogger(SSLFactory.class);
+
+  /**
+   * For a configuration specifying keystore/truststore files
+   */
+  private SSLContext jdkSslContext;
+
+  /**
+   * For a configuration specifying a PEM cert chain, and a PEM private key
+   */
+  private SslContext nettyClientSslContext;
+  private SslContext nettyServerSslContext;
+
+  private KeyManager[] keyManagers;
+  private TrustManager[] trustManagers;
+  private String requestedProtocol;
+  private String[] requestedCiphers;
+
+  private SSLFactory(final Builder b) {
+    this.requestedProtocol = b.requestedProtocol;
+    this.requestedCiphers = b.requestedCiphers;
+    try {
+      if (b.certChain != null && b.privateKey != null) {
+        initNettySslContexts(b);
+      } else {
+        initJdkSslContext(b);
+      }
+    } catch (Exception e) {
+      throw new RuntimeException("SSLFactory creation failed", e);
+    }
+  }
+
+  private void initJdkSslContext(final Builder b)
+          throws IOException, GeneralSecurityException {
+    this.keyManagers = keyManagers(b.keyStore, b.keyStorePassword);
+    this.trustManagers = trustStoreManagers(
+      b.trustStore, b.trustStorePassword,
+      b.trustStoreReloadingEnabled, b.trustStoreReloadInterval
+    );
+    this.jdkSslContext = createSSLContext(requestedProtocol, keyManagers, trustManagers);
+  }
+
+  private void initNettySslContexts(final Builder b)
+          throws SSLException, NoSuchAlgorithmException {
+    nettyClientSslContext = SslContextBuilder
+      .forClient()
+      .sslProvider(getSslProvider(b))
+      .trustManager(b.certChain)
+      .build();
+
+    nettyServerSslContext = SslContextBuilder
+      .forServer(b.certChain, b.privateKey, b.keyPassword)
+      .sslProvider(getSslProvider(b))
+      .sessionCacheSize(0)
+      .sessionTimeout(0)
+      .build();
+  }
+
+  /**
+   * If OpenSSL is requested, this will check if an implementation is available on the local host.
+   * If an implementation is not available it will fall back to the JDK {@link SslProvider}.
+   *
+   * @param b
+   * @return
+   */
+  private SslProvider getSslProvider(Builder b) {
+    if (b.openSslEnabled) {
+      if (OpenSsl.isAvailable()) {
+        return SslProvider.OPENSSL;
+      } else {
+        logger.warn("OpenSSL Provider requested but it is not available, using JDK SSL Provider");
+      }
+    }
+    return SslProvider.JDK;
+  }
+
+  public void destroy() {
+    if (trustManagers != null) {
+      for (int i = 0; i < trustManagers.length; i++) {
+        if (trustManagers[i] instanceof ReloadingX509TrustManager) {
+          ((ReloadingX509TrustManager) trustManagers[i]).destroy();
+        }
+      }
+      trustManagers = null;
+    }
+
+    keyManagers = null;
+    jdkSslContext = null;
+    nettyClientSslContext = null;
+    nettyServerSslContext = null;
+    requestedProtocol = null;
+    requestedCiphers = null;
+  }
+
+  /**
+   * Builder class to construct instances of {@link SSLFactory} with specific options
+   */
+  public static class Builder {
+    private String requestedProtocol;
+    private String[] requestedCiphers;
+    private File keyStore;
+    private String keyStorePassword;
+    private File privateKey;
+    private String keyPassword;
+    private File certChain;
+    private File trustStore;
+    private String trustStorePassword;
+    private boolean trustStoreReloadingEnabled;
+    private int trustStoreReloadInterval;
+    private boolean openSslEnabled;
+
+    /**
+     * Sets the requested protocol, i.e., "TLSv1.2", "TLSv1.1", etc
+     *
+     * @param requestedProtocol
+     * @return
+     */
+    public Builder requestedProtocol(String requestedProtocol) {
+      this.requestedProtocol = requestedProtocol == null ? "TLSv1.2" : requestedProtocol;
+      return this;
+    }
+
+    /**
+     * Sets the requested cipher suites, i.e., "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", etc
+     *
+     * @param requestedCiphers
+     * @return
+     */
+    public Builder requestedCiphers(String[] requestedCiphers) {
+      this.requestedCiphers = requestedCiphers;
+      return this;
+    }
+
+    /**
+     * Sets the Keystore and Keystore password
+     *
+     * @param keyStore
+     * @param keyStorePassword
+     * @return
+     */
+    public Builder keyStore(File keyStore, String keyStorePassword) {
+      this.keyStore = keyStore;
+      this.keyStorePassword = keyStorePassword;
+      return this;
+    }
+
+    /**
+     * Sets a PKCS#8 private key file in PEM format
+     *
+     * @param privateKey
+     * @return
+     */
+    public Builder privateKey(File privateKey) {
+      this.privateKey = privateKey;
+      return this;
+    }
+
+    /**
+     * Sets the Key password
+     *
+     * @param keyPassword
+     * @return
+     */
+    public Builder keyPassword(String keyPassword) {
+      this.keyPassword = keyPassword;
+      return this;
+    }
+
+    /**
+     * Sets a X.509 certificate chain file in PEM format
+     *
+     * @param certChain
+     * @return
+     */
+    public Builder certChain(File certChain) {
+      this.certChain = certChain;
+      return this;
+    }
+
+    /**
+     * @param enabled
+     * @return
+     */
+    public Builder openSslEnabled(boolean enabled) {
+      this.openSslEnabled = enabled;
+      return this;
+    }
+
+    /**
+     * Sets the trust-store, trust-store password, whether to use a Reloading TrustStore,
+     * and the trust-store reload interval, if enabled
+     *
+     * @param trustStore
+     * @param trustStorePassword
+     * @param trustStoreReloadingEnabled
+     * @param trustStoreReloadInterval
+     * @return
+     */
+    public Builder trustStore(
+        File trustStore, String trustStorePassword,
+        boolean trustStoreReloadingEnabled, int trustStoreReloadInterval) {
+      this.trustStore = trustStore;
+      this.trustStorePassword = trustStorePassword;
+      this.trustStoreReloadingEnabled = trustStoreReloadingEnabled;
+      this.trustStoreReloadInterval = trustStoreReloadInterval;
+      return this;
+    }
+
+    /**
+     * Builds our {@link SSLFactory}
+     *
+     * @return
+     */
+    public SSLFactory build() {
+      return new SSLFactory(this);
+    }
+  }
+
+  /**
+   * Returns an initialized {@link SSLContext}
+   *
+   * @param requestedProtocol
+   * @param keyManagers
+   * @param trustManagers
+   * @return
+   * @throws IOException
+   * @throws GeneralSecurityException
+   */
+  private static SSLContext createSSLContext(
+      String requestedProtocol,
+      KeyManager[] keyManagers,
+      TrustManager[] trustManagers) throws GeneralSecurityException {
+    SSLContext sslContext = getSSLContextInstance(requestedProtocol);
+    sslContext.init(keyManagers, trustManagers, null);
+    return sslContext;
+  }
+
+  /**
+   * Get the {@link SSLContext} for the specified <tt>requestedProtocol</tt>
+   * if available, or the default {@linnk SSLContext}
+   * @param requestedProtocol
+   * @return
+   * @throws NoSuchAlgorithmException
+   */
+  private static SSLContext getSSLContextInstance(String requestedProtocol)
+      throws NoSuchAlgorithmException {
+    SSLContext context = null;
+    try {
+      context = SSLContext.getInstance(requestedProtocol);
+    } catch (Exception e) {
+      context = SSLContext.getDefault();
+    }
+    return context;
+  }
+
+  /**
+   * Creates a new {@link SSLEngine}.
+   * Note that currently client auth is not supported
+   *
+   * @return
+   * @throws NoSuchAlgorithmException
+   * @throws UnrecoverableKeyException
+   * @throws CertificateException
+   * @throws KeyStoreException
+   * @throws IOException
+   * @throws KeyManagementException
+   */
+  public SSLEngine createSSLEngine(boolean isClient, ByteBufAllocator allocator) {
+    SSLEngine engine = createEngine(isClient, allocator);
+    engine.setUseClientMode(isClient);
+    engine.setNeedClientAuth(false);
+    engine.setEnabledProtocols(enabledProtocols(engine, requestedProtocol));
+    engine.setEnabledCipherSuites(enabledCipherSuites(engine, requestedCiphers));
+    return engine;
+  }
+
+  private SSLEngine createEngine(boolean isClient, ByteBufAllocator allocator) {
+    SSLEngine engine;
+    if (isClient) {
+      if (nettyClientSslContext != null) {
+        engine = nettyClientSslContext.newEngine(allocator);
+      } else {
+        engine = jdkSslContext.createSSLEngine();
+      }
+    } else {
+      if (nettyServerSslContext != null) {
+        engine = nettyServerSslContext.newEngine(allocator);
+      } else {
+        engine = jdkSslContext.createSSLEngine();
+      }
+    }
+    return engine;
+  }
+
+  private static TrustManager[] credulousTrustStoreManagers() {
+    return new TrustManager[]{new X509TrustManager() {
+      @Override
+      public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
+        throws CertificateException {
+      }
+
+      @Override
+      public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
+        throws CertificateException {
+      }
+
+      @Override
+      public X509Certificate[] getAcceptedIssuers() {
+        return null;
+      }
+    }};
+  }
+
+  private static TrustManager[] trustStoreManagers(
+      File trustStore, String trustStorePassword,
+      boolean trustStoreReloadingEnabled, int trustStoreReloadInterval)
+          throws IOException, GeneralSecurityException {
+    if (trustStore == null || !trustStore.exists()) {
+      return credulousTrustStoreManagers();
+    } else {
+      if (trustStorePassword == null) {
+        throw new KeyStoreException("trustStorePassword cannot be null");
+      }
+
+      if (trustStoreReloadingEnabled) {
+        ReloadingX509TrustManager reloading = new ReloadingX509TrustManager(
+          KeyStore.getDefaultType(), trustStore, trustStorePassword, trustStoreReloadInterval);
+        reloading.init();
+        return new TrustManager[]{reloading};
+      } else {
+        return defaultTrustManagers(trustStore, trustStorePassword);
+      }
+    }
+  }
+
+  private static TrustManager[] defaultTrustManagers(File trustStore, String trustStorePassword)
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    InputStream input = Files.asByteSource(trustStore).openStream();
+    try {
+      KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+      ks.load(input, trustStorePassword.toCharArray());
+      TrustManagerFactory tmf = TrustManagerFactory.getInstance(
+        TrustManagerFactory.getDefaultAlgorithm());
+      tmf.init(ks);
+      return tmf.getTrustManagers();
+    } finally {
+      JavaUtils.closeQuietly(input);
+    }
+  }
+
+  private static KeyManager[] keyManagers(File keyStore, String keyStorePassword)
+      throws NoSuchAlgorithmException, CertificateException,
+          KeyStoreException, IOException, UnrecoverableKeyException {
+    KeyManagerFactory factory = KeyManagerFactory.getInstance(
+      KeyManagerFactory.getDefaultAlgorithm());
+    factory.init(
+      loadKeyStore(keyStore, keyStorePassword),
+      (keyStorePassword != null ? keyStorePassword.toCharArray() : null)
+    );
+
+    return factory.getKeyManagers();
+  }
+
+  private static KeyStore loadKeyStore(File keyStore, String keyStorePassword)
+      throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+    if (keyStore == null) {
+      throw new KeyStoreException("keyStore cannot be null");
+    }
+
+    if (keyStorePassword == null) {
+      throw new KeyStoreException("keyStorePassword cannot be null");
+    }
+
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    FileInputStream fin = new FileInputStream(keyStore);
+    try {
+      ks.load(fin, keyStorePassword.toCharArray());
+      return ks;
+    } finally {
+      JavaUtils.closeQuietly(fin);
+    }
+  }
+
+  private static String[] enabledProtocols(SSLEngine engine, String requestedProtocol) {
+    String[] supportedProtocols = engine.getSupportedProtocols();
+    String[] defaultProtocols = {"TLSv1.3", "TLSv1.2"};
+    String[] enabledProtocols =
+      ((requestedProtocol == null || requestedProtocol.isEmpty()) ?
+        defaultProtocols : new String[]{requestedProtocol});
+    List<String> protocols = new ArrayList<String>();
+
+    addIfSupported(supportedProtocols, protocols, enabledProtocols);
+    if (!protocols.isEmpty()) {
+      return protocols.toArray(new String[protocols.size()]);
+    } else {
+      return supportedProtocols;
+    }
+  }
+
+  private static String[] enabledCipherSuites(
+      String[] supportedCiphers, String[] defaultCiphers, String[] requestedCiphers) {
+    String[] baseCiphers = new String[]{
+      // We take ciphers from the mozilla modern list first (for TLS 1.3):
+      // https://wiki.mozilla.org/Security/Server_Side_TLS
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      // Next we have the TLS1.2 ciphers for intermediate compatibility (since JDK8 does not
+      // support TLS1.2)
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
+    };
+    String[] enabledCiphers =
+      ((requestedCiphers == null || requestedCiphers.length == 0) ? baseCiphers : requestedCiphers);
+    List<String> ciphers = new ArrayList<String>();
+
+    addIfSupported(supportedCiphers, ciphers, enabledCiphers);
+    if (!ciphers.isEmpty()) {
+      return ciphers.toArray(new String[ciphers.size()]);
+    } else {
+      // Use the default from JDK as fallback.
+      return defaultCiphers;
+    }
+  }
+
+  private static String[] enabledCipherSuites(SSLEngine engine, String[] requestedCiphers) {
+    return enabledCipherSuites(
+      engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites(), requestedCiphers);
+  }
+
+  private static void addIfSupported(String[] supported, List<String> enabled, String... names) {
+    for (String n : names) {
+      for (String s : supported) {
+        if (n.equals(s)) {
+          enabled.add(s);
+          break;
+        }
+      }
+    }
+  }
+}
diff --git a/common/network-common/src/main/java/org/apache/spark/network/util/NettyLogger.java b/common/network-common/src/main/java/org/apache/spark/network/util/NettyLogger.java
index 9398726a92625..d0d9ad41824d4 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/util/NettyLogger.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/util/NettyLogger.java
@@ -25,6 +25,9 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.IOException;
+import java.io.InputStream;
+
 public class NettyLogger {
   private static final Logger logger = LoggerFactory.getLogger(NettyLogger.class);
 
@@ -42,6 +45,14 @@ protected String format(ChannelHandlerContext ctx, String eventName, Object arg)
       } else if (arg instanceof ByteBufHolder) {
         return format(ctx, eventName) + " " +
           ((ByteBufHolder) arg).content().readableBytes() + "B";
+      } else if (arg instanceof InputStream) {
+        int available = 0;
+        try {
+          available = ((InputStream) arg).available();
+        } catch (IOException ex) {
+          // Swallow
+        }
+        return format(ctx, eventName) + " " + available + "B";
       } else {
         return super.format(ctx, eventName, arg);
       }
diff --git a/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java b/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
index 2794883f3cf3e..d4c88d2d4f920 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
@@ -17,6 +17,7 @@
 
 package org.apache.spark.network.util;
 
+import java.io.File;
 import java.util.Locale;
 import java.util.Properties;
 import java.util.concurrent.TimeUnit;
@@ -249,6 +250,168 @@ public boolean saslServerAlwaysEncrypt() {
     return conf.getBoolean("spark.network.sasl.serverAlwaysEncrypt", false);
   }
 
+  /**
+   * When Secure (SSL/TLS) Shuffle is enabled, the Chunk size to use for shuffling files.
+   * // TODO: See if we should reuse spark.buffer.write.chunkSize here
+   */
+  public int sslShuffleChunkSize() {
+    return Ints.checkedCast(JavaUtils.byteStringAsBytes(
+      conf.get("spark.network.ssl.maxEncryptedBlockSize", "64k")));
+  }
+
+  /**
+   * Whether Secure (SSL/TLS) RPC (including Block Transfer Service) is enabled
+   */
+  public boolean sslRpcEnabled() {
+    return conf.getBoolean("spark.ssl.rpc.enabled", false);
+  }
+
+  /**
+   * SSL protocol (remember that SSLv3 was compromised) supported by Java
+   */
+  public String sslRpcProtocol() {
+    return conf.get("spark.ssl.rpc.protocol", null);
+  }
+
+  /**
+   * A comma separated list of ciphers
+   */
+  public String[] sslRpcRequestedCiphers() {
+    String ciphers = conf.get("spark.ssl.rpc.enabledAlgorithms", null);
+    return (ciphers != null ? ciphers.split(",") : null);
+  }
+
+  /**
+   * The key-store file; can be relative to the current directory
+   */
+  public File sslRpcKeyStore() {
+    String keyStore = conf.get("spark.ssl.rpc.keyStore", null);
+    if (keyStore != null) {
+      return new File(keyStore);
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * The password to the key-store file
+   */
+  public String sslRpcKeyStorePassword() {
+    return conf.get("spark.ssl.rpc.keyStorePassword", null);
+  }
+
+  /**
+   * A PKCS#8 private key file in PEM format; can be relative to the current directory
+   */
+  public File sslRpcPrivateKey() {
+    String privateKey = conf.get("spark.ssl.rpc.privateKey", null);
+    if (privateKey != null) {
+      return new File(privateKey);
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * The password to the private key
+   */
+  public String sslRpcKeyPassword() {
+    return conf.get("spark.ssl.rpc.keyPassword", null);
+  }
+
+  /**
+   * A X.509 certificate chain file in PEM format; can be relative to the current directory
+   */
+  public File sslRpcCertChain() {
+    String certChain = conf.get("spark.ssl.rpc.certChain", null);
+    if (certChain != null) {
+      return new File(certChain);
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * The trust-store file; can be relative to the current directory
+   */
+  public File sslRpcTrustStore() {
+    String trustStore = conf.get("spark.ssl.rpc.trustStore", null);
+    if (trustStore != null) {
+      return new File(trustStore);
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * The password to the trust-store file
+   */
+  public String sslRpcTrustStorePassword() {
+    return conf.get("spark.ssl.rpc.trustStorePassword", null);
+  }
+
+  /**
+   * If using a trust-store that that reloads its configuration is enabled.
+   * If true, when the trust-store file on disk changes, it will be reloaded
+   */
+  public boolean sslRpcTrustStoreReloadingEnabled() {
+    return conf.getBoolean("spark.ssl.rpc.trustStoreReloadingEnabled", false);
+  }
+
+  /**
+   * The interval, in milliseconds, the trust-store will reload its configuration
+   */
+  public int sslRpcTrustStoreReloadInterval() {
+    return conf.getInt("spark.ssl.rpc.trustStoreReloadInterval", 10000);
+  }
+
+  /**
+   * If the OpenSSL implementation is enabled,
+   * (if available on host system), requires certChain and keyFile arguments
+   */
+  public boolean sslRpcOpenSslEnabled() {
+    return conf.getBoolean("spark.ssl.rpc.openSslEnabled", false);
+  }
+
+  /**
+   *
+   * @return true if and only if RPC encryption is enabled and the relevant keys exist
+   */
+  public boolean sslRpcEnabledAndKeysAreValid() {
+    if (!sslRpcEnabled()) {
+      return false;
+    }
+    if (sslRpcOpenSslEnabled()) {
+      File privateKey = sslRpcPrivateKey();
+      if (privateKey == null || !privateKey.exists()) {
+        return false;
+      }
+      File certChain = sslRpcCertChain();
+      if (certChain == null || !certChain.exists()) {
+        return false;
+      }
+      return true;
+    } else {
+      File keyStore = sslRpcKeyStore();
+      if (keyStore == null || !keyStore.exists()) {
+        return false;
+      }
+      File trustStore = sslRpcTrustStore();
+      if (trustStore == null || !trustStore.exists()) {
+        return false;
+      }
+      return true;
+    }
+  }
+
+  /**
+   * If we can dangerously fallback to unencrypted connections if RPC over SSL is enabled
+   * but the key files are not present
+   */
+  public boolean sslRpcDangerouslyFallbackIfKeysNotPresent() {
+    return conf.getBoolean("spark.ssl.rpc.dangerouslyFallbackIfKeysNotPresent", false);
+  }
+
   /**
    * Flag indicating whether to share the pooled ByteBuf allocators between the different Netty
    * channels. If enabled then only two pooled ByteBuf allocators are created: one where caching
diff --git a/common/network-common/src/test/java/TransportConfSuite.java b/common/network-common/src/test/java/TransportConfSuite.java
new file mode 100644
index 0000000000000..f018b2de1ce72
--- /dev/null
+++ b/common/network-common/src/test/java/TransportConfSuite.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network;
+
+import org.apache.spark.network.util.TransportConf;
+import org.apache.spark.network.ssl.SslSampleConfigs;
+
+import org.junit.Test;
+
+import java.io.File;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+
+public class TransportConfSuite {
+
+  private TransportConf transportConf =
+    new TransportConf(
+     "shuffle", SslSampleConfigs.createDefaultConfigProviderForRpcNamespace());
+
+  @Test
+  public void testKeyStorePath() {
+    assertEquals(new File(SslSampleConfigs.keyStorePath), transportConf.sslRpcKeyStore());
+  }
+
+  @Test
+  public void testPrivateKeyPath() {
+    assertEquals(new File(SslSampleConfigs.privateKeyPath), transportConf.sslRpcPrivateKey());
+  }
+
+  @Test
+  public void testCertChainPath() {
+    assertEquals(new File(SslSampleConfigs.certChainPath), transportConf.sslRpcCertChain());
+  }
+
+  @Test
+  public void testTrustStorePath() {
+    assertEquals(new File(SslSampleConfigs.trustStorePath), transportConf.sslRpcTrustStore());
+  }
+
+  @Test
+  public void testTrustStoreReloadingEnabled() {
+    assertFalse(transportConf.sslRpcTrustStoreReloadingEnabled());
+  }
+
+  @Test
+  public void testOpenSslEnabled() {
+    assertFalse(transportConf.sslRpcOpenSslEnabled());
+  }
+
+  @Test
+  public void testSslRpcEnabled() {
+    assertTrue(transportConf.sslRpcEnabled());
+  }
+
+
+  @Test
+  public void testSslKeyStorePassword() {
+    assertEquals("password", transportConf.sslRpcKeyStorePassword());
+  }
+
+  @Test
+  public void testSslKeyPassword() {
+    assertEquals("password", transportConf.sslRpcKeyPassword());
+  }
+
+  @Test
+  public void testSslTrustStorePassword() {
+    assertEquals("password", transportConf.sslRpcTrustStorePassword());
+  }
+
+  @Test
+  public void testSslTrustStoreReloadInterval() {
+    assertEquals(10000, transportConf.sslRpcTrustStoreReloadInterval());
+  }
+}
diff --git a/common/network-common/src/test/java/org/apache/spark/network/SslChunkFetchIntegrationSuite.java b/common/network-common/src/test/java/org/apache/spark/network/SslChunkFetchIntegrationSuite.java
new file mode 100644
index 0000000000000..61e84847cda22
--- /dev/null
+++ b/common/network-common/src/test/java/org/apache/spark/network/SslChunkFetchIntegrationSuite.java
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network;
+
+import com.google.common.io.Closeables;
+import org.apache.spark.network.buffer.FileSegmentManagedBuffer;
+import org.apache.spark.network.buffer.ManagedBuffer;
+import org.apache.spark.network.buffer.NioManagedBuffer;
+import org.apache.spark.network.client.RpcResponseCallback;
+import org.apache.spark.network.client.TransportClient;
+import org.apache.spark.network.server.RpcHandler;
+import org.apache.spark.network.server.StreamManager;
+import org.apache.spark.network.util.TransportConf;
+import org.apache.spark.network.ssl.SslSampleConfigs;
+
+import org.junit.BeforeClass;
+
+import static org.junit.Assert.*;
+
+import java.io.File;
+import java.io.RandomAccessFile;
+import java.nio.ByteBuffer;
+import java.util.Random;
+
+/**
+ *
+ */
+public class SslChunkFetchIntegrationSuite extends ChunkFetchIntegrationSuite {
+
+  @BeforeClass
+  public static void setUp() throws Exception {
+    int bufSize = 100000;
+    final ByteBuffer buf = ByteBuffer.allocate(bufSize);
+    for (int i = 0; i < bufSize; i ++) {
+      buf.put((byte) i);
+    }
+    buf.flip();
+    bufferChunk = new NioManagedBuffer(buf);
+
+    testFile = File.createTempFile("shuffle-test-file", "txt");
+    testFile.deleteOnExit();
+    RandomAccessFile fp = new RandomAccessFile(testFile, "rw");
+    boolean shouldSuppressIOException = true;
+    try {
+      byte[] fileContent = new byte[1024];
+      new Random().nextBytes(fileContent);
+      fp.write(fileContent);
+      shouldSuppressIOException = false;
+    } finally {
+      Closeables.close(fp, shouldSuppressIOException);
+    }
+
+    final TransportConf conf = new TransportConf(
+      "shuffle", SslSampleConfigs.createDefaultConfigProviderForRpcNamespace());
+    fileChunk = new FileSegmentManagedBuffer(
+      conf, testFile, 10, testFile.length() - 25);
+
+    streamManager = new StreamManager() {
+      @Override
+      public ManagedBuffer getChunk(long streamId, int chunkIndex) {
+        assertEquals(STREAM_ID, streamId);
+        if (chunkIndex == BUFFER_CHUNK_INDEX) {
+          return new NioManagedBuffer(buf);
+        } else if (chunkIndex == FILE_CHUNK_INDEX) {
+          return new FileSegmentManagedBuffer(
+            conf, testFile, 10, testFile.length() - 25);
+        } else {
+          throw new IllegalArgumentException("Invalid chunk index: " + chunkIndex);
+        }
+      }
+    };
+    RpcHandler handler = new RpcHandler() {
+      @Override
+      public void receive(
+          TransportClient client,
+          ByteBuffer message,
+          RpcResponseCallback callback) {
+        throw new UnsupportedOperationException();
+      }
+
+      @Override
+      public StreamManager getStreamManager() {
+        return streamManager;
+      }
+    };
+    context = new TransportContext(conf, handler);
+    server = context.createServer();
+    clientFactory = context.createClientFactory();
+  }
+}
diff --git a/common/network-common/src/test/java/org/apache/spark/network/TestManagedBuffer.java b/common/network-common/src/test/java/org/apache/spark/network/TestManagedBuffer.java
index 83c90f9eff2b1..1814634fb92a3 100644
--- a/common/network-common/src/test/java/org/apache/spark/network/TestManagedBuffer.java
+++ b/common/network-common/src/test/java/org/apache/spark/network/TestManagedBuffer.java
@@ -80,6 +80,11 @@ public Object convertToNetty() throws IOException {
     return underlying.convertToNetty();
   }
 
+  @Override
+  public Object convertToNettyForSsl() throws IOException {
+    return underlying.convertToNettyForSsl();
+  }
+
   @Override
   public int hashCode() {
     return underlying.hashCode();
diff --git a/common/network-common/src/test/java/org/apache/spark/network/client/SslTransportClientFactorySuite.java b/common/network-common/src/test/java/org/apache/spark/network/client/SslTransportClientFactorySuite.java
new file mode 100644
index 0000000000000..d0b97260ab5de
--- /dev/null
+++ b/common/network-common/src/test/java/org/apache/spark/network/client/SslTransportClientFactorySuite.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.client;
+
+import org.junit.Before;
+
+import org.apache.spark.network.ssl.SslSampleConfigs;
+import org.apache.spark.network.server.NoOpRpcHandler;
+import org.apache.spark.network.server.RpcHandler;
+import org.apache.spark.network.util.TransportConf;
+import org.apache.spark.network.TransportContext;
+
+public class SslTransportClientFactorySuite extends TransportClientFactorySuite {
+
+  @Before
+  public void setUp() {
+    conf = new TransportConf(
+      "shuffle", SslSampleConfigs.createDefaultConfigProviderForRpcNamespace());
+    RpcHandler rpcHandler = new NoOpRpcHandler();
+    context = new TransportContext(conf, rpcHandler);
+    server1 = context.createServer();
+    server2 = context.createServer();
+  }
+}
diff --git a/common/network-common/src/test/java/org/apache/spark/network/client/TransportClientFactorySuite.java b/common/network-common/src/test/java/org/apache/spark/network/client/TransportClientFactorySuite.java
index 47b571af83d73..f92bd6f51d8c5 100644
--- a/common/network-common/src/test/java/org/apache/spark/network/client/TransportClientFactorySuite.java
+++ b/common/network-common/src/test/java/org/apache/spark/network/client/TransportClientFactorySuite.java
@@ -44,10 +44,10 @@
 import static org.junit.Assert.*;
 
 public class TransportClientFactorySuite {
-  private TransportConf conf;
-  private TransportContext context;
-  private TransportServer server1;
-  private TransportServer server2;
+  protected TransportConf conf;
+  protected TransportContext context;
+  protected TransportServer server1;
+  protected TransportServer server2;
 
   @Before
   public void setUp() {
diff --git a/common/network-common/src/test/java/org/apache/spark/network/protocol/EncryptedMessageWithHeaderSuite.java b/common/network-common/src/test/java/org/apache/spark/network/protocol/EncryptedMessageWithHeaderSuite.java
new file mode 100644
index 0000000000000..11f06472f79f5
--- /dev/null
+++ b/common/network-common/src/test/java/org/apache/spark/network/protocol/EncryptedMessageWithHeaderSuite.java
@@ -0,0 +1,144 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.protocol;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.util.Random;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.Unpooled;
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.stream.ChunkedStream;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+import org.apache.spark.network.buffer.ManagedBuffer;
+import org.apache.spark.network.buffer.NettyManagedBuffer;
+
+public class EncryptedMessageWithHeaderSuite {
+
+  // Tests the case where the body is an input stream and that we manage the refcounts of the
+  // buffer properly
+  @Test
+  public void testInputStreamBodyFromManagedBuffer() throws Exception {
+    byte[] randomData = new byte[128];
+    new Random().nextBytes(randomData);
+    ByteBuf sourceBuffer = Unpooled.copiedBuffer(randomData);
+    InputStream body = new ByteArrayInputStream(sourceBuffer.array());
+    ByteBuf header = Unpooled.copyLong(42);
+
+    long expectedHeaderValue = header.getLong(header.readerIndex());
+    assertEquals(1, header.refCnt());
+    assertEquals(1, sourceBuffer.refCnt());
+    ManagedBuffer managedBuf = new NettyManagedBuffer(sourceBuffer);
+
+    EncryptedMessageWithHeader msg = new EncryptedMessageWithHeader(
+      managedBuf, header, body, managedBuf.size());
+    ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
+
+    // First read should just read the header
+    ByteBuf headerResult = msg.readChunk(allocator);
+    assertEquals(header.capacity(), headerResult.readableBytes());
+    assertEquals(expectedHeaderValue, headerResult.readLong());
+    assertEquals(header.capacity(), msg.progress());
+    assertFalse(msg.isEndOfInput());
+
+    // Second read should read the body
+    ByteBuf bodyResult = msg.readChunk(allocator);
+    assertEquals(randomData.length + header.capacity(), msg.progress());
+    assertTrue(msg.isEndOfInput());
+
+    // Validate we read it all
+    assertEquals(bodyResult.readableBytes(), randomData.length);
+    for (int i = 0; i < randomData.length; i++) {
+      assertEquals(bodyResult.readByte(), randomData[i]);
+    }
+
+    // Closing the message should release the source buffer
+    msg.close();
+    assertEquals(0, sourceBuffer.refCnt());
+
+    // The header still has a reference we got
+    assertEquals(1, header.refCnt());
+    headerResult.release();
+    assertEquals(0, header.refCnt());
+  }
+
+  // Tests the case where the body is a chunked stream and that we are fine when there is no
+  // input managed buffer
+  @Test
+  public void testChunkedStream() throws Exception {
+    int bodyLength = 129;
+    int chunkSize = 64;
+    byte[] randomData = new byte[bodyLength];
+    new Random().nextBytes(randomData);
+    InputStream inputStream = new ByteArrayInputStream(randomData);
+    ChunkedStream body = new ChunkedStream(inputStream, chunkSize);
+    ByteBuf header = Unpooled.copyLong(42);
+
+    long expectedHeaderValue = header.getLong(header.readerIndex());
+    assertEquals(1, header.refCnt());
+
+    EncryptedMessageWithHeader msg = new EncryptedMessageWithHeader(null, header, body, bodyLength);
+    ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
+
+    // First read should just read the header
+    ByteBuf headerResult = msg.readChunk(allocator);
+    assertEquals(header.capacity(), headerResult.readableBytes());
+    assertEquals(expectedHeaderValue, headerResult.readLong());
+    assertEquals(header.capacity(), msg.progress());
+    assertFalse(msg.isEndOfInput());
+
+    // Next 2 reads should read full buffers
+    int readIndex = 0;
+    for (int i = 1; i <= 2; i++) {
+      System.out.println(i);
+      ByteBuf bodyResult = msg.readChunk(allocator);
+      assertEquals(header.capacity() + (i*chunkSize), msg.progress());
+      assertFalse(msg.isEndOfInput());
+
+      // Validate we read data correctly
+      assertEquals(bodyResult.readableBytes(), chunkSize);
+      assert(bodyResult.readableBytes() < (randomData.length - readIndex));
+      while (bodyResult.readableBytes() > 0) {
+        System.out.println(readIndex);
+        assertEquals(bodyResult.readByte(), randomData[readIndex++]);
+      }
+    }
+
+    // Last read should be partial
+    ByteBuf bodyResult = msg.readChunk(allocator);
+    assertEquals(header.capacity() + bodyLength, msg.progress());
+    assertTrue(msg.isEndOfInput());
+
+    // Validate we read the byte properly
+    assertEquals(bodyResult.readableBytes(), 1);
+    assertEquals(bodyResult.readByte(), randomData[readIndex]);
+
+    // Closing the message should close the input stream
+    msg.close();
+    assertTrue(body.isEndOfInput());
+
+    // The header still has a reference we got
+    assertEquals(1, header.refCnt());
+    headerResult.release();
+    assertEquals(0, header.refCnt());
+  }
+}
diff --git a/common/network-common/src/test/java/org/apache/spark/network/ssl/ReloadingX509TrustManagerSuite.java b/common/network-common/src/test/java/org/apache/spark/network/ssl/ReloadingX509TrustManagerSuite.java
new file mode 100644
index 0000000000000..2d4bbfb2dc363
--- /dev/null
+++ b/common/network-common/src/test/java/org/apache/spark/network/ssl/ReloadingX509TrustManagerSuite.java
@@ -0,0 +1,197 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.ssl;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.apache.spark.network.ssl.SslSampleConfigs.*;
+
+/**
+ *
+ */
+public class ReloadingX509TrustManagerSuite {
+
+  /**
+   * Tests to ensure that loading a missing trust-store fails
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testLoadMissingTrustStore() throws Exception {
+    File trustStore = new File("testmissing.jks");
+    assertFalse(trustStore.exists());
+
+    Assert.assertThrows(IOException.class, () -> {
+      ReloadingX509TrustManager tm = new ReloadingX509TrustManager(
+        KeyStore.getDefaultType(),
+        trustStore,
+        "password",
+        10
+      );
+      try {
+        tm.init();
+      } finally {
+        tm.destroy();
+      }
+    });
+  }
+
+  /**
+   * Tests to ensure that loading a corrupt trust-store fails
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testLoadCorruptTrustStore() throws Exception {
+    File corruptStore = File.createTempFile("truststore-corrupt", "jks");
+    corruptStore.deleteOnExit();
+    OutputStream os = new FileOutputStream(corruptStore);
+    os.write(1);
+    os.close();
+
+    Assert.assertThrows(IOException.class, () -> {
+      ReloadingX509TrustManager tm = new ReloadingX509TrustManager(
+        KeyStore.getDefaultType(),
+        corruptStore,
+        "password",
+        10
+      );
+      try {
+        tm.init();
+      } finally {
+        tm.destroy();
+      }
+    });
+  }
+
+  /**
+   * @throws Exception
+   */
+  @Test
+  public void testReload() throws Exception {
+    KeyPair kp = generateKeyPair("RSA");
+    X509Certificate cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
+    X509Certificate cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
+    File trustStore = File.createTempFile("testreload", "jks");
+    trustStore.deleteOnExit();
+    createTrustStore(trustStore, "password", "cert1", cert1);
+
+    ReloadingX509TrustManager tm =
+      new ReloadingX509TrustManager("jks", trustStore, "password", 10);
+    try {
+      tm.init();
+      assertEquals(1, tm.getAcceptedIssuers().length);
+
+      // Wait so that the file modification time is different
+      Thread.sleep((tm.getReloadInterval() + 1000));
+
+      // Add another cert
+      Map<String, X509Certificate> certs = new HashMap<String, X509Certificate>();
+      certs.put("cert1", cert1);
+      certs.put("cert2", cert2);
+      createTrustStore(trustStore, "password", certs);
+
+      // and wait to be sure reload has taken place
+      assertEquals(10, tm.getReloadInterval());
+
+      // Wait so that the file modification time is different
+      Thread.sleep((tm.getReloadInterval() + 200));
+
+      assertEquals(2, tm.getAcceptedIssuers().length);
+    } finally {
+      tm.destroy();
+    }
+  }
+
+  /**
+   * @throws Exception
+   */
+  @Test
+  public void testReloadMissingTrustStore() throws Exception {
+    KeyPair kp = generateKeyPair("RSA");
+    X509Certificate cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
+    X509Certificate cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
+    File trustStore = new File("testmissing.jks");
+    trustStore.deleteOnExit();
+    assertFalse(trustStore.exists());
+    createTrustStore(trustStore, "password", "cert1", cert1);
+
+    ReloadingX509TrustManager tm =
+      new ReloadingX509TrustManager("jks", trustStore, "password", 10);
+    try {
+      tm.init();
+      assertEquals(1, tm.getAcceptedIssuers().length);
+      X509Certificate cert = tm.getAcceptedIssuers()[0];
+      trustStore.delete();
+
+      // Wait so that the file modification time is different
+      Thread.sleep((tm.getReloadInterval() + 200));
+
+      assertEquals(1, tm.getAcceptedIssuers().length);
+      assertEquals(cert, tm.getAcceptedIssuers()[0]);
+    } finally {
+      tm.destroy();
+    }
+  }
+
+  /**
+   * @throws Exception
+   */
+  @Test
+  public void testReloadCorruptTrustStore() throws Exception {
+    KeyPair kp = generateKeyPair("RSA");
+    X509Certificate cert1 = generateCertificate("CN=Cert1", kp, 30, "SHA1withRSA");
+    X509Certificate cert2 = generateCertificate("CN=Cert2", kp, 30, "SHA1withRSA");
+    File corruptStore = File.createTempFile("truststore-corrupt", "jks");
+    corruptStore.deleteOnExit();
+    createTrustStore(corruptStore, "password", "cert1", cert1);
+
+    ReloadingX509TrustManager tm =
+      new ReloadingX509TrustManager("jks", corruptStore, "password", 10);
+    try {
+      tm.init();
+      assertEquals(1, tm.getAcceptedIssuers().length);
+      X509Certificate cert = tm.getAcceptedIssuers()[0];
+
+      OutputStream os = new FileOutputStream(corruptStore);
+      os.write(1);
+      os.close();
+      corruptStore.setLastModified(System.currentTimeMillis() - 1000);
+
+      // Wait so that the file modification time is different
+      Thread.sleep((tm.getReloadInterval() + 200));
+
+      assertEquals(1, tm.getAcceptedIssuers().length);
+      assertEquals(cert, tm.getAcceptedIssuers()[0]);
+    } finally {
+      tm.destroy();
+    }
+  }
+}
diff --git a/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java b/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
new file mode 100644
index 0000000000000..3115c28939271
--- /dev/null
+++ b/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
@@ -0,0 +1,235 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.spark.network.ssl;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.*;
+
+import org.bouncycastle.x509.X509V1CertificateGenerator;
+
+import org.apache.spark.network.util.ConfigProvider;
+import org.apache.spark.network.util.MapConfigProvider;
+
+
+/**
+ *
+ */
+public class SslSampleConfigs {
+
+  public static final String keyStorePath = getAbsolutePath("/keystore");
+  public static final String privateKeyPath = getAbsolutePath("/key.pem");
+  public static final String certChainPath = getAbsolutePath("/certchain.pem");
+  public static final String untrustedKeyStorePath = getAbsolutePath("/untrusted-keystore");
+  public static final String trustStorePath = getAbsolutePath("/truststore");
+
+
+  /**
+   * Creates a config map containing the settings needed to enable the RPC SSL feature
+   * All the settings (except the enabled one) are intentionally set on the parent namespace
+   * so that we can verify settings inheritance works
+   */
+  public static Map<String, String> createDefaultConfigMap() {
+    Map<String, String> confMap = new HashMap<String, String>();
+    confMap.put("spark.ssl.rpc.enabled", "true");
+    // Need this so the other settings get parsed
+    confMap.put("spark.ssl.enabled", "true");
+    confMap.put("spark.ssl.trustStoreReloadingEnabled", "false");
+    confMap.put("spark.ssl.openSslEnabled", "false");
+    confMap.put("spark.ssl.trustStoreReloadInterval", "10000");
+    confMap.put("spark.ssl.keyStore", SslSampleConfigs.keyStorePath);
+    confMap.put("spark.ssl.keyStorePassword", "password");
+    confMap.put("spark.ssl.privateKey", SslSampleConfigs.privateKeyPath);
+    confMap.put("spark.ssl.keyPassword", "password");
+    confMap.put("spark.ssl.certChain", SslSampleConfigs.certChainPath);
+    confMap.put("spark.ssl.trustStore", SslSampleConfigs.trustStorePath);
+    confMap.put("spark.ssl.trustStorePassword", "password");
+    return confMap;
+  }
+
+  /**
+   * Similar to the above, but sets the settings directly in the spark.ssl.rpc namespace
+   * This is needed for testing in the lower level modules (like network-common) where inheritance
+   * does not work as there is no access to SSLOptions.
+   */
+  public static Map<String, String> createDefaultConfigMapForRpcNamespace() {
+    Map<String, String> confMap = new HashMap<String, String>();
+    confMap.put("spark.ssl.rpc.enabled", "true");
+    confMap.put("spark.ssl.rpc.trustStoreReloadingEnabled", "false");
+    confMap.put("spark.ssl.rpc.openSslEnabled", "false");
+    confMap.put("spark.ssl.rpc.trustStoreReloadInterval", "10000");
+    confMap.put("spark.ssl.rpc.keyStore", SslSampleConfigs.keyStorePath);
+    confMap.put("spark.ssl.rpc.keyStorePassword", "password");
+    confMap.put("spark.ssl.rpc.privateKey", SslSampleConfigs.privateKeyPath);
+    confMap.put("spark.ssl.rpc.keyPassword", "password");
+    confMap.put("spark.ssl.rpc.certChain", SslSampleConfigs.certChainPath);
+    confMap.put("spark.ssl.rpc.trustStore", SslSampleConfigs.trustStorePath);
+    confMap.put("spark.ssl.rpc.trustStorePassword", "password");
+    return confMap;
+  }
+
+  /**
+   * Create ConfigProvider based on the method above
+   */
+  public static ConfigProvider createDefaultConfigProviderForRpcNamespace() {
+    return new MapConfigProvider(createDefaultConfigMapForRpcNamespace());
+  }
+
+  /**
+   * Create ConfigProvider based on the method above
+   */
+  public static ConfigProvider createDefaultConfigProviderForRpcNamespaceWithAdditionalEntries(
+      Map<String, String> entries) {
+    Map<String, String> confMap = createDefaultConfigMapForRpcNamespace();
+    confMap.putAll(entries);
+    return new MapConfigProvider(confMap);
+  }
+
+  public static void createTrustStore(
+    File trustStore, String password, String alias, Certificate cert)
+    throws GeneralSecurityException, IOException {
+    KeyStore ks = createEmptyKeyStore();
+    ks.setCertificateEntry(alias, cert);
+    saveKeyStore(ks, trustStore, password);
+  }
+
+  /**
+   * Creates a keystore with multiple keys and saves it to a file.
+   */
+  public static <T extends Certificate> void createTrustStore(
+    File trustStore, String password, Map<String, T> certs)
+    throws GeneralSecurityException, IOException {
+    KeyStore ks = createEmptyKeyStore();
+    for (Map.Entry<String, T> cert : certs.entrySet()) {
+      ks.setCertificateEntry(cert.getKey(), cert.getValue());
+    }
+    saveKeyStore(ks, trustStore, password);
+  }
+
+  /**
+   * Create a self-signed X.509 Certificate.
+   *
+   * @param dn        the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
+   * @param pair      the KeyPair
+   * @param days      how many days from now the Certificate is valid for
+   * @param algorithm the signing algorithm, eg "SHA1withRSA"
+   * @return the self-signed certificate
+   */
+  @SuppressWarnings("deprecation")
+  public static X509Certificate generateCertificate(
+      String dn, KeyPair pair, int days, String algorithm)
+      throws CertificateEncodingException, InvalidKeyException, IllegalStateException,
+      NoSuchAlgorithmException, SignatureException {
+
+    Date from = new Date();
+    Date to = new Date(from.getTime() + days * 86400000L);
+    BigInteger sn = new BigInteger(64, new SecureRandom());
+    KeyPair keyPair = pair;
+    X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
+    X500Principal dnName = new X500Principal(dn);
+
+    certGen.setSerialNumber(sn);
+    certGen.setIssuerDN(dnName);
+    certGen.setNotBefore(from);
+    certGen.setNotAfter(to);
+    certGen.setSubjectDN(dnName);
+    certGen.setPublicKey(keyPair.getPublic());
+    certGen.setSignatureAlgorithm(algorithm);
+
+    X509Certificate cert = certGen.generate(pair.getPrivate());
+    return cert;
+  }
+
+  public static KeyPair generateKeyPair(String algorithm)
+    throws NoSuchAlgorithmException {
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm);
+    keyGen.initialize(1024);
+    return keyGen.genKeyPair();
+  }
+
+  /**
+   * Creates a keystore with a single key and saves it to a file.
+   *
+   * @param keyStore    File keystore to save
+   * @param password    String store password to set on keystore
+   * @param keyPassword String key password to set on key
+   * @param alias       String alias to use for the key
+   * @param privateKey  Key to save in keystore
+   * @param cert        Certificate to use as certificate chain associated to key
+   * @throws GeneralSecurityException for any error with the security APIs
+   * @throws IOException              if there is an I/O error saving the file
+   */
+  public static void createKeyStore(
+    File keyStore, String password, String keyPassword,
+    String alias, Key privateKey, Certificate cert)
+    throws GeneralSecurityException, IOException {
+    KeyStore ks = createEmptyKeyStore();
+    ks.setKeyEntry(alias, privateKey, keyPassword.toCharArray(),
+      new Certificate[]{cert});
+    saveKeyStore(ks, keyStore, password);
+  }
+
+  public static void createKeyStore(
+    File keyStore, String password,
+    String alias, Key privateKey, Certificate cert)
+    throws GeneralSecurityException, IOException {
+    KeyStore ks = createEmptyKeyStore();
+    ks.setKeyEntry(alias, privateKey, password.toCharArray(), new Certificate[]{cert});
+    saveKeyStore(ks, keyStore, password);
+  }
+
+  private static KeyStore createEmptyKeyStore()
+    throws GeneralSecurityException, IOException {
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    ks.load(null, null); // initialize
+    return ks;
+  }
+
+  private static void saveKeyStore(
+    KeyStore ks, File keyStore, String password)
+    throws GeneralSecurityException, IOException {
+    FileOutputStream out = new FileOutputStream(keyStore);
+    try {
+      ks.store(out, password.toCharArray());
+    } finally {
+      out.close();
+    }
+  }
+
+  public static String getAbsolutePath(String path) {
+    try {
+      return new File(SslSampleConfigs.class.getResource(path).getFile()).getCanonicalPath();
+    } catch (IOException e) {
+       throw new RuntimeException("Failed to resolve path " + path, e);
+    }
+  }
+}
diff --git a/common/network-common/src/test/resources/certchain.pem b/common/network-common/src/test/resources/certchain.pem
new file mode 100644
index 0000000000000..1004cacc9bf9a
--- /dev/null
+++ b/common/network-common/src/test/resources/certchain.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQD7yXTHZWZZlDANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0EwHhcNMjMwNjIwMTczMjAzWhcNMzMwNjE3MTczMjAzWjAa
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDH4DO8IP/7xZgpzmYrBaqzsnpamq54cXP8JdQUOXP/dmh8myGg
+CUau/nNdpPNr1Od2iUvf1Z9OW+KcHdNAL/zcwe1ehU3d6/M+UinDtfbEb4HSyQ31
+9AIlPSUq+pJAlsAGJYERLGHPBNXEay0r0+TR0cd9CfSN79rXUMag40pZC3zdxXmY
+JpSkhNuiYfa+Z9TgXoki5MzNiyH12gAb9tO8tr55BnE5s/QujOp7LMjlf6VkE7Bp
+hqj1UbcHmFw7U9jyLDfi98uIvlEDFCwXARdmLxxaYAOqdgZ3TtjBvbugVRpRFQiw
+haFzkiok9bh+MclKQBKvF0ArHmMLHkcCd5oPAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBADYIPLwlnuH6rTbkjeZFYC2UXjNesbUe1TXbsBo9DDHJUSFjNNDDAUpSzhxb
+q6nMvex7tnTvTjAgOQR/qwAueAfcXHWe0EKvn4Y6yJERepSsYg5bSYBt+UJxW89R
+JRLmzBFxEJy1YhsqGCh+I2wRoRz8ZGokDyqcrAlwlzXYVDfNC4wUo14Cm+s90yc3
+2I/roX/MWec8QbEbr25psAYVnRdUL1mzCeQMc83A8Y0SDPfF5ECFhvFXkVaDTULO
+RddXWJoC4K5RuGa6yvpb75I8VTE3fwE2ykSgPuMShNZREDCuszkpPjjFumq9pCOJ
+nUO1huCqjxC1ehPe/9/jgmzoVX4=
+-----END CERTIFICATE-----
diff --git a/common/network-common/src/test/resources/key.pem b/common/network-common/src/test/resources/key.pem
new file mode 100644
index 0000000000000..77122755bfdaf
--- /dev/null
+++ b/common/network-common/src/test/resources/key.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQIGBIe7ugOgfACAggABIIEyJgkzYc/ixcvwLJC
+eTzGOVwk+F1cqM4H63FOxIjroaxisceqoBmty6Rf4PJ1C9nprkSs6G/SkupbNUUB
+YiWmsQ91orllbHsczAc+qaa0tmommwgt27ZrfXdXBxDB0mJWQTijkVHWfyTqcXmC
+oeWlvTFsilA4CoVakryZQScl3qH/aN5zazg9gjx2xNCRwFexeccC7TqICJkPtnJC
++6wrSby2A9HlJs/MdtYyhfN360GDKvQygnw+wQj+san8EV5s7I7b45SsdEx5vOxP
++AKc6h7loWJkLrJFqDGtfqY/TY76t+sQpinS7R3sA4uYaT1bIx8Feu0GcIbnr3NS
+54St9hNfOgEDmWKFj0ZmMTEISOujj8hNTKYdc0Z/dx/+izqNCuLEXiJjLDIPxfRJ
+EfeYG0/4fBxdeZgIwIVVsUXX4eSzXhguuiwulNhRkUzKhH9aNrp1fw5t0hgsJOPx
+O8Y2sAtDL6KUHx+rt0ejrHYXK1+BOUCHcZiHCGmLCCQlrcX5TWDYPkhtrbtbxS6m
+p9aVxq7pcyxelVlUBXtWeYvcOHGueEd7QQL16uYbhrTHFIwx2Pw//LNIgyJTBNu7
+hxm2jica15PaALtSsYDRhsE9VkWawW9AXeBWOnEj7YKrT5ejrQLI9eCxtolRbVNd
+gSR5r7MQkPssjCU+pdsCl98e0mxVnq8eMDtZYSIDGLEyPfJNCsxDanzUuxSfBP8K
+cIDzREINA/QiuhyGxxBB8dR6k+kl1LNVy8FA7RYAe84MLW2wuaFMQirMDtTLo/Wt
+/AatxW4WKlCvfd/nC8O5xlzmF5qffhgmS8xYDL/w1G3Uxo21dA4gGipH9uw91wqi
+YaSidtcVs6JbHpUddmO5AiEiSBbbwqNgaOxNdur1WYWZHDNWvCKL9sqQy/HtDLHy
+Tzyuw8GtrpB2BKfWWwbAApqvjcqgjitEXk2Nw/L3qWfWmVStP9ys5rz27UWRhMFi
+Go/HrVh7heOxK16ei5tp2OyRLSfDBZ7+IlpbbnR26BPdBE08cuBo/ELOfifnYTTS
+V4CKLMiG7RxtdAddkFKO+GgNW1nNHppBBhJzDvuBcFuUfB+AdnymZTlA8RFha7aW
+zwtg6I1ABdMGPn+wzMhkkutDtSCWpkBRddJPcB1mwmRdp/2WC3NxuaMQX3anQG36
+9m2sxWUmT8ZLGvFDHIwGbRPT5zzcvIJV/xhZdCxhg/7tgLikBZBB8TmtDBck+wq+
+DPIEQkr4rObCi9xphSpHvPBGhdI5v8xbKEGLcPzVMW0hjaHouvQipEXC+ASrn/sG
+nytZkyt1DD8KG27wlcrDl/RDCcjNvlKkgKPme3pPsDcD+qX+eqjQ4OM9AexW+VLZ
+ZUa84/Fh6yjbuPF3vtCVRwFJURzhKMVG3Fcs7C3iczCOUNDOar9k0yCrmbACF9Wm
+kSD5lXPXe1fFq0xi21Isuz+FH4A5CR/tHc2i+avQhYs9FvaqzLiaNmLaZKrhX5uy
+dJXYtLruhgwBjv4eo6GXm8/WHFG6r4iaq6NEimQoT41MH+uJr9nAiBWg397JoHpG
+jheCZDpZBAVuEz8NUdWP7mu64DQsjKeY6okwMlXlcSUKlMnx8QCtEMTj/JF7E7dT
+bHYe30+OIWl3X88v9Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/common/network-common/src/test/resources/keystore b/common/network-common/src/test/resources/keystore
new file mode 100644
index 0000000000000000000000000000000000000000..f8310e39ba1e07c7559e5724f522c06ca47f5787
GIT binary patch
literal 2247
zcmchYc{J1uAI9f5Gt8i|P1&wBlPn{@Y0#AI+9uMFEKS|9bCt<Vma)doSW;mK$yzZL
zMhPuL63H$jWsTBxE5;02B9g9i&-=dTp40#DAI~4p=dbU1&U2pcrf^dTfk2>J0{)TM
zX}X`!>67%Z@GWAuh_Ft8Kt!M*6TS&bii+!r0&qYVDgyu_5I7UgZ~dLDFFKbbe4NJ>
z8h*OOS9N;OWepcs>OGoE=zuk2V{*wI)Z_e}>Z@^h>_v>&7v=eK%-(UR|F2)6ifSZm
zB{$HW8@=O<)XbNH;_wk=FeM$Bjfx=?s>^D9Zr#6WTzln-!DYFW$=EZVD(3K>jS96w
z-f`E>K|`eE2uJ#EUlg%5TBw+iWJz5iySD{o5{Ul(C)@&^f0t&B->D-6`JH0%@@;s@
zjMngAG004|Ao+Z!S-#o>U%j;FhYZ-6+Sr%89Pdns-=>tD<cjKLOEFw$W`Y7iJ*w@l
z{<)#9NQ_z4oL%jGClKweSk8K2b+MsshLSJE(dK>GRpP7IeZ?->$L-DANQrdWKTa;0
zluk^040v;S@5DL7!>L;M8&vwCZAjLK*vpGqYx~-VYZs+3mb>>RYt{axVJiP>$3Y|}
zz*eB_iPWr6Tc->>lU_2dn3A0UZrr!p`Ly9<<lc^`K}#n@@RG4qeTf{LV8Z^btG&_y
zGFSDwx3u{?r_3fn<t}&jk;8XJ!R)ZkpEIXW!B{Hg%&{rMhKG*OsZqs+<0IiZRN6GG
z)Nyb;BKE6D+i7*x8|9Ch?J#Ckm}fQl?Kn2O$Xu@%qn|o&?<S3kz<ULPf|rby?x3+m
zt+T<2gXj`Y$EU{DK6BrOA6(b#yk#Fn=hp28<eCIEEr<9BMg}yIy^}Wd+_oK`6?C9S
zMLt@$jA)Md@FMcW$CbhxCi!}*U)7IThxXctyouJP1Raj2m{qRMN~*EHdRbL<Hyam5
znJQ!+ZVDv|Vl@xVt+lY96y$tka9lAm!Fzh1h4jS86Kgz4X??d`rro%ME5|hK$qmU_
zYExs4G?_3|W8^}(Tf_(5wZ{fZ1u;XUZ^a&q6d&i`cIQgIo-cmbU<6pY*lQ!Rv-V#K
zb>%d%n&X#yvmACj3LY^dq?e=FaqJ!`fkB(%M!T4bA&bADq%;%h1-L)a{YF#I>*n5;
zXt7P-gtHyc-1yawv9;te^CLkar+P2}c`q>)=Cwt62se##oHtS0qXNZJW*YMjnTYe|
z1W+lZjRJ<oix>NxO-J~$3RTEpZS0TIp!w}_nOBXJ>YGGE1!<NnYgKh^XFog_VFoT$
z`_~*TpS)Ia?ZP@fM8sD2>=AA8t_d9vGYswy&Plo@H7BgF?Rr;IN}~I_OZ5AE?Xc>e
zduB^$Zl^0#&4F^xR^%KivoAj*R)05F<5T{9#!cLae!D`i$@(i5VdKPs;vD6ow-Pa0
zmfi>Du&L;*jI`*2mxHbvy2C)a@EF^M?KmG1vd1J;hO<00q<gYyWYEfRIN1|-F~%X~
z`{Hc?NwSk6swt3?GGNGyHctaA4D>{Ea0+F@!vpWZUoIem_pk7QGFApU$XWEZyP!S$
zy2#@wW_snjaE*mkb%s`~Ur~W0n&f9pXRDv9^a`mg8=d@ECh_CSHJ#du`ah#SxB9W1
z-p<Aj%6OF|2tj234Hxe$GBqPntjPDm(SFo{EAsCUG^i2vjP2B#_GaK`^H-ieT6X(x
zS%jR?E3^~1=gOsS>b!}YxjkPKt*mOLDS3IRD~MerwrgiggePgez$MStIAG30Vaz+z
znP5Kohc09y*(6S=bZ0;6*@CtY{i164xeX%S<NYU9!e#a8FkhEy+Zbu)Rd(?|<0wMj
zV+8JpKwz;T6BY?Fp<dTvPyh;rJ0Bq31W}@5x+!)kt0(}F5P^WFanf6p33G#sq7iO1
zDvcgV`!7NML=Zm_@t=sqPXzWq0;<ZRaE3S#B<#iGK)m6JEo%hgK;!?||MN9WVCTQ%
z*!mVQCLjd?nSeNy2>_5pQfMC@N!nO0wH%Xtuc`Uu_?pnpJ3cKSbR^Nesz@fkeg8K_
zTJ35i8GW{Bgm&Uy_A)8Ar>TC8<!?Hg5>0v~KUm51AD4|t?pz-*InPU(xFwfe7aK@-
z&`sYxAFsV#57|9oUhntf^%Ms6?u7Ik>%Ezi3GO{ccd<h=6x`H>$K+?Z=*8-c9HP#s
zOrXfNhRKwkI)1xzMcTvsXTrA@mGdnR9#$e8BDNj1us(Rjp^I@0JHr=J9h*keYb@4`
zEbRm4_$*5QRieRoP)JDy&5{>VVsBkDRg>0s_n`ei%|c)v!>9n^H~H}eLNotr3B^*=
z{jjq6yqK``^Vn@D41fS-8lW1evegh3Nw^$*J9JmC0%UznnvdunEUWXJm7jB#`FDt0
zo!SZ!fDlyn__i1(A!8e5JfGHGYq#O59PYAPUd^G9FA4GLhdQU@y3_KivZwp9e#sjZ
z1)6E~Py4647bJ-*g&tbSSqXlAo`|VY0-a#1EcqqpmY_MpMl0!c@gNTqd?DPoAC6{F
zX#Czw>93?(`H$;NoCL46jICSrt~xR}wNV^~dn<|;)#U(7hP$oGOzs-~AvLGK&g0zM
zw^?bP=4NGFJ3;N}QsShyk0XSs?LW@9d~Sxj?AVZ{pOtdaJ7!gP>dq$(AFE$ic(QF_
zMtzQi_+9hZzoOnZ-qFt&6a;ssvcmgs))|WiZVphZ+9n#oo9dzuTg|>3rcC)~XD4Ad
ZwPrecI^>>DS9jrYAM6Ze@sCox{su3o&c*-$

literal 0
HcmV?d00001

diff --git a/common/network-common/src/test/resources/truststore b/common/network-common/src/test/resources/truststore
new file mode 100644
index 0000000000000000000000000000000000000000..a6b1d46e1f391995553771665934518114892962
GIT binary patch
literal 957
zcmezO_TO6u1_mY|W(3omIr+(nIT`uIB|s66PaJ187+53pObsj<7?`UKnwZNCnwa7j
zFf%bSF|h<%`7Sl!W#iOp^Jx3d%gD&h%3zRVC}6<H#vIDRCd?k1mz|eio(B`*zz|`_
z5aGfQ;l>bQhKm@;iSrto7#bK@7#SNH7@I@^xuyn&24+w$on6z!sDvCGjI0dIO^o~u
z22G4yOihf849&hp=Zrag|9n~Gc#H3$vhv=@pKm=9>UvU(ZZwCjnIky!nB{NDyiMQB
zBZO<_+{laCF!_t`)YJQR{_Ib&x!G3fds+PIs-~1XLS?NdeqFL|Ki_tDnb_pb)#>@(
zTD|J;>oi2PIZoZR+nId!%3~GY`%wb7osA|uXbd}Tx=!cX%NWDQox39rO%?vMzHf?~
z=1swLR-RoC+D>nNbu4gY&$gL|-rloc_5R@2ZL8S5%Xot9o!zH-pDYd6dHL#Xw%@*+
zy&LU+nmT%>zI)Xlb76*?{++DCc`NfA&lk?~bl&)QW6#lb?w*%6eoUWUYC4NO`N6ZZ
z?8-A|%!_eU4)c+*d(ZiH(T7{hnV1<F7#AxV$Q#H4Q-~}dix`Utlj<1>hF?DgUa_CL
zx_EQkYw>r1g2;ggOjE!>WMr_A)k`{P(!x=_M=);x=K055cF6ji^!W09N=!ueTVn;U
z6EA8{^-Nzg`Ng@3($jCUF&@a<x&Ok8Qy=-<zRiwR<9N;eYUXrS8`H*o3s)JwuTz%2
zIZ)=J)^cU;)$=O3oh3;ZScFSs@?M?k?!C-^_|@*s*8Xp<sF^t*)Sls2x_VQ^>e8^o
zyyq)UdNa4Ognk!%pnCm3|2v5#(^qdW|F_DnC)CMo)7|XjC#6>R9=pT-w&U3U_Jbb|
zump?#5z4RO57rKM+MK!exniP|!?*K7M~h9*`B~JdzSntD@o>*t-I;G@<(}y1FS)RE
zvl(0Zzf0L`j^5p4uvCF<+hN<kCT)*XCQokB`M3FKhO0_L)r)TtxgK7R-&#o=x-kg=
DWo>hw

literal 0
HcmV?d00001

diff --git a/common/network-common/src/test/resources/untrusted-keystore b/common/network-common/src/test/resources/untrusted-keystore
new file mode 100644
index 0000000000000000000000000000000000000000..6015b02caa12817721fca3a83c8e58338b6d9aeb
GIT binary patch
literal 2246
zcmchYS5VUl7sc~W0)Ye-=~4xxg#Zav3<BbYq7-2TvQiAPfJ;JCiUxxasvxL<St&|0
zfK(+A5Qvn}r37$LK$=LC4og#Hm)ZHgot^Q0AI{9Zzo$EA&YXL&e6S1xfxw3X{uVFE
z&)to5-S1}LAu->8z3~KrxBxU2`W=0g8?MR?KmjE9H~?^gpj7C>T*;?*E%{fv1t#2A
zw<uTn^PFy?W0TjZ)1+so^L_N9y<xMp{xNOW6eBSu`Nw42<<ExjnGwct1$Mo7r)NCW
z4R)nH{$}D!2{>mzrvHqay1&t+Fi_Z+)w1n4H+Y%AMXJ&rSoCSXIQW|Hr+fhOC{~-z
zRlY#ibR-jPTxR#)AT!BEO?ezTUwe>&ocp&K#iX4G4x}&l;Dj))1SC+yocOHP<E%NV
zQS!hQ(?@y!J70d9$&l*}MjR)zQE@36diUMf3NIaHC(m});MI~95!cxDM*0E*OX<t8
z6+7;6EW7OOYSCSs(Fc;H(WGrNbjmdWm`aJbdz>Kcyd#4h$$Ysx{PW2wSrMAGjmd{>
zmZKc2Dyf?4ujwLhFCx*5Hx~U|Z)4cF@ukC(ds5*mRqTjW<hM2lY|#3UYbjq%tYEC}
z)6zbbR9?h@9zN6Q-isG?iyhO}t!wFup!YJS&sOz}VNvIY$<_O~lXGdki4zw$97V7z
zj{Q%wc85NiS}8+F;L-q3@`kvVd&+9S{a;Y5QCY)M@Gh>ZQ!rEzURPjf;fj^#543K+
z!ssm8re)p<nag8a&g6D@cy$#BzNfh{iNP^ENv(UhfUJOT&0nmg1)VC1X(4I`^v{92
z3k3Jp{we-T7b@8t)h{-#iZe(yQbJxh2V?THkdy2wb)z>qzo9BLWxDF++<UKQ4YM95
z#>xd2(u`*)aHlZZpG29)-s8jv^L!<=2n_lp*^DBVw#MvPDYjjU59hk-*=5ySF?<g;
zRZR}u*VtrFx^!Irb^VT6r-I}bKHRkhB>;vN-zN<FFW+8xsyms3dufmD>ZGbmhBK9h
zT^c^=AHxzXuw5SuT_j1a9=(n&J?~VzvG}qlOYj8&6PtlOG82v{Ls5creeldHDY=n}
z6NS98Hi+3%9-T{Nl<}Y`*yL)P*pyGtkkOKUx$aHwg>deSRCRDu3S_Bt*qYqP;^=vW
z>Sial$32p`22-|}%Wtf09n<D{)ynKi|CAtg`udG)&V3iph2We(0~XOCR>6kxR~g&{
z;kf$;?1pyH#legE8IIWJMw1!v9A-Bq$dIyn#d<qpt2oiTwX<Ml2{G@X8vAH<Kyt6E
zGhs*ZA|Ry0xse9hbP1E_>=DTZcOxsMZN<8A29U{XY8FE^^?*t(;Wc9KRLxuFXiP-G
z>e>s*`P%O)W#bh}MOrv+{^3tN%a_tNb9D8h>-eF{WYv1B{AL3=1%=#OJh|?KR$7@~
zM1%siVBJLAn~Pz$VnIy*@}LG*a&*qN<%mI`Z<UYf_s34HcjxuUvS;VglINe;ns&X*
z8mvnYB1(BO5c?10K%$GATJl>Qi8>jN6Bzl5(ULw7YAmA5UoEllgU<Gy!UK`5*>Du`
zAewV|((5eVYOO+`<3sL2d)BS_Mok%KAB6q1*Jc7zF$H5nC_yMo`6_U&c?)aPk4b$z
zk=~H8I#D$8!fS_4;uOVeZ*ca0M>wc+><Xl@Q5P5@@u~GWapDb+i!~YA&5a>X_;202
zht3{zS6QTZ`z}%LI2uqFW?YIRHI*33>s?|kWxkxSkI|mB{+aCe>R$D#3C_eDcm?~4
z04*s~%RJne@gR@YM1zFG)0DX;`R-ZeVAqWJ<toEi7Qfr=Gj?<*^YXvDkqfV`gVqOu
zAfad~Bm_+bU(JSq0WcU!x*ql$`Up2KGR8b+=Li5GxIkzUhX1fJA@)#iL72TS(bq4;
z_y2_F2Lk(nz<(f!9|+_hf|eFNg3-pH(Wf=FFc`G%mBUpBeK`DY{g1Dq0&@Sh<M3HP
zsK7B0nhL<dQ~&@yEJ6f8MqJ)(O0eES5lVrPMwQKeHsbiu&*NdAK&fuG+ieLjGww^X
z*5L-wN@kLApo+kS6^EOXle1^(!XoIQ6yuIk{`I&`>izOR@=|SzH@w)|jt`!(`wOVk
zU(Gc+<B#}9{Q~tL>3x6OSUy2;rv#hrK`;koo{3~F+?Lz<_V{4;1#8arvZ&0V8@AqY
z%gOfdX610i{YAs|(!9Q+SL{EgzRT#t9JFQIGR2S`6VaKXbv2cJ2H)BOR*n|BK8B>J
zu4T{_d4E~Njm&*(N{Lz*K3`qRFrPLYtX(hoRRuEpLT4<dPn48=qGo1;+DR!=`>Gjc
z7p!#ttliZeFa!Vrd9r93wA5ijq>e&GphCV$=V%&Tr1x)APN~~@unO~heb4>d#KTM-
znh1b2&I@^pv~P&tiq}$Qc2}5{Y1K+f=lfqETn=T3E>iK(`_W8&jcZK}2tO)n$}*DS
zW9s~&EeO=mYgrtHq(vr!#h3NAy`7YJ8V0q&`(N)hb2~hoF87PZRGUk~lN{xCT(jsw
z;Yp@T1SAT~KqTCb3a(cP)&1DNK4h=JduK2)s(9XTV?-4(76KO@#|t*-6s2Dl=w}?&
z`IEOv)DCjYr5eow*?MXh8OBgmy;!t>iQ6;NbaZ0pfS*It8}lB6l1(9$AdKemI=5q_
z{7jO%*zS`ZmPK|=YMq+2r-Np*`16dZu!n^|WkFZrL^nhKO<UWS!WwEQf7a-$W)tGG
VOI=$`4oZ<Jmfv_H%^$uo{ueBW-1z_i

literal 0
HcmV?d00001

diff --git a/common/network-shuffle/src/main/java/org/apache/spark/network/shuffle/ShuffleTransportContext.java b/common/network-shuffle/src/main/java/org/apache/spark/network/shuffle/ShuffleTransportContext.java
index 39ddf2c2a7ed6..76eb5a2c58342 100644
--- a/common/network-shuffle/src/main/java/org/apache/spark/network/shuffle/ShuffleTransportContext.java
+++ b/common/network-shuffle/src/main/java/org/apache/spark/network/shuffle/ShuffleTransportContext.java
@@ -20,6 +20,7 @@
 import java.nio.ByteBuffer;
 import java.util.List;
 
+import com.google.common.annotations.VisibleForTesting;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
 import io.netty.channel.ChannelHandlerContext;
@@ -52,7 +53,8 @@
  * */
 public class ShuffleTransportContext extends TransportContext {
   private static final Logger logger = LoggerFactory.getLogger(ShuffleTransportContext.class);
-  private static final ShuffleMessageDecoder SHUFFLE_DECODER =
+  @VisibleForTesting
+  protected static ShuffleMessageDecoder SHUFFLE_DECODER =
       new ShuffleMessageDecoder(MessageDecoder.INSTANCE);
   private final EventLoopGroup finalizeWorkers;
 
@@ -81,16 +83,16 @@ public ShuffleTransportContext(TransportConf conf,
   }
 
   @Override
-  public TransportChannelHandler initializePipeline(SocketChannel channel) {
-    TransportChannelHandler ch = super.initializePipeline(channel);
+  public TransportChannelHandler initializePipeline(SocketChannel channel, boolean isClient) {
+    TransportChannelHandler ch = super.initializePipeline(channel, isClient);
     addHandlerToPipeline(channel, ch);
     return ch;
   }
 
   @Override
   public TransportChannelHandler initializePipeline(SocketChannel channel,
-      RpcHandler channelRpcHandler) {
-    TransportChannelHandler ch = super.initializePipeline(channel, channelRpcHandler);
+      RpcHandler channelRpcHandler, boolean isClient) {
+    TransportChannelHandler ch = super.initializePipeline(channel, channelRpcHandler, isClient);
     addHandlerToPipeline(channel, ch);
     return ch;
   }
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleIntegrationSuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleIntegrationSuite.java
index 49d02e5dc6fb4..81952797832ef 100644
--- a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleIntegrationSuite.java
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleIntegrationSuite.java
@@ -32,7 +32,6 @@
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Sets;
 import org.apache.spark.network.buffer.FileSegmentManagedBuffer;
 import org.apache.spark.network.server.OneForOneStreamManager;
@@ -57,11 +56,11 @@ public class ExternalShuffleIntegrationSuite {
   private static final String APP_ID = "app-id";
   private static final String SORT_MANAGER = "org.apache.spark.shuffle.sort.SortShuffleManager";
 
-  private static final int RDD_ID = 1;
-  private static final int SPLIT_INDEX_VALID_BLOCK = 0;
+  protected static final int RDD_ID = 1;
+  protected static final int SPLIT_INDEX_VALID_BLOCK = 0;
   private static final int SPLIT_INDEX_MISSING_FILE = 1;
-  private static final int SPLIT_INDEX_CORRUPT_LENGTH = 2;
-  private static final int SPLIT_INDEX_VALID_BLOCK_TO_RM = 3;
+  protected static final int SPLIT_INDEX_CORRUPT_LENGTH = 2;
+  protected static final int SPLIT_INDEX_VALID_BLOCK_TO_RM = 3;
   private static final int SPLIT_INDEX_MISSING_BLOCK_TO_RM = 4;
 
   // Executor 0 is sort-based
@@ -86,6 +85,17 @@ public class ExternalShuffleIntegrationSuite {
     new byte[54321],
   };
 
+  private static TransportConf createTransportConf(String maxRetries, String rddEnabled) {
+    HashMap<String, String> config = new HashMap<>();
+    config.put("spark.shuffle.io.maxRetries", maxRetries);
+    config.put(Constants.SHUFFLE_SERVICE_FETCH_RDD_ENABLED, rddEnabled);
+    return new TransportConf("shuffle", new MapConfigProvider(config));
+  }
+
+  protected TransportConf createTransportConfForFetchNoServerTest() {
+    return createTransportConf("0", "false");
+  }
+
   @BeforeClass
   public static void beforeAll() throws IOException {
     Random rand = new Random();
@@ -105,10 +115,7 @@ public static void beforeAll() throws IOException {
     dataContext0.insertCachedRddData(RDD_ID, SPLIT_INDEX_VALID_BLOCK, exec0RddBlockValid);
     dataContext0.insertCachedRddData(RDD_ID, SPLIT_INDEX_VALID_BLOCK_TO_RM, exec0RddBlockToRemove);
 
-    HashMap<String, String> config = new HashMap<>();
-    config.put("spark.shuffle.io.maxRetries", "0");
-    config.put(Constants.SHUFFLE_SERVICE_FETCH_RDD_ENABLED, "true");
-    conf = new TransportConf("shuffle", new MapConfigProvider(config));
+    conf = createTransportConf("0", "true");
     handler = new ExternalBlockHandler(
       new OneForOneStreamManager(),
       new ExternalShuffleBlockResolver(conf, null) {
@@ -321,8 +328,7 @@ public void testFetchUnregisteredExecutor() throws Exception {
 
   @Test
   public void testFetchNoServer() throws Exception {
-    TransportConf clientConf = new TransportConf("shuffle",
-      new MapConfigProvider(ImmutableMap.of("spark.shuffle.io.maxRetries", "0")));
+    TransportConf clientConf = createTransportConfForFetchNoServerTest();
     registerExecutor("exec-0", dataContext0.createExecutorInfo(SORT_MANAGER));
     FetchResult execFetch = fetchBlocks("exec-0",
       new String[]{"shuffle_1_0_0", "shuffle_1_0_1"}, clientConf, 1 /* port */);
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleSecuritySuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleSecuritySuite.java
index c52ac3112ed00..739dfb3975878 100644
--- a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleSecuritySuite.java
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ExternalShuffleSecuritySuite.java
@@ -39,10 +39,19 @@
 
 public class ExternalShuffleSecuritySuite {
 
-  TransportConf conf = new TransportConf("shuffle", MapConfigProvider.EMPTY);
+  TransportConf conf = createTransportConf(false);
   TransportServer server;
   TransportContext transportContext;
 
+  protected TransportConf createTransportConf(boolean encrypt) {
+    if (encrypt) {
+      return new TransportConf("shuffle", new MapConfigProvider(
+        ImmutableMap.of("spark.authenticate.enableSaslEncryption", "true")));
+    } else {
+      return new TransportConf("shuffle", MapConfigProvider.EMPTY);
+    }
+  }
+
   @Before
   public void beforeEach() throws IOException {
     transportContext = new TransportContext(conf, new ExternalBlockHandler(conf, null));
@@ -92,8 +101,7 @@ private void validate(String appId, String secretKey, boolean encrypt)
         throws IOException, InterruptedException {
     TransportConf testConf = conf;
     if (encrypt) {
-      testConf = new TransportConf("shuffle", new MapConfigProvider(
-        ImmutableMap.of("spark.authenticate.enableSaslEncryption", "true")));
+      testConf = createTransportConf(encrypt);
     }
 
     try (ExternalBlockStoreClient client =
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ShuffleTransportContextSuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ShuffleTransportContextSuite.java
index 1c8c5b33bd98b..dc67a5693e7d5 100644
--- a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ShuffleTransportContextSuite.java
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/ShuffleTransportContextSuite.java
@@ -31,6 +31,7 @@
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.channel.socket.SocketChannel;
 
+import org.apache.spark.network.protocol.*;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -39,10 +40,6 @@
 import static org.mockito.Mockito.when;
 
 import org.apache.spark.network.buffer.NioManagedBuffer;
-import org.apache.spark.network.protocol.Message;
-import org.apache.spark.network.protocol.MessageEncoder;
-import org.apache.spark.network.protocol.MessageWithHeader;
-import org.apache.spark.network.protocol.RpcRequest;
 import org.apache.spark.network.server.RpcHandler;
 import org.apache.spark.network.shuffle.protocol.BlockTransferMessage;
 import org.apache.spark.network.shuffle.protocol.FinalizeShuffleMerge;
@@ -60,13 +57,16 @@ public void before() throws IOException {
     blockHandler = mock(ExternalBlockHandler.class);
   }
 
-  ShuffleTransportContext createShuffleTransportContext(boolean separateFinalizeThread)
-      throws IOException {
+  protected TransportConf createTransportConf(boolean separateFinalizeThread) {
     Map<String, String> configs = new HashMap<>();
     configs.put("spark.shuffle.server.finalizeShuffleMergeThreadsPercent",
-        separateFinalizeThread ? "1" : "0");
-    TransportConf transportConf = new TransportConf("shuffle",
-        new MapConfigProvider(configs));
+      separateFinalizeThread ? "1" : "0");
+    return new TransportConf("shuffle", new MapConfigProvider(configs));
+  }
+
+  ShuffleTransportContext createShuffleTransportContext(boolean separateFinalizeThread)
+      throws IOException {
+    TransportConf transportConf = createTransportConf(separateFinalizeThread);
     return new ShuffleTransportContext(transportConf, blockHandler, true);
   }
 
@@ -90,15 +90,22 @@ private ByteBuf getDecodableMessageBuf(Message req) throws Exception {
   public void testInitializePipeline() throws IOException {
     // SPARK-43987: test that the FinalizedHandler is added to the pipeline only when configured
     for (boolean enabled : new boolean[]{true, false}) {
-      ShuffleTransportContext ctx = createShuffleTransportContext(enabled);
-      SocketChannel channel = new NioSocketChannel();
-      RpcHandler rpcHandler = mock(RpcHandler.class);
-      ctx.initializePipeline(channel, rpcHandler);
-      String handlerName = ShuffleTransportContext.FinalizedHandler.HANDLER_NAME;
-      if (enabled) {
-        Assert.assertNotNull(channel.pipeline().get(handlerName));
-      } else {
-        Assert.assertNull(channel.pipeline().get(handlerName));
+      for (boolean isClient: new boolean[]{true, false}) {
+        // Since the decoder is not Shareable, reset it between test runs to avoid errors since it's
+        // used both across ShuffleTransportContextSuite and SslShuffleTransportContextSuite
+        // and server/clients
+        ShuffleTransportContext.SHUFFLE_DECODER = new ShuffleTransportContext.ShuffleMessageDecoder(
+          MessageDecoder.INSTANCE);
+        ShuffleTransportContext ctx = createShuffleTransportContext(enabled);
+        SocketChannel channel = new NioSocketChannel();
+        RpcHandler rpcHandler = mock(RpcHandler.class);
+        ctx.initializePipeline(channel, rpcHandler, isClient);
+        String handlerName = ShuffleTransportContext.FinalizedHandler.HANDLER_NAME;
+        if (enabled) {
+          Assert.assertNotNull(channel.pipeline().get(handlerName));
+        } else {
+          Assert.assertNull(channel.pipeline().get(handlerName));
+        }
       }
     }
   }
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleIntegrationSuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleIntegrationSuite.java
new file mode 100644
index 0000000000000..7b8d7bccf5013
--- /dev/null
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleIntegrationSuite.java
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.shuffle;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Random;
+
+import org.apache.spark.network.buffer.FileSegmentManagedBuffer;
+import org.apache.spark.network.buffer.ManagedBuffer;
+import org.apache.spark.network.server.OneForOneStreamManager;
+import org.junit.BeforeClass;
+
+import org.apache.spark.network.TransportContext;
+import org.apache.spark.network.util.TransportConf;
+import org.apache.spark.network.ssl.SslSampleConfigs;
+
+public class SslExternalShuffleIntegrationSuite extends ExternalShuffleIntegrationSuite {
+
+  private static TransportConf createTransportConf(String maxRetries, String rddEnabled) {
+    HashMap<String, String> config = new HashMap<>();
+    config.put("spark.shuffle.io.maxRetries", maxRetries);
+    config.put(Constants.SHUFFLE_SERVICE_FETCH_RDD_ENABLED, rddEnabled);
+    return new TransportConf(
+      "shuffle",
+      SslSampleConfigs.createDefaultConfigProviderForRpcNamespaceWithAdditionalEntries(config)
+    );
+  }
+
+  @Override
+  protected TransportConf createTransportConfForFetchNoServerTest() {
+    return createTransportConf("0", "false");
+  }
+
+  @BeforeClass
+  public static void beforeAll() throws IOException {
+    Random rand = new Random();
+
+    for (byte[] block : exec0Blocks) {
+      rand.nextBytes(block);
+    }
+    for (byte[] block: exec1Blocks) {
+      rand.nextBytes(block);
+    }
+    rand.nextBytes(exec0RddBlockValid);
+    rand.nextBytes(exec0RddBlockToRemove);
+
+    dataContext0 = new TestShuffleDataContext(2, 5);
+    dataContext0.create();
+    dataContext0.insertSortShuffleData(0, 0, exec0Blocks);
+    dataContext0.insertCachedRddData(RDD_ID, SPLIT_INDEX_VALID_BLOCK, exec0RddBlockValid);
+    dataContext0.insertCachedRddData(RDD_ID, SPLIT_INDEX_VALID_BLOCK_TO_RM, exec0RddBlockToRemove);
+
+    conf = SslExternalShuffleIntegrationSuite.createTransportConf("0", "true");
+    handler = new ExternalBlockHandler(
+      new OneForOneStreamManager(),
+      new ExternalShuffleBlockResolver(conf, null) {
+        @Override
+        public ManagedBuffer getRddBlockData(String appId, String execId, int rddId, int splitIdx) {
+          ManagedBuffer res;
+          if (rddId == RDD_ID) {
+            switch (splitIdx) {
+              case SPLIT_INDEX_CORRUPT_LENGTH:
+                res = new FileSegmentManagedBuffer(
+                  conf, new File("missing.file"), 0, 12);
+                break;
+              default:
+                res = super.getRddBlockData(appId, execId, rddId, splitIdx);
+            }
+          } else {
+            res = super.getRddBlockData(appId, execId, rddId, splitIdx);
+          }
+          return res;
+        }
+    });
+    transportContext = new TransportContext(conf, handler);
+    server = transportContext.createServer();
+  }
+}
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleSecuritySuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleSecuritySuite.java
new file mode 100644
index 0000000000000..061d63dbcd72d
--- /dev/null
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslExternalShuffleSecuritySuite.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.shuffle;
+
+import com.google.common.collect.ImmutableMap;
+
+import org.apache.spark.network.ssl.SslSampleConfigs;
+import org.apache.spark.network.util.TransportConf;
+
+public class SslExternalShuffleSecuritySuite extends ExternalShuffleSecuritySuite {
+
+  @Override
+  protected TransportConf createTransportConf(boolean encrypt) {
+    if (encrypt) {
+      return new TransportConf(
+        "shuffle",
+        SslSampleConfigs.createDefaultConfigProviderForRpcNamespaceWithAdditionalEntries(
+          ImmutableMap.of(
+          "spark.authenticate.enableSaslEncryption",
+          "true")
+        )
+      );
+    } else {
+      return new TransportConf(
+        "shuffle",
+        SslSampleConfigs.createDefaultConfigProviderForRpcNamespace()
+      );
+    }
+  }
+}
diff --git a/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslShuffleTransportContextSuite.java b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslShuffleTransportContextSuite.java
new file mode 100644
index 0000000000000..51463bbad5576
--- /dev/null
+++ b/common/network-shuffle/src/test/java/org/apache/spark/network/shuffle/SslShuffleTransportContextSuite.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.shuffle;
+
+import com.google.common.collect.ImmutableMap;
+
+import org.apache.spark.network.ssl.SslSampleConfigs;
+import org.apache.spark.network.util.TransportConf;
+
+public class SslShuffleTransportContextSuite extends ShuffleTransportContextSuite {
+
+  @Override
+  protected TransportConf createTransportConf(boolean separateFinalizeThread) {
+    return new TransportConf(
+      "shuffle",
+      SslSampleConfigs.createDefaultConfigProviderForRpcNamespaceWithAdditionalEntries(
+        ImmutableMap.of(
+          "spark.shuffle.server.finalizeShuffleMergeThreadsPercent",
+          separateFinalizeThread ? "1" : "0")
+      )
+    );
+  }
+}
diff --git a/common/network-shuffle/src/test/resources/certchain.pem b/common/network-shuffle/src/test/resources/certchain.pem
new file mode 100644
index 0000000000000..1004cacc9bf9a
--- /dev/null
+++ b/common/network-shuffle/src/test/resources/certchain.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQD7yXTHZWZZlDANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0EwHhcNMjMwNjIwMTczMjAzWhcNMzMwNjE3MTczMjAzWjAa
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDH4DO8IP/7xZgpzmYrBaqzsnpamq54cXP8JdQUOXP/dmh8myGg
+CUau/nNdpPNr1Od2iUvf1Z9OW+KcHdNAL/zcwe1ehU3d6/M+UinDtfbEb4HSyQ31
+9AIlPSUq+pJAlsAGJYERLGHPBNXEay0r0+TR0cd9CfSN79rXUMag40pZC3zdxXmY
+JpSkhNuiYfa+Z9TgXoki5MzNiyH12gAb9tO8tr55BnE5s/QujOp7LMjlf6VkE7Bp
+hqj1UbcHmFw7U9jyLDfi98uIvlEDFCwXARdmLxxaYAOqdgZ3TtjBvbugVRpRFQiw
+haFzkiok9bh+MclKQBKvF0ArHmMLHkcCd5oPAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBADYIPLwlnuH6rTbkjeZFYC2UXjNesbUe1TXbsBo9DDHJUSFjNNDDAUpSzhxb
+q6nMvex7tnTvTjAgOQR/qwAueAfcXHWe0EKvn4Y6yJERepSsYg5bSYBt+UJxW89R
+JRLmzBFxEJy1YhsqGCh+I2wRoRz8ZGokDyqcrAlwlzXYVDfNC4wUo14Cm+s90yc3
+2I/roX/MWec8QbEbr25psAYVnRdUL1mzCeQMc83A8Y0SDPfF5ECFhvFXkVaDTULO
+RddXWJoC4K5RuGa6yvpb75I8VTE3fwE2ykSgPuMShNZREDCuszkpPjjFumq9pCOJ
+nUO1huCqjxC1ehPe/9/jgmzoVX4=
+-----END CERTIFICATE-----
diff --git a/common/network-shuffle/src/test/resources/key.pem b/common/network-shuffle/src/test/resources/key.pem
new file mode 100644
index 0000000000000..77122755bfdaf
--- /dev/null
+++ b/common/network-shuffle/src/test/resources/key.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQIGBIe7ugOgfACAggABIIEyJgkzYc/ixcvwLJC
+eTzGOVwk+F1cqM4H63FOxIjroaxisceqoBmty6Rf4PJ1C9nprkSs6G/SkupbNUUB
+YiWmsQ91orllbHsczAc+qaa0tmommwgt27ZrfXdXBxDB0mJWQTijkVHWfyTqcXmC
+oeWlvTFsilA4CoVakryZQScl3qH/aN5zazg9gjx2xNCRwFexeccC7TqICJkPtnJC
++6wrSby2A9HlJs/MdtYyhfN360GDKvQygnw+wQj+san8EV5s7I7b45SsdEx5vOxP
++AKc6h7loWJkLrJFqDGtfqY/TY76t+sQpinS7R3sA4uYaT1bIx8Feu0GcIbnr3NS
+54St9hNfOgEDmWKFj0ZmMTEISOujj8hNTKYdc0Z/dx/+izqNCuLEXiJjLDIPxfRJ
+EfeYG0/4fBxdeZgIwIVVsUXX4eSzXhguuiwulNhRkUzKhH9aNrp1fw5t0hgsJOPx
+O8Y2sAtDL6KUHx+rt0ejrHYXK1+BOUCHcZiHCGmLCCQlrcX5TWDYPkhtrbtbxS6m
+p9aVxq7pcyxelVlUBXtWeYvcOHGueEd7QQL16uYbhrTHFIwx2Pw//LNIgyJTBNu7
+hxm2jica15PaALtSsYDRhsE9VkWawW9AXeBWOnEj7YKrT5ejrQLI9eCxtolRbVNd
+gSR5r7MQkPssjCU+pdsCl98e0mxVnq8eMDtZYSIDGLEyPfJNCsxDanzUuxSfBP8K
+cIDzREINA/QiuhyGxxBB8dR6k+kl1LNVy8FA7RYAe84MLW2wuaFMQirMDtTLo/Wt
+/AatxW4WKlCvfd/nC8O5xlzmF5qffhgmS8xYDL/w1G3Uxo21dA4gGipH9uw91wqi
+YaSidtcVs6JbHpUddmO5AiEiSBbbwqNgaOxNdur1WYWZHDNWvCKL9sqQy/HtDLHy
+Tzyuw8GtrpB2BKfWWwbAApqvjcqgjitEXk2Nw/L3qWfWmVStP9ys5rz27UWRhMFi
+Go/HrVh7heOxK16ei5tp2OyRLSfDBZ7+IlpbbnR26BPdBE08cuBo/ELOfifnYTTS
+V4CKLMiG7RxtdAddkFKO+GgNW1nNHppBBhJzDvuBcFuUfB+AdnymZTlA8RFha7aW
+zwtg6I1ABdMGPn+wzMhkkutDtSCWpkBRddJPcB1mwmRdp/2WC3NxuaMQX3anQG36
+9m2sxWUmT8ZLGvFDHIwGbRPT5zzcvIJV/xhZdCxhg/7tgLikBZBB8TmtDBck+wq+
+DPIEQkr4rObCi9xphSpHvPBGhdI5v8xbKEGLcPzVMW0hjaHouvQipEXC+ASrn/sG
+nytZkyt1DD8KG27wlcrDl/RDCcjNvlKkgKPme3pPsDcD+qX+eqjQ4OM9AexW+VLZ
+ZUa84/Fh6yjbuPF3vtCVRwFJURzhKMVG3Fcs7C3iczCOUNDOar9k0yCrmbACF9Wm
+kSD5lXPXe1fFq0xi21Isuz+FH4A5CR/tHc2i+avQhYs9FvaqzLiaNmLaZKrhX5uy
+dJXYtLruhgwBjv4eo6GXm8/WHFG6r4iaq6NEimQoT41MH+uJr9nAiBWg397JoHpG
+jheCZDpZBAVuEz8NUdWP7mu64DQsjKeY6okwMlXlcSUKlMnx8QCtEMTj/JF7E7dT
+bHYe30+OIWl3X88v9Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/common/network-shuffle/src/test/resources/keystore b/common/network-shuffle/src/test/resources/keystore
new file mode 100644
index 0000000000000000000000000000000000000000..f8310e39ba1e07c7559e5724f522c06ca47f5787
GIT binary patch
literal 2247
zcmchYc{J1uAI9f5Gt8i|P1&wBlPn{@Y0#AI+9uMFEKS|9bCt<Vma)doSW;mK$yzZL
zMhPuL63H$jWsTBxE5;02B9g9i&-=dTp40#DAI~4p=dbU1&U2pcrf^dTfk2>J0{)TM
zX}X`!>67%Z@GWAuh_Ft8Kt!M*6TS&bii+!r0&qYVDgyu_5I7UgZ~dLDFFKbbe4NJ>
z8h*OOS9N;OWepcs>OGoE=zuk2V{*wI)Z_e}>Z@^h>_v>&7v=eK%-(UR|F2)6ifSZm
zB{$HW8@=O<)XbNH;_wk=FeM$Bjfx=?s>^D9Zr#6WTzln-!DYFW$=EZVD(3K>jS96w
z-f`E>K|`eE2uJ#EUlg%5TBw+iWJz5iySD{o5{Ul(C)@&^f0t&B->D-6`JH0%@@;s@
zjMngAG004|Ao+Z!S-#o>U%j;FhYZ-6+Sr%89Pdns-=>tD<cjKLOEFw$W`Y7iJ*w@l
z{<)#9NQ_z4oL%jGClKweSk8K2b+MsshLSJE(dK>GRpP7IeZ?->$L-DANQrdWKTa;0
zluk^040v;S@5DL7!>L;M8&vwCZAjLK*vpGqYx~-VYZs+3mb>>RYt{axVJiP>$3Y|}
zz*eB_iPWr6Tc->>lU_2dn3A0UZrr!p`Ly9<<lc^`K}#n@@RG4qeTf{LV8Z^btG&_y
zGFSDwx3u{?r_3fn<t}&jk;8XJ!R)ZkpEIXW!B{Hg%&{rMhKG*OsZqs+<0IiZRN6GG
z)Nyb;BKE6D+i7*x8|9Ch?J#Ckm}fQl?Kn2O$Xu@%qn|o&?<S3kz<ULPf|rby?x3+m
zt+T<2gXj`Y$EU{DK6BrOA6(b#yk#Fn=hp28<eCIEEr<9BMg}yIy^}Wd+_oK`6?C9S
zMLt@$jA)Md@FMcW$CbhxCi!}*U)7IThxXctyouJP1Raj2m{qRMN~*EHdRbL<Hyam5
znJQ!+ZVDv|Vl@xVt+lY96y$tka9lAm!Fzh1h4jS86Kgz4X??d`rro%ME5|hK$qmU_
zYExs4G?_3|W8^}(Tf_(5wZ{fZ1u;XUZ^a&q6d&i`cIQgIo-cmbU<6pY*lQ!Rv-V#K
zb>%d%n&X#yvmACj3LY^dq?e=FaqJ!`fkB(%M!T4bA&bADq%;%h1-L)a{YF#I>*n5;
zXt7P-gtHyc-1yawv9;te^CLkar+P2}c`q>)=Cwt62se##oHtS0qXNZJW*YMjnTYe|
z1W+lZjRJ<oix>NxO-J~$3RTEpZS0TIp!w}_nOBXJ>YGGE1!<NnYgKh^XFog_VFoT$
z`_~*TpS)Ia?ZP@fM8sD2>=AA8t_d9vGYswy&Plo@H7BgF?Rr;IN}~I_OZ5AE?Xc>e
zduB^$Zl^0#&4F^xR^%KivoAj*R)05F<5T{9#!cLae!D`i$@(i5VdKPs;vD6ow-Pa0
zmfi>Du&L;*jI`*2mxHbvy2C)a@EF^M?KmG1vd1J;hO<00q<gYyWYEfRIN1|-F~%X~
z`{Hc?NwSk6swt3?GGNGyHctaA4D>{Ea0+F@!vpWZUoIem_pk7QGFApU$XWEZyP!S$
zy2#@wW_snjaE*mkb%s`~Ur~W0n&f9pXRDv9^a`mg8=d@ECh_CSHJ#du`ah#SxB9W1
z-p<Aj%6OF|2tj234Hxe$GBqPntjPDm(SFo{EAsCUG^i2vjP2B#_GaK`^H-ieT6X(x
zS%jR?E3^~1=gOsS>b!}YxjkPKt*mOLDS3IRD~MerwrgiggePgez$MStIAG30Vaz+z
znP5Kohc09y*(6S=bZ0;6*@CtY{i164xeX%S<NYU9!e#a8FkhEy+Zbu)Rd(?|<0wMj
zV+8JpKwz;T6BY?Fp<dTvPyh;rJ0Bq31W}@5x+!)kt0(}F5P^WFanf6p33G#sq7iO1
zDvcgV`!7NML=Zm_@t=sqPXzWq0;<ZRaE3S#B<#iGK)m6JEo%hgK;!?||MN9WVCTQ%
z*!mVQCLjd?nSeNy2>_5pQfMC@N!nO0wH%Xtuc`Uu_?pnpJ3cKSbR^Nesz@fkeg8K_
zTJ35i8GW{Bgm&Uy_A)8Ar>TC8<!?Hg5>0v~KUm51AD4|t?pz-*InPU(xFwfe7aK@-
z&`sYxAFsV#57|9oUhntf^%Ms6?u7Ik>%Ezi3GO{ccd<h=6x`H>$K+?Z=*8-c9HP#s
zOrXfNhRKwkI)1xzMcTvsXTrA@mGdnR9#$e8BDNj1us(Rjp^I@0JHr=J9h*keYb@4`
zEbRm4_$*5QRieRoP)JDy&5{>VVsBkDRg>0s_n`ei%|c)v!>9n^H~H}eLNotr3B^*=
z{jjq6yqK``^Vn@D41fS-8lW1evegh3Nw^$*J9JmC0%UznnvdunEUWXJm7jB#`FDt0
zo!SZ!fDlyn__i1(A!8e5JfGHGYq#O59PYAPUd^G9FA4GLhdQU@y3_KivZwp9e#sjZ
z1)6E~Py4647bJ-*g&tbSSqXlAo`|VY0-a#1EcqqpmY_MpMl0!c@gNTqd?DPoAC6{F
zX#Czw>93?(`H$;NoCL46jICSrt~xR}wNV^~dn<|;)#U(7hP$oGOzs-~AvLGK&g0zM
zw^?bP=4NGFJ3;N}QsShyk0XSs?LW@9d~Sxj?AVZ{pOtdaJ7!gP>dq$(AFE$ic(QF_
zMtzQi_+9hZzoOnZ-qFt&6a;ssvcmgs))|WiZVphZ+9n#oo9dzuTg|>3rcC)~XD4Ad
ZwPrecI^>>DS9jrYAM6Ze@sCox{su3o&c*-$

literal 0
HcmV?d00001

diff --git a/common/network-shuffle/src/test/resources/truststore b/common/network-shuffle/src/test/resources/truststore
new file mode 100644
index 0000000000000000000000000000000000000000..a6b1d46e1f391995553771665934518114892962
GIT binary patch
literal 957
zcmezO_TO6u1_mY|W(3omIr+(nIT`uIB|s66PaJ187+53pObsj<7?`UKnwZNCnwa7j
zFf%bSF|h<%`7Sl!W#iOp^Jx3d%gD&h%3zRVC}6<H#vIDRCd?k1mz|eio(B`*zz|`_
z5aGfQ;l>bQhKm@;iSrto7#bK@7#SNH7@I@^xuyn&24+w$on6z!sDvCGjI0dIO^o~u
z22G4yOihf849&hp=Zrag|9n~Gc#H3$vhv=@pKm=9>UvU(ZZwCjnIky!nB{NDyiMQB
zBZO<_+{laCF!_t`)YJQR{_Ib&x!G3fds+PIs-~1XLS?NdeqFL|Ki_tDnb_pb)#>@(
zTD|J;>oi2PIZoZR+nId!%3~GY`%wb7osA|uXbd}Tx=!cX%NWDQox39rO%?vMzHf?~
z=1swLR-RoC+D>nNbu4gY&$gL|-rloc_5R@2ZL8S5%Xot9o!zH-pDYd6dHL#Xw%@*+
zy&LU+nmT%>zI)Xlb76*?{++DCc`NfA&lk?~bl&)QW6#lb?w*%6eoUWUYC4NO`N6ZZ
z?8-A|%!_eU4)c+*d(ZiH(T7{hnV1<F7#AxV$Q#H4Q-~}dix`Utlj<1>hF?DgUa_CL
zx_EQkYw>r1g2;ggOjE!>WMr_A)k`{P(!x=_M=);x=K055cF6ji^!W09N=!ueTVn;U
z6EA8{^-Nzg`Ng@3($jCUF&@a<x&Ok8Qy=-<zRiwR<9N;eYUXrS8`H*o3s)JwuTz%2
zIZ)=J)^cU;)$=O3oh3;ZScFSs@?M?k?!C-^_|@*s*8Xp<sF^t*)Sls2x_VQ^>e8^o
zyyq)UdNa4Ognk!%pnCm3|2v5#(^qdW|F_DnC)CMo)7|XjC#6>R9=pT-w&U3U_Jbb|
zump?#5z4RO57rKM+MK!exniP|!?*K7M~h9*`B~JdzSntD@o>*t-I;G@<(}y1FS)RE
zvl(0Zzf0L`j^5p4uvCF<+hN<kCT)*XCQokB`M3FKhO0_L)r)TtxgK7R-&#o=x-kg=
DWo>hw

literal 0
HcmV?d00001

diff --git a/common/network-shuffle/src/test/resources/untrusted-keystore b/common/network-shuffle/src/test/resources/untrusted-keystore
new file mode 100644
index 0000000000000000000000000000000000000000..6015b02caa12817721fca3a83c8e58338b6d9aeb
GIT binary patch
literal 2246
zcmchYS5VUl7sc~W0)Ye-=~4xxg#Zav3<BbYq7-2TvQiAPfJ;JCiUxxasvxL<St&|0
zfK(+A5Qvn}r37$LK$=LC4og#Hm)ZHgot^Q0AI{9Zzo$EA&YXL&e6S1xfxw3X{uVFE
z&)to5-S1}LAu->8z3~KrxBxU2`W=0g8?MR?KmjE9H~?^gpj7C>T*;?*E%{fv1t#2A
zw<uTn^PFy?W0TjZ)1+so^L_N9y<xMp{xNOW6eBSu`Nw42<<ExjnGwct1$Mo7r)NCW
z4R)nH{$}D!2{>mzrvHqay1&t+Fi_Z+)w1n4H+Y%AMXJ&rSoCSXIQW|Hr+fhOC{~-z
zRlY#ibR-jPTxR#)AT!BEO?ezTUwe>&ocp&K#iX4G4x}&l;Dj))1SC+yocOHP<E%NV
zQS!hQ(?@y!J70d9$&l*}MjR)zQE@36diUMf3NIaHC(m});MI~95!cxDM*0E*OX<t8
z6+7;6EW7OOYSCSs(Fc;H(WGrNbjmdWm`aJbdz>Kcyd#4h$$Ysx{PW2wSrMAGjmd{>
zmZKc2Dyf?4ujwLhFCx*5Hx~U|Z)4cF@ukC(ds5*mRqTjW<hM2lY|#3UYbjq%tYEC}
z)6zbbR9?h@9zN6Q-isG?iyhO}t!wFup!YJS&sOz}VNvIY$<_O~lXGdki4zw$97V7z
zj{Q%wc85NiS}8+F;L-q3@`kvVd&+9S{a;Y5QCY)M@Gh>ZQ!rEzURPjf;fj^#543K+
z!ssm8re)p<nag8a&g6D@cy$#BzNfh{iNP^ENv(UhfUJOT&0nmg1)VC1X(4I`^v{92
z3k3Jp{we-T7b@8t)h{-#iZe(yQbJxh2V?THkdy2wb)z>qzo9BLWxDF++<UKQ4YM95
z#>xd2(u`*)aHlZZpG29)-s8jv^L!<=2n_lp*^DBVw#MvPDYjjU59hk-*=5ySF?<g;
zRZR}u*VtrFx^!Irb^VT6r-I}bKHRkhB>;vN-zN<FFW+8xsyms3dufmD>ZGbmhBK9h
zT^c^=AHxzXuw5SuT_j1a9=(n&J?~VzvG}qlOYj8&6PtlOG82v{Ls5creeldHDY=n}
z6NS98Hi+3%9-T{Nl<}Y`*yL)P*pyGtkkOKUx$aHwg>deSRCRDu3S_Bt*qYqP;^=vW
z>Sial$32p`22-|}%Wtf09n<D{)ynKi|CAtg`udG)&V3iph2We(0~XOCR>6kxR~g&{
z;kf$;?1pyH#legE8IIWJMw1!v9A-Bq$dIyn#d<qpt2oiTwX<Ml2{G@X8vAH<Kyt6E
zGhs*ZA|Ry0xse9hbP1E_>=DTZcOxsMZN<8A29U{XY8FE^^?*t(;Wc9KRLxuFXiP-G
z>e>s*`P%O)W#bh}MOrv+{^3tN%a_tNb9D8h>-eF{WYv1B{AL3=1%=#OJh|?KR$7@~
zM1%siVBJLAn~Pz$VnIy*@}LG*a&*qN<%mI`Z<UYf_s34HcjxuUvS;VglINe;ns&X*
z8mvnYB1(BO5c?10K%$GATJl>Qi8>jN6Bzl5(ULw7YAmA5UoEllgU<Gy!UK`5*>Du`
zAewV|((5eVYOO+`<3sL2d)BS_Mok%KAB6q1*Jc7zF$H5nC_yMo`6_U&c?)aPk4b$z
zk=~H8I#D$8!fS_4;uOVeZ*ca0M>wc+><Xl@Q5P5@@u~GWapDb+i!~YA&5a>X_;202
zht3{zS6QTZ`z}%LI2uqFW?YIRHI*33>s?|kWxkxSkI|mB{+aCe>R$D#3C_eDcm?~4
z04*s~%RJne@gR@YM1zFG)0DX;`R-ZeVAqWJ<toEi7Qfr=Gj?<*^YXvDkqfV`gVqOu
zAfad~Bm_+bU(JSq0WcU!x*ql$`Up2KGR8b+=Li5GxIkzUhX1fJA@)#iL72TS(bq4;
z_y2_F2Lk(nz<(f!9|+_hf|eFNg3-pH(Wf=FFc`G%mBUpBeK`DY{g1Dq0&@Sh<M3HP
zsK7B0nhL<dQ~&@yEJ6f8MqJ)(O0eES5lVrPMwQKeHsbiu&*NdAK&fuG+ieLjGww^X
z*5L-wN@kLApo+kS6^EOXle1^(!XoIQ6yuIk{`I&`>izOR@=|SzH@w)|jt`!(`wOVk
zU(Gc+<B#}9{Q~tL>3x6OSUy2;rv#hrK`;koo{3~F+?Lz<_V{4;1#8arvZ&0V8@AqY
z%gOfdX610i{YAs|(!9Q+SL{EgzRT#t9JFQIGR2S`6VaKXbv2cJ2H)BOR*n|BK8B>J
zu4T{_d4E~Njm&*(N{Lz*K3`qRFrPLYtX(hoRRuEpLT4<dPn48=qGo1;+DR!=`>Gjc
z7p!#ttliZeFa!Vrd9r93wA5ijq>e&GphCV$=V%&Tr1x)APN~~@unO~heb4>d#KTM-
znh1b2&I@^pv~P&tiq}$Qc2}5{Y1K+f=lfqETn=T3E>iK(`_W8&jcZK}2tO)n$}*DS
zW9s~&EeO=mYgrtHq(vr!#h3NAy`7YJ8V0q&`(N)hb2~hoF87PZRGUk~lN{xCT(jsw
z;Yp@T1SAT~KqTCb3a(cP)&1DNK4h=JduK2)s(9XTV?-4(76KO@#|t*-6s2Dl=w}?&
z`IEOv)DCjYr5eow*?MXh8OBgmy;!t>iQ6;NbaZ0pfS*It8}lB6l1(9$AdKemI=5q_
z{7jO%*zS`ZmPK|=YMq+2r-Np*`16dZu!n^|WkFZrL^nhKO<UWS!WwEQf7a-$W)tGG
VOI=$`4oZ<Jmfv_H%^$uo{ueBW-1z_i

literal 0
HcmV?d00001

diff --git a/core/pom.xml b/core/pom.xml
index 24f60c6c83814..af9c7e8bf0731 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -448,6 +448,13 @@
       <classifier>tests</classifier>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.spark</groupId>
+      <artifactId>spark-network-common_${scala.binary.version}</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.spark</groupId>
       <artifactId>spark-network-shuffle_${scala.binary.version}</artifactId>
diff --git a/core/src/main/scala/org/apache/spark/SSLOptions.scala b/core/src/main/scala/org/apache/spark/SSLOptions.scala
index d159f5717b090..a66065c9d65f7 100644
--- a/core/src/main/scala/org/apache/spark/SSLOptions.scala
+++ b/core/src/main/scala/org/apache/spark/SSLOptions.scala
@@ -19,12 +19,16 @@ package org.apache.spark
 
 import java.io.File
 import java.security.NoSuchAlgorithmException
+import java.util.HashMap
+import java.util.Map
 import javax.net.ssl.SSLContext
 
 import org.apache.hadoop.conf.Configuration
 import org.eclipse.jetty.util.ssl.SslContextFactory
 
 import org.apache.spark.internal.Logging
+import org.apache.spark.network.util.ConfigProvider
+import org.apache.spark.network.util.MapConfigProvider
 
 /**
  * SSLOptions class is a common container for SSL configuration options. It offers methods to
@@ -33,34 +37,53 @@ import org.apache.spark.internal.Logging
  * SSLOptions is intended to provide the maximum common set of SSL settings, which are supported
  * by the protocol, which it can generate the configuration for.
  *
+ * @param namespace           the configuration namespace
  * @param enabled             enables or disables SSL; if it is set to false, the rest of the
  *                            settings are disregarded
  * @param port                the port where to bind the SSL server; if not defined, it will be
  *                            based on the non-SSL port for the same service.
  * @param keyStore            a path to the key-store file
  * @param keyStorePassword    a password to access the key-store file
+ * @param privateKey          a PKCS#8 private key file in PEM format
  * @param keyPassword         a password to access the private key in the key-store
  * @param keyStoreType        the type of the key-store
  * @param needClientAuth      set true if SSL needs client authentication
+ * @param certChain           an X.509 certificate chain file in PEM format
  * @param trustStore          a path to the trust-store file
  * @param trustStorePassword  a password to access the trust-store file
  * @param trustStoreType      the type of the trust-store
+ * @param trustStoreReloadingEnabled enables or disables using a trust-store that reloads
+ *                                   its configuration when the trust-store file on disk changes
+ * @param trustStoreReloadInterval the interval, in milliseconds,
+ *                                 when the trust-store will reload its configuration
+ * @param openSslEnabled      enables or disables using an OpenSSL implementation
+ * (if available on host system), requires certChain and keyFile arguments
  * @param protocol            SSL protocol (remember that SSLv3 was compromised) supported by Java
  * @param enabledAlgorithms   a set of encryption algorithms that may be used
+ * @param dangerouslyFallbackIfKeysNotPresent If SSL is enabled but key files are not present,
+ *                                            fall back to unencrypted communication. This is an
+ *                                            advanced option and not recommended for normal use.
  */
 private[spark] case class SSLOptions(
+    namespace: Option[String] = None,
     enabled: Boolean = false,
     port: Option[Int] = None,
     keyStore: Option[File] = None,
     keyStorePassword: Option[String] = None,
+    privateKey: Option[File] = None,
     keyPassword: Option[String] = None,
     keyStoreType: Option[String] = None,
     needClientAuth: Boolean = false,
+    certChain: Option[File] = None,
     trustStore: Option[File] = None,
     trustStorePassword: Option[String] = None,
     trustStoreType: Option[String] = None,
+    trustStoreReloadingEnabled: Boolean = false,
+    trustStoreReloadInterval: Int = 10000,
+    openSslEnabled: Boolean = false,
     protocol: Option[String] = None,
-    enabledAlgorithms: Set[String] = Set.empty)
+    enabledAlgorithms: Set[String] = Set.empty,
+    dangerouslyFallbackIfKeysNotPresent: Boolean = false)
     extends Logging {
 
   /**
@@ -134,12 +157,44 @@ private[spark] case class SSLOptions(
     supported
   }
 
+  /**
+   *
+   * @return
+   */
+  def createConfigProvider(conf: SparkConf): ConfigProvider = {
+    val nsp = namespace.getOrElse("spark.ssl")
+    val confMap: Map[String, String] = new HashMap[String, String]
+    conf.getAll.foreach(tuple => confMap.put(tuple._1, tuple._2))
+    confMap.put(s"$nsp.enabled", enabled.toString)
+    confMap.put(s"$nsp.trustStoreReloadingEnabled", trustStoreReloadingEnabled.toString)
+    confMap.put(s"$nsp.openSslEnabled", openSslEnabled.toString)
+    confMap.put(s"$nsp.trustStoreReloadInterval", trustStoreReloadInterval.toString)
+    keyStore.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.keyStore", _))
+    keyStorePassword.foreach(confMap.put(s"$nsp.keyStorePassword", _))
+    privateKey.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.privateKey", _))
+    keyPassword.foreach(confMap.put(s"$nsp.keyPassword", _))
+    certChain.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.certChain", _))
+    trustStore.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.trustStore", _))
+    trustStorePassword.foreach(confMap.put(s"$nsp.trustStorePassword", _))
+    protocol.foreach(confMap.put(s"$nsp.protocol", _))
+    confMap.put(s"$nsp.enabledAlgorithms", enabledAlgorithms.mkString(","))
+    confMap.put(
+      s"$nsp.dangerouslyFallbackIfKeysNotPresent", dangerouslyFallbackIfKeysNotPresent.toString)
+
+    new MapConfigProvider(confMap)
+  }
+
   /** Returns a string representation of this SSLOptions with all the passwords masked. */
   override def toString: String = s"SSLOptions{enabled=$enabled, port=$port, " +
       s"keyStore=$keyStore, keyStorePassword=${keyStorePassword.map(_ => "xxx")}, " +
-      s"trustStore=$trustStore, trustStorePassword=${trustStorePassword.map(_ => "xxx")}, " +
-      s"protocol=$protocol, enabledAlgorithms=$enabledAlgorithms}"
-
+      s"privateKey=$privateKey, keyPassword=${keyPassword.map(_ => "xxx")}, " +
+      s"keyStoreType=$keyStoreType, needClientAuth=$needClientAuth, " +
+      s"certChain=$certChain, trustStore=$trustStore, " +
+      s"trustStorePassword=${trustStorePassword.map(_ => "xxx")}, " +
+      s"trustStoreReloadInterval=$trustStoreReloadInterval, " +
+      s"trustStoreReloadingEnabled=$trustStoreReloadingEnabled, openSSLEnabled=$openSslEnabled, " +
+      s"protocol=$protocol, enabledAlgorithms=$enabledAlgorithms}, " +
+      s"dangerouslyFallbackIfKeysNotPresent=$dangerouslyFallbackIfKeysNotPresent"
 }
 
 private[spark] object SSLOptions extends Logging {
@@ -152,15 +207,25 @@ private[spark] object SSLOptions extends Logging {
    * $ - `[ns].port` - the port where to bind the SSL server
    * $ - `[ns].keyStore` - a path to the key-store file; can be relative to the current directory
    * $ - `[ns].keyStorePassword` - a password to the key-store file
+   * $ - `[ns].privateKey` - a PKCS#8 private key file in PEM format
    * $ - `[ns].keyPassword` - a password to the private key
    * $ - `[ns].keyStoreType` - the type of the key-store
    * $ - `[ns].needClientAuth` - whether SSL needs client authentication
+   * $ - `[ns].certChain` - an X.509 certificate chain file in PEM format
    * $ - `[ns].trustStore` - a path to the trust-store file; can be relative to the current
    *                         directory
    * $ - `[ns].trustStorePassword` - a password to the trust-store file
    * $ - `[ns].trustStoreType` - the type of trust-store
+   * $ - `[ns].trustStoreReloadingEnabled` - enables or disables using a trust-store
+   * that reloads its configuration when the trust-store file on disk changes
+   * $ - `[ns].trustStoreReloadInterval` - the interval, in milliseconds, the
+   * trust-store will reload its configuration
+   * $ - `[ns].openSslEnabled` - enables or disables using an OpenSSL implementation
+   * (if available on host system), requires certChain and keyFile arguments
    * $ - `[ns].protocol` - a protocol name supported by a particular Java version
    * $ - `[ns].enabledAlgorithms` - a comma separated list of ciphers
+   * $ - `[ns].dangerouslyFallbackIfKeysNotPresent` - whether to fallback to unencrypted
+   *                                                  communication if keys are not present.
    *
    * For a list of protocols and ciphers supported by particular Java versions, you may go to
    * <a href="https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https">
@@ -180,7 +245,15 @@ private[spark] object SSLOptions extends Logging {
       hadoopConf: Configuration,
       ns: String,
       defaults: Option[SSLOptions] = None): SSLOptions = {
-    val enabled = conf.getBoolean(s"$ns.enabled", defaultValue = defaults.exists(_.enabled))
+
+    // RPC does not inherit the default enabled setting due to backwards compatibility reasons
+    val enabledDefault = if (ns == "spark.ssl.rpc") {
+      false
+    } else {
+      defaults.exists(_.enabled)
+    }
+
+    val enabled = conf.getBoolean(s"$ns.enabled", defaultValue = enabledDefault)
     if (!enabled) {
       return new SSLOptions()
     }
@@ -194,15 +267,23 @@ private[spark] object SSLOptions extends Logging {
 
     val keyStorePassword = conf.getWithSubstitution(s"$ns.keyStorePassword")
         .orElse(Option(hadoopConf.getPassword(s"$ns.keyStorePassword")).map(new String(_)))
+        .orElse(Option(conf.getenv(ENV_RPC_SSL_KEY_STORE_PASSWORD)).filter(_.trim.nonEmpty))
         .orElse(defaults.flatMap(_.keyStorePassword))
 
+    val privateKey = conf.getOption(s"$ns.privateKey").map(new File(_))
+        .orElse(defaults.flatMap(_.privateKey))
+
     val keyPassword = conf.getWithSubstitution(s"$ns.keyPassword")
         .orElse(Option(hadoopConf.getPassword(s"$ns.keyPassword")).map(new String(_)))
+        .orElse(Option(conf.getenv(ENV_RPC_SSL_KEY_PASSWORD)).filter(_.trim.nonEmpty))
         .orElse(defaults.flatMap(_.keyPassword))
 
     val keyStoreType = conf.getWithSubstitution(s"$ns.keyStoreType")
         .orElse(defaults.flatMap(_.keyStoreType))
 
+    val certChain = conf.getOption(s"$ns.certChain").map(new File(_))
+        .orElse(defaults.flatMap(_.certChain))
+
     val needClientAuth =
       conf.getBoolean(s"$ns.needClientAuth", defaultValue = defaults.exists(_.needClientAuth))
 
@@ -211,11 +292,21 @@ private[spark] object SSLOptions extends Logging {
 
     val trustStorePassword = conf.getWithSubstitution(s"$ns.trustStorePassword")
         .orElse(Option(hadoopConf.getPassword(s"$ns.trustStorePassword")).map(new String(_)))
+        .orElse(Option(conf.getenv(ENV_RPC_SSL_TRUST_STORE_PASSWORD)).filter(_.trim.nonEmpty))
         .orElse(defaults.flatMap(_.trustStorePassword))
 
     val trustStoreType = conf.getWithSubstitution(s"$ns.trustStoreType")
         .orElse(defaults.flatMap(_.trustStoreType))
 
+    val trustStoreReloadingEnabled = conf.getBoolean(s"$ns.trustStoreReloadingEnabled",
+        defaultValue = defaults.exists(_.trustStoreReloadingEnabled))
+
+    val trustStoreReloadInterval = conf.getInt(s"$ns.trustStoreReloadInterval",
+      defaultValue = defaults.map(_.trustStoreReloadInterval).getOrElse(10000))
+
+    val openSslEnabled = conf.getBoolean(s"$ns.openSslEnabled",
+        defaultValue = defaults.exists(_.openSslEnabled))
+
     val protocol = conf.getWithSubstitution(s"$ns.protocol")
         .orElse(defaults.flatMap(_.protocol))
 
@@ -224,20 +315,49 @@ private[spark] object SSLOptions extends Logging {
         .orElse(defaults.map(_.enabledAlgorithms))
         .getOrElse(Set.empty)
 
+    val dangerouslyFallbackIfKeysNotPresent =
+        conf.getBoolean(s"$ns.dangerouslyFallbackIfKeysNotPresent",
+            defaultValue = defaults.exists(_.dangerouslyFallbackIfKeysNotPresent))
+
     new SSLOptions(
+      Some(ns),
       enabled,
       port,
       keyStore,
       keyStorePassword,
+      privateKey,
       keyPassword,
       keyStoreType,
       needClientAuth,
+      certChain,
       trustStore,
       trustStorePassword,
       trustStoreType,
+      trustStoreReloadingEnabled,
+      trustStoreReloadInterval,
+      openSslEnabled,
       protocol,
-      enabledAlgorithms)
+      enabledAlgorithms,
+      dangerouslyFallbackIfKeysNotPresent)
   }
 
+  // Config names and environment variables for propagating SSL passwords
+  val SPARK_RPC_SSL_KEY_PASSWORD_CONF = "spark.ssl.rpc.keyPassword"
+  val SPARK_RPC_SSL_KEY_STORE_PASSWORD_CONF = "spark.ssl.rpc.keyStorePassword"
+  val SPARK_RPC_SSL_TRUST_STORE_PASSWORD_CONF = "spark.ssl.rpc.trustStorePassword"
+  val SPARK_RPC_SSL_PASSWORD_FIELDS: Seq[String] = Seq(
+    SPARK_RPC_SSL_KEY_PASSWORD_CONF,
+    SPARK_RPC_SSL_KEY_STORE_PASSWORD_CONF,
+    SPARK_RPC_SSL_TRUST_STORE_PASSWORD_CONF
+  )
+
+  val ENV_RPC_SSL_KEY_PASSWORD = "_SPARK_SSL_RPC_KEY_PASSWORD"
+  val ENV_RPC_SSL_KEY_STORE_PASSWORD = "_SPARK_SSL_RPC_KEY_STORE_PASSWORD"
+  val ENV_RPC_SSL_TRUST_STORE_PASSWORD = "_SPARK_SSL_RPC_TRUST_STORE_PASSWORD"
+  val SPARK_RPC_SSL_PASSWORD_ENVS: Seq[String] = Seq(
+    ENV_RPC_SSL_KEY_PASSWORD,
+    ENV_RPC_SSL_KEY_STORE_PASSWORD,
+    ENV_RPC_SSL_TRUST_STORE_PASSWORD
+  )
 }
 
diff --git a/core/src/main/scala/org/apache/spark/SecurityManager.scala b/core/src/main/scala/org/apache/spark/SecurityManager.scala
index 7e72ae8d89e37..645a5b1714f00 100644
--- a/core/src/main/scala/org/apache/spark/SecurityManager.scala
+++ b/core/src/main/scala/org/apache/spark/SecurityManager.scala
@@ -85,6 +85,11 @@ private[spark] class SecurityManager(
   setModifyAclsGroups(sparkConf.get(MODIFY_ACLS_GROUPS))
 
   private var secretKey: String = _
+
+  // Read these here instead of parsing the sslOptions since that has to be lazy
+  private val isSslRPCEnabled = sparkConf.getBoolean(
+    "spark.ssl.rpc.enabled", false)
+
   logInfo("SecurityManager: authentication " + (if (authOn) "enabled" else "disabled") +
     "; ui acls " + (if (aclsOn) "enabled" else "disabled") +
     "; users with view permissions: " +
@@ -94,12 +99,15 @@ private[spark] class SecurityManager(
     "; users with modify permissions: " +
     (if (modifyAcls.nonEmpty) modifyAcls.mkString(", ") else "EMPTY") +
     "; groups with modify permissions: " +
-    (if (modifyAclsGroups.nonEmpty) modifyAclsGroups.mkString(", ") else "EMPTY"))
+    (if (modifyAclsGroups.nonEmpty) modifyAclsGroups.mkString(", ") else "EMPTY") +
+    "; RPC SSL " + (if (isSslRPCEnabled) "enabled" else "disabled"))
 
   private val hadoopConf = SparkHadoopUtil.get.newConfiguration(sparkConf)
   // the default SSL configuration - it will be used by all communication layers unless overwritten
   private val defaultSSLOptions =
     SSLOptions.parse(sparkConf, hadoopConf, "spark.ssl", defaults = None)
+  // the SSL configuration for RPCs
+  private lazy val rpcSSLOptions = getSSLOptions("rpc")
 
   def getSSLOptions(module: String): SSLOptions = {
     val opts =
@@ -258,18 +266,46 @@ private[spark] class SecurityManager(
     isUserInACL(user, modifyAcls, modifyAclsGroups)
   }
 
+  /**
+   * Check to see if authentication is enabled and SSL for RPC is disabled (as they are mutually
+   * exclusive)
+   * @return Whether authentication is enabled and SSL for RPC is disabled
+   */
+  private def isAuthenticationEnabledAndSslRpcDisabled(): Boolean = {
+    if (sparkConf.get(NETWORK_AUTH_ENABLED)) {
+      if (rpcSSLOptions.enabled) {
+        logWarning("Network auth disabled as RPC SSL encryption is enabled")
+        false
+      } else {
+        true
+      }
+    } else {
+      false
+    }
+  }
+
+
   /**
    * Check to see if authentication for the Spark communication protocols is enabled
    * @return true if authentication is enabled, otherwise false
    */
-  def isAuthenticationEnabled(): Boolean = authOn
+  def isAuthenticationEnabled(): Boolean = isAuthenticationEnabledAndSslRpcDisabled
 
   /**
    * Checks whether network encryption should be enabled.
    * @return Whether to enable encryption when connecting to services that support it.
    */
   def isEncryptionEnabled(): Boolean = {
-    sparkConf.get(Network.NETWORK_CRYPTO_ENABLED) || sparkConf.get(SASL_ENCRYPTION_ENABLED)
+    if (sparkConf.get(Network.NETWORK_CRYPTO_ENABLED) || sparkConf.get(SASL_ENCRYPTION_ENABLED)) {
+      if (rpcSSLOptions.enabled) {
+        logWarning("Network encryption disabled as RPC SSL encryption is enabled")
+        false
+      } else {
+        true
+      }
+    } else {
+      false
+    }
   }
 
   /**
@@ -284,7 +320,7 @@ private[spark] class SecurityManager(
    * @return the secret key as a String if authentication is enabled, otherwise returns null
    */
   def getSecretKey(): String = {
-    if (isAuthenticationEnabled) {
+    if (authOn) {
       val creds = UserGroupInformation.getCurrentUser().getCredentials()
       Option(creds.getSecretKey(SECRET_LOOKUP_KEY))
         .map { bytes => new String(bytes, UTF_8) }
@@ -318,7 +354,7 @@ private[spark] class SecurityManager(
   def initializeAuth(): Unit = {
     import SparkMasterRegex._
 
-    if (!sparkConf.get(NETWORK_AUTH_ENABLED)) {
+    if (!authOn) {
       return
     }
 
@@ -391,6 +427,27 @@ private[spark] class SecurityManager(
   // Default SecurityManager only has a single secret key, so ignore appId.
   override def getSaslUser(appId: String): String = getSaslUser()
   override def getSecretKey(appId: String): String = getSecretKey()
+
+  /**
+   * If the RPC SSL settings are enabled, returns a map containing the password
+   * values so they can be passed to executors or other subprocesses.
+   *
+   * @return Map containing environment variables to pass
+   */
+  def getEnvironmentForSslRpcPasswords: Map[String, String] = {
+    if (rpcSSLOptions.enabled) {
+      val map = scala.collection.mutable.Map[String, String]()
+      rpcSSLOptions.keyPassword.foreach(password =>
+        map += (SSLOptions.ENV_RPC_SSL_KEY_PASSWORD -> password))
+      rpcSSLOptions.keyStorePassword.foreach(password =>
+        map += (SSLOptions.ENV_RPC_SSL_KEY_STORE_PASSWORD -> password))
+      rpcSSLOptions.trustStorePassword.foreach(password =>
+        map += (SSLOptions.ENV_RPC_SSL_TRUST_STORE_PASSWORD -> password))
+      map.toMap
+    } else {
+      Map()
+    }
+  }
 }
 
 private[spark] object SecurityManager {
diff --git a/core/src/main/scala/org/apache/spark/SparkConf.scala b/core/src/main/scala/org/apache/spark/SparkConf.scala
index 8c054d24b10d7..6f381c18bdc5b 100644
--- a/core/src/main/scala/org/apache/spark/SparkConf.scala
+++ b/core/src/main/scala/org/apache/spark/SparkConf.scala
@@ -739,6 +739,9 @@ private[spark] object SparkConf extends Logging {
     (name.startsWith("spark.auth") && name != SecurityManager.SPARK_AUTH_SECRET_CONF) ||
     name.startsWith("spark.rpc") ||
     name.startsWith("spark.network") ||
+    // We need SSL configs to propagate as they may be needed for RPCs.
+    // Passwords are propagated separately though.
+    (name.startsWith("spark.ssl") && !name.contains("Password")) ||
     isSparkPortConf(name)
   }
 
@@ -804,5 +807,4 @@ private[spark] object SparkConf extends Logging {
       key: String,
       version: String,
       translation: String => String = null)
-
 }
diff --git a/core/src/main/scala/org/apache/spark/SparkEnv.scala b/core/src/main/scala/org/apache/spark/SparkEnv.scala
index e404c9ee8b4cf..a54d65fe1b41b 100644
--- a/core/src/main/scala/org/apache/spark/SparkEnv.scala
+++ b/core/src/main/scala/org/apache/spark/SparkEnv.scala
@@ -374,7 +374,12 @@ object SparkEnv extends Logging {
     }
 
     val externalShuffleClient = if (conf.get(config.SHUFFLE_SERVICE_ENABLED)) {
-      val transConf = SparkTransportConf.fromSparkConf(conf, "shuffle", numUsableCores)
+      val transConf = SparkTransportConf.fromSparkConfWithSslOptions(
+        conf,
+        "shuffle",
+        numUsableCores,
+        sslOptions = Some(securityManager.getSSLOptions("rpc"))
+      )
       Some(new ExternalBlockStoreClient(transConf, securityManager,
         securityManager.isAuthenticationEnabled(), conf.get(config.SHUFFLE_REGISTRATION_TIMEOUT)))
     } else {
diff --git a/core/src/main/scala/org/apache/spark/deploy/ExternalShuffleService.scala b/core/src/main/scala/org/apache/spark/deploy/ExternalShuffleService.scala
index 22b138e5d9881..efeef99ba8a00 100644
--- a/core/src/main/scala/org/apache/spark/deploy/ExternalShuffleService.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/ExternalShuffleService.scala
@@ -53,7 +53,11 @@ class ExternalShuffleService(sparkConf: SparkConf, securityManager: SecurityMana
   private val registeredExecutorsDB = "registeredExecutors"
 
   private val transportConf =
-    SparkTransportConf.fromSparkConf(sparkConf, "shuffle", numUsableCores = 0)
+    SparkTransportConf.fromSparkConfWithSslOptions(
+      sparkConf,
+      "shuffle",
+      numUsableCores = 0,
+      sslOptions = Some(securityManager.getSSLOptions("rpc")))
   private val blockHandler = newShuffleBlockHandler(transportConf)
   private var transportContext: TransportContext = _
 
diff --git a/core/src/main/scala/org/apache/spark/deploy/worker/CommandUtils.scala b/core/src/main/scala/org/apache/spark/deploy/worker/CommandUtils.scala
index 8240bd6d2f438..5822d311f3e72 100644
--- a/core/src/main/scala/org/apache/spark/deploy/worker/CommandUtils.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/worker/CommandUtils.scala
@@ -22,7 +22,7 @@ import java.io.{File, FileOutputStream, InputStream, IOException}
 import scala.collection.JavaConverters._
 import scala.collection.Map
 
-import org.apache.spark.SecurityManager
+import org.apache.spark.{SecurityManager, SSLOptions}
 import org.apache.spark.deploy.Command
 import org.apache.spark.internal.Logging
 import org.apache.spark.launcher.WorkerCommandBuilder
@@ -90,6 +90,8 @@ object CommandUtils extends Logging {
     if (securityMgr.isAuthenticationEnabled) {
       newEnvironment += (SecurityManager.ENV_AUTH_SECRET -> securityMgr.getSecretKey)
     }
+    // set SSL env variables if needed
+    newEnvironment ++= securityMgr.getEnvironmentForSslRpcPasswords
 
     Command(
       command.mainClass,
@@ -97,8 +99,13 @@ object CommandUtils extends Logging {
       newEnvironment,
       command.classPathEntries ++ classPath,
       Seq.empty, // library path already captured in environment variable
-      // filter out auth secret from java options
-      command.javaOpts.filterNot(_.startsWith("-D" + SecurityManager.SPARK_AUTH_SECRET_CONF)))
+      // filter out secrets from java options
+      command.javaOpts.filterNot(opts =>
+        opts.startsWith("-D" + SecurityManager.SPARK_AUTH_SECRET_CONF) ||
+        SSLOptions.SPARK_RPC_SSL_PASSWORD_FIELDS.exists(
+          field => opts.startsWith("-D" + field)
+        )
+      ))
   }
 
   /** Spawn a thread that will redirect a given stream to a file */
diff --git a/core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala b/core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala
index 4a5de8cd5da92..a1c6b12a1d0f4 100644
--- a/core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala
+++ b/core/src/main/scala/org/apache/spark/executor/CoarseGrainedExecutorBackend.scala
@@ -87,7 +87,9 @@ private[spark] class CoarseGrainedExecutorBackend(
 
     logInfo("Connecting to driver: " + driverUrl)
     try {
-      val shuffleClientTransportConf = SparkTransportConf.fromSparkConf(env.conf, "shuffle")
+      val securityManager = new SecurityManager(env.conf)
+      val shuffleClientTransportConf = SparkTransportConf.fromSparkConfWithSslOptions(
+        env.conf, "shuffle", sslOptions = Some(securityManager.getSSLOptions("rpc")))
       if (NettyUtils.preferDirectBufs(shuffleClientTransportConf) &&
           PlatformDependent.maxDirectMemory() < env.conf.get(MAX_REMOTE_BLOCK_SIZE_FETCH_TO_MEM)) {
         throw new SparkException(s"Netty direct memory should at least be bigger than " +
diff --git a/core/src/main/scala/org/apache/spark/network/netty/NettyBlockTransferService.scala b/core/src/main/scala/org/apache/spark/network/netty/NettyBlockTransferService.scala
index 2bd7be8ebd9bd..83f09e47accd7 100644
--- a/core/src/main/scala/org/apache/spark/network/netty/NettyBlockTransferService.scala
+++ b/core/src/main/scala/org/apache/spark/network/netty/NettyBlockTransferService.scala
@@ -70,7 +70,11 @@ private[spark] class NettyBlockTransferService(
     val rpcHandler = new NettyBlockRpcServer(conf.getAppId, serializer, blockDataManager)
     var serverBootstrap: Option[TransportServerBootstrap] = None
     var clientBootstrap: Option[TransportClientBootstrap] = None
-    this.transportConf = SparkTransportConf.fromSparkConf(conf, "shuffle", numCores)
+    this.transportConf = SparkTransportConf.fromSparkConfWithSslOptions(
+      conf,
+      "shuffle",
+      numCores,
+      sslOptions = Some(securityManager.getSSLOptions("rpc")))
     if (authEnabled) {
       serverBootstrap = Some(new AuthServerBootstrap(transportConf, securityManager))
       clientBootstrap = Some(new AuthClientBootstrap(transportConf, conf.getAppId, securityManager))
diff --git a/core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala b/core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
index c9103045260f2..aedb8802f91d7 100644
--- a/core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
+++ b/core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
@@ -19,7 +19,7 @@ package org.apache.spark.network.netty
 
 import scala.collection.JavaConverters._
 
-import org.apache.spark.SparkConf
+import org.apache.spark.{SparkConf, SSLOptions}
 import org.apache.spark.network.util.{ConfigProvider, NettyUtils, TransportConf}
 
 /**
@@ -29,6 +29,24 @@ import org.apache.spark.network.util.{ConfigProvider, NettyUtils, TransportConf}
  */
 object SparkTransportConf {
 
+  /**
+   * Utility for creating a [[TransportConf]] from a [[SparkConf]].
+   * @param _conf          the [[SparkConf]]
+   * @param module         the module name
+   * @param numUsableCores if nonzero, this will restrict the server and client threads to only
+   *                       use the given number of cores, rather than all of the machine's cores.
+   *                       This restriction will only occur if these properties are not already set.
+   * @param role           optional role, could be driver, executor, worker and master. Default is
+   *                       [[None]], means no role specific configurations.
+   */
+  def fromSparkConf(
+      _conf: SparkConf,
+      module: String,
+      numUsableCores: Int = 0,
+      role: Option[String] = None): TransportConf = {
+    SparkTransportConf.fromSparkConfWithSslOptions(
+      _conf, module, numUsableCores, role, sslOptions = None)
+  }
   /**
    * Utility for creating a [[TransportConf]] from a [[SparkConf]].
    * @param _conf the [[SparkConf]]
@@ -38,12 +56,14 @@ object SparkTransportConf {
    *                       This restriction will only occur if these properties are not already set.
    * @param role           optional role, could be driver, executor, worker and master. Default is
    *                      [[None]], means no role specific configurations.
+   * @param sslOptions SSL config options
    */
-  def fromSparkConf(
+  def fromSparkConfWithSslOptions(
       _conf: SparkConf,
       module: String,
       numUsableCores: Int = 0,
-      role: Option[String] = None): TransportConf = {
+      role: Option[String] = None,
+      sslOptions: Option[SSLOptions]): TransportConf = {
     val conf = _conf.clone
     // specify default thread configuration based on our JVM's allocation of cores (rather than
     // necessarily assuming we have all the machine's cores).
@@ -57,12 +77,14 @@ object SparkTransportConf {
       conf.set(s"spark.$module.io.$suffix", value)
     }
 
-    new TransportConf(module, new ConfigProvider {
+    val configProvider = sslOptions.map(_.createConfigProvider(conf)).getOrElse({
+      new ConfigProvider {
       override def get(name: String): String = conf.get(name)
       override def get(name: String, defaultValue: String): String = conf.get(name, defaultValue)
       override def getAll(): java.lang.Iterable[java.util.Map.Entry[String, String]] = {
         conf.getAll.toMap.asJava.entrySet()
       }
-    })
+    }})
+    new TransportConf(module, configProvider)
   }
 }
diff --git a/core/src/main/scala/org/apache/spark/rpc/netty/NettyRpcEnv.scala b/core/src/main/scala/org/apache/spark/rpc/netty/NettyRpcEnv.scala
index 464b6cbc6b0a6..a035de3cf816c 100644
--- a/core/src/main/scala/org/apache/spark/rpc/netty/NettyRpcEnv.scala
+++ b/core/src/main/scala/org/apache/spark/rpc/netty/NettyRpcEnv.scala
@@ -52,11 +52,13 @@ private[netty] class NettyRpcEnv(
     if (id == SparkContext.DRIVER_IDENTIFIER) "driver" else "executor"
   }
 
-  private[netty] val transportConf = SparkTransportConf.fromSparkConf(
+  private[netty] val transportConf = SparkTransportConf.fromSparkConfWithSslOptions(
     conf.clone.set(RPC_IO_NUM_CONNECTIONS_PER_PEER, 1),
     "rpc",
     conf.get(RPC_IO_THREADS).getOrElse(numUsableCores),
-    role)
+    role,
+    sslOptions = Some(securityManager.getSSLOptions("rpc"))
+  )
 
   private val dispatcher: Dispatcher = new Dispatcher(this, numUsableCores)
 
@@ -391,7 +393,11 @@ private[netty] class NettyRpcEnv(
         }
 
         val ioThreads = clone.getInt("spark.files.io.threads", 1)
-        val downloadConf = SparkTransportConf.fromSparkConf(clone, module, ioThreads)
+        val downloadConf = SparkTransportConf.fromSparkConfWithSslOptions(
+          clone,
+          module,
+          ioThreads,
+          sslOptions = Some(securityManager.getSSLOptions("rpc")))
         val downloadContext = new TransportContext(downloadConf, new NoOpRpcHandler(), true)
         fileDownloadFactory = downloadContext.createClientFactory(createClientBootstraps())
       }
diff --git a/core/src/main/scala/org/apache/spark/shuffle/IndexShuffleBlockResolver.scala b/core/src/main/scala/org/apache/spark/shuffle/IndexShuffleBlockResolver.scala
index 919b0f5f7c135..b3238fd32f1d5 100644
--- a/core/src/main/scala/org/apache/spark/shuffle/IndexShuffleBlockResolver.scala
+++ b/core/src/main/scala/org/apache/spark/shuffle/IndexShuffleBlockResolver.scala
@@ -24,7 +24,7 @@ import java.nio.file.Files
 
 import scala.collection.mutable.ArrayBuffer
 
-import org.apache.spark.{SparkConf, SparkEnv, SparkException}
+import org.apache.spark.{SecurityManager, SparkConf, SparkEnv, SparkException}
 import org.apache.spark.errors.SparkCoreErrors
 import org.apache.spark.internal.{config, Logging}
 import org.apache.spark.io.NioBufferedFileInputStream
@@ -58,7 +58,11 @@ private[spark] class IndexShuffleBlockResolver(
 
   private lazy val blockManager = Option(_blockManager).getOrElse(SparkEnv.get.blockManager)
 
-  private val transportConf = SparkTransportConf.fromSparkConf(conf, "shuffle")
+  private val transportConf = {
+    val securityManager = new SecurityManager(conf)
+    SparkTransportConf.fromSparkConfWithSslOptions(
+      conf, "shuffle", sslOptions = Some(securityManager.getSSLOptions("rpc")))
+  }
 
   private val remoteShuffleMaxDisk: Option[Long] =
     conf.get(config.STORAGE_DECOMMISSION_SHUFFLE_MAX_DISK_SIZE)
diff --git a/core/src/main/scala/org/apache/spark/shuffle/ShuffleBlockPusher.scala b/core/src/main/scala/org/apache/spark/shuffle/ShuffleBlockPusher.scala
index ac43ba8b56fc8..8bb3632b051b2 100644
--- a/core/src/main/scala/org/apache/spark/shuffle/ShuffleBlockPusher.scala
+++ b/core/src/main/scala/org/apache/spark/shuffle/ShuffleBlockPusher.scala
@@ -25,7 +25,7 @@ import java.util.concurrent.ExecutorService
 import scala.collection.mutable.{ArrayBuffer, HashMap, HashSet, Queue}
 import scala.util.control.NonFatal
 
-import org.apache.spark.{ShuffleDependency, SparkConf, SparkContext, SparkEnv}
+import org.apache.spark.{SecurityManager, ShuffleDependency, SparkConf, SparkContext, SparkEnv}
 import org.apache.spark.annotation.Since
 import org.apache.spark.executor.{CoarseGrainedExecutorBackend, ExecutorBackend}
 import org.apache.spark.internal.Logging
@@ -108,7 +108,9 @@ private[spark] class ShuffleBlockPusher(conf: SparkConf) extends Logging {
       dep: ShuffleDependency[_, _, _],
       mapIndex: Int): Unit = {
     val numPartitions = dep.partitioner.numPartitions
-    val transportConf = SparkTransportConf.fromSparkConf(conf, "shuffle")
+    val securityManager = new SecurityManager(conf)
+    val transportConf = SparkTransportConf.fromSparkConfWithSslOptions(
+      conf, "shuffle", sslOptions = Some(securityManager.getSSLOptions("rpc")))
     this.shuffleId = dep.shuffleId
     this.shuffleMergeId = dep.shuffleMergeId
     this.mapIndex = mapIndex
diff --git a/core/src/main/scala/org/apache/spark/storage/BlockManager.scala b/core/src/main/scala/org/apache/spark/storage/BlockManager.scala
index 05d57c67576a5..df86097a9e226 100644
--- a/core/src/main/scala/org/apache/spark/storage/BlockManager.scala
+++ b/core/src/main/scala/org/apache/spark/storage/BlockManager.scala
@@ -85,6 +85,13 @@ private[spark] trait BlockData {
    */
   def toNetty(): Object
 
+  /**
+   * Returns a Netty-friendly wrapper for the block's data.
+   *
+   * Please see `ManagedBuffer.convertToNettyForSsl()` for more details.
+   */
+  def toNettyForSsl(): Object
+
   def toChunkedByteBuffer(allocator: Int => ByteBuffer): ChunkedByteBuffer
 
   def toByteBuffer(): ByteBuffer
@@ -103,6 +110,8 @@ private[spark] class ByteBufferBlockData(
 
   override def toNetty(): Object = buffer.toNetty
 
+  override def toNettyForSsl(): AnyRef = buffer.toNettyForSsl
+
   override def toChunkedByteBuffer(allocator: Int => ByteBuffer): ChunkedByteBuffer = {
     buffer.copy(allocator)
   }
@@ -1240,7 +1249,8 @@ private[spark] class BlockManager(
             new EncryptedBlockData(file, blockSize, conf, key))
 
         case _ =>
-          val transportConf = SparkTransportConf.fromSparkConf(conf, "shuffle")
+          val transportConf = SparkTransportConf.fromSparkConfWithSslOptions(
+            conf, "shuffle", sslOptions = Some(securityManager.getSSLOptions("rpc")))
           new FileSegmentManagedBuffer(transportConf, file, 0, file.length)
       }
       Some(managedBuffer)
diff --git a/core/src/main/scala/org/apache/spark/storage/BlockManagerManagedBuffer.scala b/core/src/main/scala/org/apache/spark/storage/BlockManagerManagedBuffer.scala
index 5c12b5cee4d2f..cab11536e1461 100644
--- a/core/src/main/scala/org/apache/spark/storage/BlockManagerManagedBuffer.scala
+++ b/core/src/main/scala/org/apache/spark/storage/BlockManagerManagedBuffer.scala
@@ -51,6 +51,8 @@ private[storage] class BlockManagerManagedBuffer(
 
   override def convertToNetty(): Object = data.toNetty()
 
+  override def convertToNettyForSsl(): Object = data.toNettyForSsl()
+
   override def retain(): ManagedBuffer = {
     refCount.incrementAndGet()
     val locked = blockInfoManager.lockForReading(blockId, blocking = false)
diff --git a/core/src/main/scala/org/apache/spark/storage/DiskStore.scala b/core/src/main/scala/org/apache/spark/storage/DiskStore.scala
index 1cb5adef5f460..54c5d0b2dce71 100644
--- a/core/src/main/scala/org/apache/spark/storage/DiskStore.scala
+++ b/core/src/main/scala/org/apache/spark/storage/DiskStore.scala
@@ -184,6 +184,14 @@ private class DiskBlockData(
   */
   override def toNetty(): AnyRef = new DefaultFileRegion(file, 0, size)
 
+  /**
+   * Returns a Netty-friendly wrapper for the block's data.
+   *
+   * Please see `ManagedBuffer.convertToNettyForSsl()` for more details.
+   */
+  override def toNettyForSsl(): AnyRef =
+    toChunkedByteBuffer(ByteBuffer.allocate).toNettyForSsl
+
   override def toChunkedByteBuffer(allocator: (Int) => ByteBuffer): ChunkedByteBuffer = {
     Utils.tryWithResource(open()) { channel =>
       var remaining = blockSize
@@ -234,6 +242,9 @@ private[spark] class EncryptedBlockData(
 
   override def toNetty(): Object = new ReadableChannelFileRegion(open(), blockSize)
 
+  override def toNettyForSsl(): AnyRef =
+    toChunkedByteBuffer(ByteBuffer.allocate).toNettyForSsl
+
   override def toChunkedByteBuffer(allocator: Int => ByteBuffer): ChunkedByteBuffer = {
     val source = open()
     try {
@@ -297,6 +308,8 @@ private[spark] class EncryptedManagedBuffer(
 
   override def convertToNetty(): AnyRef = blockData.toNetty()
 
+  override def convertToNettyForSsl(): AnyRef = blockData.toNettyForSsl()
+
   override def createInputStream(): InputStream = blockData.toInputStream()
 
   override def retain(): ManagedBuffer = this
diff --git a/core/src/main/scala/org/apache/spark/util/io/ChunkedByteBuffer.scala b/core/src/main/scala/org/apache/spark/util/io/ChunkedByteBuffer.scala
index 73e4e72cc5bde..88bd117ba22bf 100644
--- a/core/src/main/scala/org/apache/spark/util/io/ChunkedByteBuffer.scala
+++ b/core/src/main/scala/org/apache/spark/util/io/ChunkedByteBuffer.scala
@@ -23,6 +23,7 @@ import java.nio.channels.WritableByteChannel
 
 import com.google.common.io.ByteStreams
 import com.google.common.primitives.UnsignedBytes
+import io.netty.handler.stream.ChunkedStream
 import org.apache.commons.io.IOUtils
 
 import org.apache.spark.SparkEnv
@@ -131,6 +132,14 @@ private[spark] class ChunkedByteBuffer(var chunks: Array[ByteBuffer]) extends Ex
     new ChunkedByteBufferFileRegion(this, bufferWriteChunkSize)
   }
 
+  /**
+   * Wrap this in a ChunkedStream which allows us to provide the data in a manner
+   * compatible with SSL encryption
+   */
+  def toNettyForSsl: ChunkedStream = {
+    new ChunkedStream(toInputStream(), bufferWriteChunkSize)
+  }
+
   /**
    * Copy this buffer into a new byte array.
    *
@@ -284,6 +293,17 @@ private[spark] class ChunkedByteBufferInputStream(
     }
   }
 
+  override def available(): Int = {
+    if (currentChunk != null && !currentChunk.hasRemaining && chunks.hasNext) {
+      currentChunk = chunks.next()
+    }
+    if (currentChunk != null && currentChunk.hasRemaining) {
+      currentChunk.remaining
+    } else {
+      0
+    }
+  }
+
   override def read(): Int = {
     if (currentChunk != null && !currentChunk.hasRemaining && chunks.hasNext) {
       currentChunk = chunks.next()
diff --git a/core/src/test/resources/certchain.pem b/core/src/test/resources/certchain.pem
new file mode 100644
index 0000000000000..1004cacc9bf9a
--- /dev/null
+++ b/core/src/test/resources/certchain.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQD7yXTHZWZZlDANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0EwHhcNMjMwNjIwMTczMjAzWhcNMzMwNjE3MTczMjAzWjAa
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDH4DO8IP/7xZgpzmYrBaqzsnpamq54cXP8JdQUOXP/dmh8myGg
+CUau/nNdpPNr1Od2iUvf1Z9OW+KcHdNAL/zcwe1ehU3d6/M+UinDtfbEb4HSyQ31
+9AIlPSUq+pJAlsAGJYERLGHPBNXEay0r0+TR0cd9CfSN79rXUMag40pZC3zdxXmY
+JpSkhNuiYfa+Z9TgXoki5MzNiyH12gAb9tO8tr55BnE5s/QujOp7LMjlf6VkE7Bp
+hqj1UbcHmFw7U9jyLDfi98uIvlEDFCwXARdmLxxaYAOqdgZ3TtjBvbugVRpRFQiw
+haFzkiok9bh+MclKQBKvF0ArHmMLHkcCd5oPAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBADYIPLwlnuH6rTbkjeZFYC2UXjNesbUe1TXbsBo9DDHJUSFjNNDDAUpSzhxb
+q6nMvex7tnTvTjAgOQR/qwAueAfcXHWe0EKvn4Y6yJERepSsYg5bSYBt+UJxW89R
+JRLmzBFxEJy1YhsqGCh+I2wRoRz8ZGokDyqcrAlwlzXYVDfNC4wUo14Cm+s90yc3
+2I/roX/MWec8QbEbr25psAYVnRdUL1mzCeQMc83A8Y0SDPfF5ECFhvFXkVaDTULO
+RddXWJoC4K5RuGa6yvpb75I8VTE3fwE2ykSgPuMShNZREDCuszkpPjjFumq9pCOJ
+nUO1huCqjxC1ehPe/9/jgmzoVX4=
+-----END CERTIFICATE-----
diff --git a/core/src/test/resources/key.pem b/core/src/test/resources/key.pem
new file mode 100644
index 0000000000000..77122755bfdaf
--- /dev/null
+++ b/core/src/test/resources/key.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQIGBIe7ugOgfACAggABIIEyJgkzYc/ixcvwLJC
+eTzGOVwk+F1cqM4H63FOxIjroaxisceqoBmty6Rf4PJ1C9nprkSs6G/SkupbNUUB
+YiWmsQ91orllbHsczAc+qaa0tmommwgt27ZrfXdXBxDB0mJWQTijkVHWfyTqcXmC
+oeWlvTFsilA4CoVakryZQScl3qH/aN5zazg9gjx2xNCRwFexeccC7TqICJkPtnJC
++6wrSby2A9HlJs/MdtYyhfN360GDKvQygnw+wQj+san8EV5s7I7b45SsdEx5vOxP
++AKc6h7loWJkLrJFqDGtfqY/TY76t+sQpinS7R3sA4uYaT1bIx8Feu0GcIbnr3NS
+54St9hNfOgEDmWKFj0ZmMTEISOujj8hNTKYdc0Z/dx/+izqNCuLEXiJjLDIPxfRJ
+EfeYG0/4fBxdeZgIwIVVsUXX4eSzXhguuiwulNhRkUzKhH9aNrp1fw5t0hgsJOPx
+O8Y2sAtDL6KUHx+rt0ejrHYXK1+BOUCHcZiHCGmLCCQlrcX5TWDYPkhtrbtbxS6m
+p9aVxq7pcyxelVlUBXtWeYvcOHGueEd7QQL16uYbhrTHFIwx2Pw//LNIgyJTBNu7
+hxm2jica15PaALtSsYDRhsE9VkWawW9AXeBWOnEj7YKrT5ejrQLI9eCxtolRbVNd
+gSR5r7MQkPssjCU+pdsCl98e0mxVnq8eMDtZYSIDGLEyPfJNCsxDanzUuxSfBP8K
+cIDzREINA/QiuhyGxxBB8dR6k+kl1LNVy8FA7RYAe84MLW2wuaFMQirMDtTLo/Wt
+/AatxW4WKlCvfd/nC8O5xlzmF5qffhgmS8xYDL/w1G3Uxo21dA4gGipH9uw91wqi
+YaSidtcVs6JbHpUddmO5AiEiSBbbwqNgaOxNdur1WYWZHDNWvCKL9sqQy/HtDLHy
+Tzyuw8GtrpB2BKfWWwbAApqvjcqgjitEXk2Nw/L3qWfWmVStP9ys5rz27UWRhMFi
+Go/HrVh7heOxK16ei5tp2OyRLSfDBZ7+IlpbbnR26BPdBE08cuBo/ELOfifnYTTS
+V4CKLMiG7RxtdAddkFKO+GgNW1nNHppBBhJzDvuBcFuUfB+AdnymZTlA8RFha7aW
+zwtg6I1ABdMGPn+wzMhkkutDtSCWpkBRddJPcB1mwmRdp/2WC3NxuaMQX3anQG36
+9m2sxWUmT8ZLGvFDHIwGbRPT5zzcvIJV/xhZdCxhg/7tgLikBZBB8TmtDBck+wq+
+DPIEQkr4rObCi9xphSpHvPBGhdI5v8xbKEGLcPzVMW0hjaHouvQipEXC+ASrn/sG
+nytZkyt1DD8KG27wlcrDl/RDCcjNvlKkgKPme3pPsDcD+qX+eqjQ4OM9AexW+VLZ
+ZUa84/Fh6yjbuPF3vtCVRwFJURzhKMVG3Fcs7C3iczCOUNDOar9k0yCrmbACF9Wm
+kSD5lXPXe1fFq0xi21Isuz+FH4A5CR/tHc2i+avQhYs9FvaqzLiaNmLaZKrhX5uy
+dJXYtLruhgwBjv4eo6GXm8/WHFG6r4iaq6NEimQoT41MH+uJr9nAiBWg397JoHpG
+jheCZDpZBAVuEz8NUdWP7mu64DQsjKeY6okwMlXlcSUKlMnx8QCtEMTj/JF7E7dT
+bHYe30+OIWl3X88v9Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/core/src/test/scala/org/apache/spark/ExternalShuffleServiceSuite.scala b/core/src/test/scala/org/apache/spark/ExternalShuffleServiceSuite.scala
index 1d1bb9e9eee8a..f0a63247e64b1 100644
--- a/core/src/test/scala/org/apache/spark/ExternalShuffleServiceSuite.scala
+++ b/core/src/test/scala/org/apache/spark/ExternalShuffleServiceSuite.scala
@@ -49,8 +49,7 @@ class ExternalShuffleServiceSuite extends ShuffleSuite with BeforeAndAfterAll wi
   var transportContext: TransportContext = _
   var rpcHandler: ExternalBlockHandler = _
 
-  override def beforeAll(): Unit = {
-    super.beforeAll()
+  protected def initializeHandlers(): Unit = {
     val transportConf = SparkTransportConf.fromSparkConf(conf, "shuffle", numUsableCores = 2)
     rpcHandler = new ExternalBlockHandler(transportConf, null)
     transportContext = new TransportContext(transportConf, rpcHandler)
@@ -61,6 +60,11 @@ class ExternalShuffleServiceSuite extends ShuffleSuite with BeforeAndAfterAll wi
     conf.set(config.SHUFFLE_SERVICE_PORT, server.getPort)
   }
 
+  override def beforeAll(): Unit = {
+    super.beforeAll()
+    initializeHandlers()
+  }
+
   override def afterAll(): Unit = {
     Utils.tryLogNonFatalError{
       server.close()
diff --git a/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala b/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
index 81bc4ae9da02f..1357fc8bda3c3 100644
--- a/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
@@ -31,6 +31,8 @@ class SSLOptionsSuite extends SparkFunSuite {
   test("test resolving property file as spark conf ") {
     val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
     val trustStorePath = new File(this.getClass.getResource("/truststore").toURI).getAbsolutePath
+    val privateKeyPath = new File(this.getClass.getResource("/key.pem").toURI).getAbsolutePath
+    val certChainPath = new File(this.getClass.getResource("/certchain.pem").toURI).getAbsolutePath
 
     // Pick two cipher suites that the provider knows about
     val sslContext = SSLContext.getInstance("TLSv1.2")
@@ -47,8 +49,13 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.keyStore", keyStorePath)
     conf.set("spark.ssl.keyStorePassword", "password")
     conf.set("spark.ssl.keyPassword", "password")
+    conf.set("spark.ssl.privateKey", privateKeyPath)
+    conf.set("spark.ssl.certChain", certChainPath)
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
+    conf.set("spark.ssl.trustStoreReloadingEnabled", "false")
+    conf.set("spark.ssl.trustStoreReloadInterval", "10000")
+    conf.set("spark.ssl.openSslEnabled", "false")
     conf.set("spark.ssl.enabledAlgorithms", algorithms.mkString(","))
     conf.set("spark.ssl.protocol", "TLSv1.2")
 
@@ -62,7 +69,16 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.keyStore.get.getName === "keystore")
     assert(opts.keyStore.get.getAbsolutePath === keyStorePath)
     assert(opts.trustStorePassword === Some("password"))
+    assert(opts.trustStoreReloadingEnabled === false)
+    assert(opts.trustStoreReloadInterval === 10000)
+    assert(opts.privateKey.isDefined === true)
+    assert(opts.privateKey.get.getName === "key.pem")
+    assert(opts.privateKey.get.getAbsolutePath === privateKeyPath)
+    assert(opts.certChain.isDefined === true)
+    assert(opts.certChain.get.getName === "certchain.pem")
+    assert(opts.certChain.get.getAbsolutePath === certChainPath)
     assert(opts.keyStorePassword === Some("password"))
+    assert(opts.openSslEnabled === false)
     assert(opts.keyPassword === Some("password"))
     assert(opts.protocol === Some("TLSv1.2"))
     assert(opts.enabledAlgorithms === algorithms)
@@ -71,6 +87,8 @@ class SSLOptionsSuite extends SparkFunSuite {
   test("test resolving property with defaults specified ") {
     val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
     val trustStorePath = new File(this.getClass.getResource("/truststore").toURI).getAbsolutePath
+    val privateKeyPath = new File(this.getClass.getResource("/key.pem").toURI).getAbsolutePath
+    val certChainPath = new File(this.getClass.getResource("/certchain.pem").toURI).getAbsolutePath
 
     val conf = new SparkConf
     val hadoopConf = new Configuration()
@@ -78,8 +96,13 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.keyStore", keyStorePath)
     conf.set("spark.ssl.keyStorePassword", "password")
     conf.set("spark.ssl.keyPassword", "password")
+    conf.set("spark.ssl.privateKey", privateKeyPath)
+    conf.set("spark.ssl.certChain", certChainPath)
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
+    conf.set("spark.ssl.trustStoreReloadingEnabled", "false")
+    conf.set("spark.ssl.trustStoreReloadInterval", "10000")
+    conf.set("spark.ssl.openSslEnabled", "false")
     conf.set("spark.ssl.enabledAlgorithms",
       "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
     conf.set("spark.ssl.protocol", "SSLv3")
@@ -91,12 +114,22 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.trustStore.isDefined)
     assert(opts.trustStore.get.getName === "truststore")
     assert(opts.trustStore.get.getAbsolutePath === trustStorePath)
+    assert(opts.privateKey.isDefined === true)
+    assert(opts.privateKey.get.getName === "key.pem")
+    assert(opts.privateKey.get.getAbsolutePath === privateKeyPath)
+    assert(opts.certChain.isDefined === true)
+    assert(opts.certChain.get.getName === "certchain.pem")
+    assert(opts.certChain.get.getAbsolutePath === certChainPath)
     assert(opts.keyStore.isDefined)
     assert(opts.keyStore.get.getName === "keystore")
     assert(opts.keyStore.get.getAbsolutePath === keyStorePath)
     assert(opts.trustStorePassword === Some("password"))
     assert(opts.keyStorePassword === Some("password"))
     assert(opts.keyPassword === Some("password"))
+    assert(opts.trustStorePassword === Some("password"))
+    assert(opts.trustStoreReloadingEnabled === false)
+    assert(opts.trustStoreReloadInterval === 10000)
+    assert(opts.openSslEnabled === false)
     assert(opts.protocol === Some("SSLv3"))
     assert(opts.enabledAlgorithms ===
       Set("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"))
@@ -105,6 +138,8 @@ class SSLOptionsSuite extends SparkFunSuite {
   test("test whether defaults can be overridden ") {
     val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
     val trustStorePath = new File(this.getClass.getResource("/truststore").toURI).getAbsolutePath
+    val privateKeyPath = new File(this.getClass.getResource("/key.pem").toURI).getAbsolutePath
+    val certChainPath = new File(this.getClass.getResource("/certchain.pem").toURI).getAbsolutePath
 
     val conf = new SparkConf
     val hadoopConf = new Configuration()
@@ -115,8 +150,13 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.keyStorePassword", "password")
     conf.set("spark.ssl.ui.keyStorePassword", "12345")
     conf.set("spark.ssl.keyPassword", "password")
+    conf.set("spark.ssl.privateKey", privateKeyPath)
+    conf.set("spark.ssl.certChain", certChainPath)
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
+    conf.set("spark.ssl.ui.trustStoreReloadingEnabled", "true")
+    conf.set("spark.ssl.ui.trustStoreReloadInterval", "20000")
+    conf.set("spark.ssl.ui.openSslEnabled", "true")
     conf.set("spark.ssl.enabledAlgorithms",
       "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
     conf.set("spark.ssl.ui.enabledAlgorithms", "ABC, DEF")
@@ -130,16 +170,88 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.trustStore.isDefined)
     assert(opts.trustStore.get.getName === "truststore")
     assert(opts.trustStore.get.getAbsolutePath === trustStorePath)
+    assert(opts.privateKey.isDefined === true)
+    assert(opts.privateKey.get.getName === "key.pem")
+    assert(opts.privateKey.get.getAbsolutePath === privateKeyPath)
+    assert(opts.certChain.isDefined === true)
+    assert(opts.certChain.get.getName === "certchain.pem")
+    assert(opts.certChain.get.getAbsolutePath === certChainPath)
+    assert(opts.keyStore.isDefined)
+    assert(opts.keyStore.get.getName === "keystore")
+    assert(opts.keyStore.get.getAbsolutePath === keyStorePath)
+    assert(opts.trustStorePassword === Some("password"))
+    assert(opts.keyStorePassword === Some("12345"))
+    assert(opts.keyPassword === Some("password"))
+    assert(opts.trustStoreReloadingEnabled === true)
+    assert(opts.trustStoreReloadInterval === 20000)
+    assert(opts.openSslEnabled === true)
+    assert(opts.protocol === Some("SSLv3"))
+    assert(opts.enabledAlgorithms === Set("ABC", "DEF"))
+  }
+
+  test("ensure RPC settings don't get enabled via inheritance ") {
+    val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
+    val trustStorePath = new File(this.getClass.getResource("/truststore").toURI).getAbsolutePath
+    val privateKeyPath = new File(this.getClass.getResource("/key.pem").toURI).getAbsolutePath
+    val certChainPath = new File(this.getClass.getResource("/certchain.pem").toURI).getAbsolutePath
+
+    val conf = new SparkConf
+    val hadoopConf = new Configuration()
+    conf.set("spark.ssl.enabled", "true")
+    conf.set("spark.ssl.rpc.port", "4242")
+    conf.set("spark.ssl.keyStore", keyStorePath)
+    conf.set("spark.ssl.keyStorePassword", "password")
+    conf.set("spark.ssl.rpc.keyStorePassword", "12345")
+    conf.set("spark.ssl.keyPassword", "password")
+    conf.set("spark.ssl.privateKey", privateKeyPath)
+    conf.set("spark.ssl.certChain", certChainPath)
+    conf.set("spark.ssl.trustStore", trustStorePath)
+    conf.set("spark.ssl.trustStorePassword", "password")
+    conf.set("spark.ssl.rpc.trustStoreReloadingEnabled", "true")
+    conf.set("spark.ssl.rpc.trustStoreReloadInterval", "20000")
+    conf.set("spark.ssl.rpc.openSslEnabled", "true")
+    conf.set("spark.ssl.enabledAlgorithms",
+      "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
+    conf.set("spark.ssl.rpc.enabledAlgorithms", "ABC, DEF")
+    conf.set("spark.ssl.protocol", "SSLv3")
+
+    val disabledDefaults = SSLOptions.parse(conf, hadoopConf, "spark.ssl", defaults = None)
+    val disabledOpts = SSLOptions.parse(
+      conf, hadoopConf, "spark.ssl.rpc", defaults = Some(disabledDefaults))
+
+    assert(disabledOpts.enabled === false)
+    assert(disabledOpts.port.isEmpty)
+
+    // Now enable it and test again
+    conf.set("spark.ssl.rpc.enabled", "true")
+    val defaultOpts = SSLOptions.parse(conf, hadoopConf, "spark.ssl", defaults = None)
+    val opts = SSLOptions.parse(conf, hadoopConf, "spark.ssl.rpc", defaults = Some(defaultOpts))
+
+    assert(opts.enabled === true)
+    assert(opts.port === Some(4242))
+    assert(opts.trustStore.isDefined)
+    assert(opts.trustStore.get.getName === "truststore")
+    assert(opts.trustStore.get.getAbsolutePath === trustStorePath)
+    assert(opts.privateKey.isDefined === true)
+    assert(opts.privateKey.get.getName === "key.pem")
+    assert(opts.privateKey.get.getAbsolutePath === privateKeyPath)
+    assert(opts.certChain.isDefined === true)
+    assert(opts.certChain.get.getName === "certchain.pem")
+    assert(opts.certChain.get.getAbsolutePath === certChainPath)
     assert(opts.keyStore.isDefined)
     assert(opts.keyStore.get.getName === "keystore")
     assert(opts.keyStore.get.getAbsolutePath === keyStorePath)
     assert(opts.trustStorePassword === Some("password"))
     assert(opts.keyStorePassword === Some("12345"))
     assert(opts.keyPassword === Some("password"))
+    assert(opts.trustStoreReloadingEnabled === true)
+    assert(opts.trustStoreReloadInterval === 20000)
+    assert(opts.openSslEnabled === true)
     assert(opts.protocol === Some("SSLv3"))
     assert(opts.enabledAlgorithms === Set("ABC", "DEF"))
   }
 
+
   test("SPARK-41719: Skip ssl sub-settings if ssl is disabled") {
     val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
     val conf = new SparkConf
@@ -169,6 +281,21 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.trustStore === Some(new File("val2")))
   }
 
+  test("get passwords from environment") {
+    val conf = new SparkConfWithEnv(Map(
+      SSLOptions.ENV_RPC_SSL_KEY_PASSWORD -> "val1",
+      SSLOptions.ENV_RPC_SSL_KEY_STORE_PASSWORD -> "val2",
+      SSLOptions.ENV_RPC_SSL_TRUST_STORE_PASSWORD -> "val3"))
+    val hadoopConf = new Configuration()
+
+    conf.set("spark.ssl.enabled", "true")
+
+    val opts = SSLOptions.parse(conf, hadoopConf, "spark.ssl", defaults = None)
+    assert(opts.keyPassword === Some("val1"))
+    assert(opts.keyStorePassword === Some("val2"))
+    assert(opts.trustStorePassword === Some("val3"))
+  }
+
   test("get password from Hadoop credential provider") {
     val keyStorePath = new File(this.getClass.getResource("/keystore").toURI).getAbsolutePath
     val trustStorePath = new File(this.getClass.getResource("/truststore").toURI).getAbsolutePath
diff --git a/core/src/test/scala/org/apache/spark/SparkConfSuite.scala b/core/src/test/scala/org/apache/spark/SparkConfSuite.scala
index 75e22e1418b4a..7d2b81f0dad79 100644
--- a/core/src/test/scala/org/apache/spark/SparkConfSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SparkConfSuite.scala
@@ -341,7 +341,7 @@ class SparkConfSuite extends SparkFunSuite with LocalSparkContext with ResetSyst
     }
   }
 
-  test("SPARK-26998: SSL configuration not needed on executors") {
+  test("SPARK-26998: SSL passwords not needed on executors") {
     val conf = new SparkConf(false)
     conf.set("spark.ssl.enabled", "true")
     conf.set("spark.ssl.keyPassword", "password")
@@ -349,7 +349,9 @@ class SparkConfSuite extends SparkFunSuite with LocalSparkContext with ResetSyst
     conf.set("spark.ssl.trustStorePassword", "password")
 
     val filtered = conf.getAll.filter { case (k, _) => SparkConf.isExecutorStartupConf(k) }
-    assert(filtered.isEmpty)
+    // Only the enabled flag should propagate
+    assert(filtered.length == 1)
+    assert(filtered(0)._1 == "spark.ssl.enabled")
   }
 
   test("SPARK-27244 toDebugString redacts sensitive information") {
diff --git a/core/src/test/scala/org/apache/spark/SslExternalShuffleServiceSuite.scala b/core/src/test/scala/org/apache/spark/SslExternalShuffleServiceSuite.scala
new file mode 100644
index 0000000000000..b4753e2090dfe
--- /dev/null
+++ b/core/src/test/scala/org/apache/spark/SslExternalShuffleServiceSuite.scala
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark
+
+import org.apache.spark.deploy.SparkHadoopUtil
+import org.apache.spark.internal.config
+import org.apache.spark.network.TransportContext
+import org.apache.spark.network.netty.SparkTransportConf
+import org.apache.spark.network.shuffle.ExternalBlockHandler
+import org.apache.spark.network.ssl.SslSampleConfigs
+
+
+/**
+ * This suite creates an external shuffle server and routes all shuffle fetches through it.
+ * Note that failures in this suite may arise due to changes in Spark that invalidate expectations
+ * set up in `ExternalShuffleBlockHandler`, such as changing the format of shuffle files or how
+ * we hash files into folders.
+ */
+class SslExternalShuffleServiceSuite extends ExternalShuffleServiceSuite {
+
+  override def initializeHandlers(): Unit = {
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    val hadoopConf = SparkHadoopUtil.get.newConfiguration(conf);
+    // Show that we can successfully inherit options defined in the `spark.ssl` namespace
+    val defaultSslOptions = SSLOptions.parse(conf, hadoopConf, "spark.ssl")
+    val sslOptions = SSLOptions.parse(
+      conf, hadoopConf, "spark.ssl.rpc", defaults = Some(defaultSslOptions))
+    val transportConf = SparkTransportConf.fromSparkConfWithSslOptions(
+      conf, "shuffle", numUsableCores = 2, sslOptions = Some(sslOptions))
+
+    rpcHandler = new ExternalBlockHandler(transportConf, null)
+    transportContext = new TransportContext(transportConf, rpcHandler)
+    server = transportContext.createServer()
+
+    conf.set(config.SHUFFLE_MANAGER, "sort")
+    conf.set(config.SHUFFLE_SERVICE_ENABLED, true)
+    conf.set(config.SHUFFLE_SERVICE_PORT, server.getPort)
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/SslShuffleNettySuite.scala b/core/src/test/scala/org/apache/spark/SslShuffleNettySuite.scala
new file mode 100644
index 0000000000000..9ab47e3e414b1
--- /dev/null
+++ b/core/src/test/scala/org/apache/spark/SslShuffleNettySuite.scala
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark
+
+import org.apache.spark.network.ssl.SslSampleConfigs
+class SslShuffleNettySuite extends ShuffleNettySuite {
+
+  override def beforeAll(): Unit = {
+    super.beforeAll()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/deploy/worker/CommandUtilsSuite.scala b/core/src/test/scala/org/apache/spark/deploy/worker/CommandUtilsSuite.scala
index 28e35bc8183ba..fc67de0f32209 100644
--- a/core/src/test/scala/org/apache/spark/deploy/worker/CommandUtilsSuite.scala
+++ b/core/src/test/scala/org/apache/spark/deploy/worker/CommandUtilsSuite.scala
@@ -21,8 +21,9 @@ import org.scalatest.PrivateMethodTester
 import org.scalatest.matchers.must.Matchers
 import org.scalatest.matchers.should.Matchers._
 
-import org.apache.spark.{SecurityManager, SparkConf, SparkFunSuite}
+import org.apache.spark.{SecurityManager, SparkConf, SparkFunSuite, SSLOptions}
 import org.apache.spark.deploy.Command
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.util.Utils
 
 class CommandUtilsSuite extends SparkFunSuite with Matchers with PrivateMethodTester {
@@ -68,4 +69,30 @@ class CommandUtilsSuite extends SparkFunSuite with Matchers with PrivateMethodTe
     assert(!cmd.javaOpts.exists(_.startsWith("-D" + SecurityManager.SPARK_AUTH_SECRET_CONF)))
     assert(cmd.environment(SecurityManager.ENV_AUTH_SECRET) === secret)
   }
+
+  test("SSL RPC passwords shouldn't appear in java opts") {
+    val buildLocalCommand = PrivateMethod[Command](Symbol("buildLocalCommand"))
+    val conf = new SparkConf
+    conf.set("spark.ssl.rpc.enabled", "true")
+
+    // This sets passwords
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMapForRpcNamespace()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+
+    val secret = "This is the secret sauce"
+    val command = Command("mainClass", Seq(), Map(), Seq(), Seq("lib"),
+      SSLOptions.SPARK_RPC_SSL_PASSWORD_FIELDS.map(
+        field => "-D" + field + "=" + secret
+      ))
+
+    conf.set(SecurityManager.SPARK_AUTH_CONF, "true")
+    val cmd = CommandUtils invokePrivate buildLocalCommand(
+      command, new SecurityManager(conf), (t: String) => t, Seq(), Map())
+    SSLOptions.SPARK_RPC_SSL_PASSWORD_FIELDS.foreach(
+      field => assert(!cmd.javaOpts.exists(_.startsWith("-D" + field)))
+    )
+    SSLOptions.SPARK_RPC_SSL_PASSWORD_ENVS.foreach(
+      env => assert(cmd.environment(env) === "password")
+    )
+  }
 }
diff --git a/core/src/test/scala/org/apache/spark/executor/CoarseGrainedExecutorBackendSuite.scala b/core/src/test/scala/org/apache/spark/executor/CoarseGrainedExecutorBackendSuite.scala
index 0dcc7c7f9b4cf..3b7177f70231d 100644
--- a/core/src/test/scala/org/apache/spark/executor/CoarseGrainedExecutorBackendSuite.scala
+++ b/core/src/test/scala/org/apache/spark/executor/CoarseGrainedExecutorBackendSuite.scala
@@ -38,6 +38,7 @@ import org.apache.spark._
 import org.apache.spark.TestUtils._
 import org.apache.spark.api.plugin.{DriverPlugin, ExecutorPlugin, PluginContext, SparkPlugin}
 import org.apache.spark.internal.config.PLUGINS
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.resource._
 import org.apache.spark.resource.ResourceUtils._
 import org.apache.spark.resource.TestResourceIDs._
@@ -52,8 +53,12 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
 
   implicit val formats = DefaultFormats
 
+  def createSparkConf(): SparkConf = {
+    new SparkConf()
+  }
+
   test("parsing no resources") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     val resourceProfile = ResourceProfile.getOrCreateDefaultProfile(conf)
     val serializer = new JavaSerializer(conf)
     val env = createMockEnv(conf, serializer)
@@ -75,7 +80,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
   }
 
   test("parsing one resource") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     conf.set(EXECUTOR_GPU_ID.amountConf, "2")
     val serializer = new JavaSerializer(conf)
     val env = createMockEnv(conf, serializer)
@@ -100,11 +105,11 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
     val ereqs = new ExecutorResourceRequests().resource(GPU, 2)
     ereqs.resource(FPGA, 3)
     val rp = rpBuilder.require(ereqs).build
-    testParsingMultipleResources(new SparkConf, rp)
+    testParsingMultipleResources(createSparkConf(), rp)
   }
 
   test("parsing multiple resources") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     conf.set(EXECUTOR_GPU_ID.amountConf, "2")
     conf.set(EXECUTOR_FPGA_ID.amountConf, "3")
     testParsingMultipleResources(conf, ResourceProfile.getOrCreateDefaultProfile(conf))
@@ -136,7 +141,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
   }
 
   test("error checking parsing resources and executor and task configs") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     conf.set(EXECUTOR_GPU_ID.amountConf, "2")
     val serializer = new JavaSerializer(conf)
     val env = createMockEnv(conf, serializer)
@@ -178,11 +183,11 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
     val ereqs = new ExecutorResourceRequests().resource(GPU, 4)
     val treqs = new TaskResourceRequests().resource(GPU, 1)
     val rp = rpBuilder.require(ereqs).require(treqs).build
-    testExecutorResourceFoundLessThanRequired(new SparkConf, rp)
+    testExecutorResourceFoundLessThanRequired(createSparkConf(), rp)
   }
 
   test("executor resource found less than required") {
-    val conf = new SparkConf()
+    val conf = createSparkConf()
     conf.set(EXECUTOR_GPU_ID.amountConf, "4")
     conf.set(TASK_GPU_ID.amountConf, "1")
     testExecutorResourceFoundLessThanRequired(conf, ResourceProfile.getOrCreateDefaultProfile(conf))
@@ -213,7 +218,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
   }
 
   test("use resource discovery") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     conf.set(EXECUTOR_FPGA_ID.amountConf, "3")
     assume(!(Utils.isWindows))
     withTempDir { dir =>
@@ -246,7 +251,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
       val ereqs = new ExecutorResourceRequests().resource(FPGA, 3, scriptPath)
       ereqs.resource(GPU, 2)
       val rp = rpBuilder.require(ereqs).build
-      allocatedFileAndConfigsResourceDiscoveryTestFpga(dir, new SparkConf, rp)
+      allocatedFileAndConfigsResourceDiscoveryTestFpga(dir, createSparkConf(), rp)
     }
   }
 
@@ -255,7 +260,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
     withTempDir { dir =>
       val scriptPath = createTempScriptWithExpectedOutput(dir, "fpgaDiscoverScript",
         """{"name": "fpga","addresses":["f1", "f2", "f3"]}""")
-      val conf = new SparkConf
+      val conf = createSparkConf()
       conf.set(EXECUTOR_FPGA_ID.amountConf, "3")
       conf.set(EXECUTOR_FPGA_ID.discoveryScriptConf, scriptPath)
       conf.set(EXECUTOR_GPU_ID.amountConf, "2")
@@ -289,7 +294,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
   }
 
   test("track allocated resources by taskId") {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     val securityMgr = new SecurityManager(conf)
     val serializer = new JavaSerializer(conf)
     var backend: CoarseGrainedExecutorBackend = null
@@ -389,7 +394,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
    * being executed in [[Executor.TaskRunner]].
    */
   test(s"Tasks launched should always be cancelled.")  {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     val securityMgr = new SecurityManager(conf)
     val serializer = new JavaSerializer(conf)
     val threadPool = ThreadUtils.newDaemonFixedThreadPool(32, "test-executor")
@@ -478,7 +483,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
    * it has not been launched yet.
    */
   test(s"Tasks not launched should always be cancelled.")  {
-    val conf = new SparkConf
+    val conf = createSparkConf()
     val securityMgr = new SecurityManager(conf)
     val serializer = new JavaSerializer(conf)
     val threadPool = ThreadUtils.newDaemonFixedThreadPool(32, "test-executor")
@@ -567,7 +572,7 @@ class CoarseGrainedExecutorBackendSuite extends SparkFunSuite
    * [[SparkUncaughtExceptionHandler]] and [[Executor]] can exit by itself.
    */
   test("SPARK-40320 Executor should exit when initialization failed for fatal error") {
-    val conf = new SparkConf()
+    val conf = createSparkConf()
       .setMaster("local-cluster[1, 1, 1024]")
       .set(PLUGINS, Seq(classOf[TestFatalErrorPlugin].getName))
       .setAppName("test")
@@ -628,3 +633,14 @@ private class TestErrorExecutorPlugin extends ExecutorPlugin {
     // scalastyle:on throwerror
   }
 }
+
+class SslCoarseGrainedExecutorBackendSuite extends CoarseGrainedExecutorBackendSuite
+  with LocalSparkContext with MockitoSugar {
+
+  override def createSparkConf(): SparkConf = {
+    val conf = super.createSparkConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/network/BlockTransferServiceSuite.scala b/core/src/test/scala/org/apache/spark/network/BlockTransferServiceSuite.scala
index d7e4b9166fa04..f9a1b778b4ea9 100644
--- a/core/src/test/scala/org/apache/spark/network/BlockTransferServiceSuite.scala
+++ b/core/src/test/scala/org/apache/spark/network/BlockTransferServiceSuite.scala
@@ -74,6 +74,8 @@ class BlockTransferServiceSuite extends SparkFunSuite with TimeLimits {
               override def release(): ManagedBuffer = this
 
               override def convertToNetty(): AnyRef = null
+
+              override def convertToNettyForSsl(): AnyRef = null
             }
             listener.onBlockFetchSuccess("block-id-unused", badBuffer)
           }
diff --git a/core/src/test/scala/org/apache/spark/network/netty/NettyBlockTransferSecuritySuite.scala b/core/src/test/scala/org/apache/spark/network/netty/NettyBlockTransferSecuritySuite.scala
index 85b05cd5f98fa..65c612ea94ba1 100644
--- a/core/src/test/scala/org/apache/spark/network/netty/NettyBlockTransferSecuritySuite.scala
+++ b/core/src/test/scala/org/apache/spark/network/netty/NettyBlockTransferSecuritySuite.scala
@@ -38,11 +38,20 @@ import org.apache.spark.internal.config.Network
 import org.apache.spark.network.{BlockDataManager, BlockTransferService}
 import org.apache.spark.network.buffer.{ManagedBuffer, NioManagedBuffer}
 import org.apache.spark.network.shuffle.BlockFetchingListener
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.serializer.{JavaSerializer, SerializerManager}
 import org.apache.spark.storage.{BlockId, ShuffleBlockId}
 import org.apache.spark.util.ThreadUtils
 
 class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar with Matchers {
+
+  private def sparkConfWithSsl(): SparkConf = {
+    val conf = new SparkConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+
   test("security default off") {
     val conf = new SparkConf()
       .set("spark.app.id", "app-id")
@@ -52,6 +61,17 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("ssl with cloned config") {
+    val conf = sparkConfWithSsl()
+      .set("spark.app.id", "app-id")
+    val conf1 = conf.clone
+
+    testConnection(conf, conf1) match {
+      case Success(_) => // expected
+      case Failure(t) => fail(t)
+    }
+  }
+
   test("security on same password") {
     val conf = new SparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
@@ -63,6 +83,17 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("security on same password with ssl") {
+    val conf = sparkConfWithSsl()
+      .set(NETWORK_AUTH_ENABLED, true)
+      .set(AUTH_SECRET, "good")
+      .set("spark.app.id", "app-id")
+    testConnection(conf, conf) match {
+      case Success(_) => // expected
+      case Failure(t) => fail(t)
+    }
+  }
+
   test("security on mismatch password") {
     val conf0 = new SparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
@@ -75,6 +106,19 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("security on mismatch password over ssl") {
+    val conf0 = sparkConfWithSsl()
+      .set(NETWORK_AUTH_ENABLED, true)
+      .set(AUTH_SECRET, "good")
+      .set("spark.app.id", "app-id")
+    val conf1 = conf0.clone.set(AUTH_SECRET, "bad")
+    // SSL takes precedence over auth, so this should pass
+    testConnection(conf0, conf1) match {
+      case Failure(t) => fail("Should have passed")
+      case Success(_) =>
+    }
+  }
+
   test("security mismatch auth off on server") {
     val conf0 = new SparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
@@ -87,6 +131,19 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("security mismatch auth off on server over ssl") {
+    val conf0 = sparkConfWithSsl()
+      .set(NETWORK_AUTH_ENABLED, true)
+      .set(AUTH_SECRET, "good")
+      .set("spark.app.id", "app-id")
+    val conf1 = conf0.clone.set(NETWORK_AUTH_ENABLED, false)
+    // SSL takes precedence over auth, so this should pass
+    testConnection(conf0, conf1) match {
+      case Failure(t) => fail("Should have passed")
+      case Success(_) =>
+    }
+  }
+
   test("security mismatch auth off on client") {
     val conf0 = new SparkConf()
       .set(NETWORK_AUTH_ENABLED, false)
@@ -99,6 +156,19 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("security mismatch auth off on client over ssl") {
+    val conf0 = sparkConfWithSsl()
+      .set(NETWORK_AUTH_ENABLED, false)
+      .set(AUTH_SECRET, "good")
+      .set("spark.app.id", "app-id")
+    val conf1 = conf0.clone.set(NETWORK_AUTH_ENABLED, true)
+    // SSL takes precedence over auth, so this should pass
+    testConnection(conf0, conf1) match {
+      case Failure(t) => fail("Should have passed")
+      case Success(_) =>
+    }
+  }
+
   test("security with aes encryption") {
     val conf = new SparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
@@ -112,6 +182,19 @@ class NettyBlockTransferSecuritySuite extends SparkFunSuite with MockitoSugar wi
     }
   }
 
+  test("security with aes encryption over ssl") {
+    val conf = sparkConfWithSsl()
+      .set(NETWORK_AUTH_ENABLED, true)
+      .set(AUTH_SECRET, "good")
+      .set("spark.app.id", "app-id")
+      .set(Network.NETWORK_CRYPTO_ENABLED, true)
+      .set(Network.NETWORK_CRYPTO_SASL_FALLBACK, false)
+    testConnection(conf, conf) match {
+      case Success(_) => // expected
+      case Failure(t) => fail(t)
+    }
+  }
+
 
   /**
    * Creates two servers with different configurations and sees if they can talk.
diff --git a/core/src/test/scala/org/apache/spark/rpc/RpcEnvSuite.scala b/core/src/test/scala/org/apache/spark/rpc/RpcEnvSuite.scala
index 6e5eb77322013..7b15bfd705cd6 100644
--- a/core/src/test/scala/org/apache/spark/rpc/RpcEnvSuite.scala
+++ b/core/src/test/scala/org/apache/spark/rpc/RpcEnvSuite.scala
@@ -44,9 +44,13 @@ abstract class RpcEnvSuite extends SparkFunSuite {
 
   var env: RpcEnv = _
 
+  def createSparkConf(): SparkConf = {
+    new SparkConf()
+  }
+
   override def beforeAll(): Unit = {
     super.beforeAll()
-    val conf = new SparkConf()
+    val conf = createSparkConf()
     env = createRpcEnv(conf, "local", 0)
 
     val sparkEnv = mock(classOf[SparkEnv])
@@ -93,7 +97,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0, clientMode = true)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef = anotherEnv.setupEndpointRef(env.address, "send-remotely")
     try {
@@ -145,7 +149,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0, clientMode = true)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef = anotherEnv.setupEndpointRef(env.address, "ask-remotely")
     try {
@@ -168,7 +172,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val conf = new SparkConf()
+    val conf = createSparkConf()
     val shortProp = "spark.rpc.short.timeout"
     val anotherEnv = createRpcEnv(conf, "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
@@ -198,7 +202,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val conf = new SparkConf()
+    val conf = createSparkConf()
     val shortProp = "spark.rpc.short.timeout"
     val anotherEnv = createRpcEnv(conf, "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
@@ -467,7 +471,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0, clientMode = true)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef = anotherEnv.setupEndpointRef(env.address, "sendWithReply-remotely")
     try {
@@ -507,7 +511,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0, clientMode = true)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef = anotherEnv.setupEndpointRef(env.address, "sendWithReply-remotely-error")
     try {
@@ -556,8 +560,8 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("network events in sever RpcEnv when another RpcEnv is in server mode") {
-    val serverEnv1 = createRpcEnv(new SparkConf(), "server1", 0, clientMode = false)
-    val serverEnv2 = createRpcEnv(new SparkConf(), "server2", 0, clientMode = false)
+    val serverEnv1 = createRpcEnv(createSparkConf(), "server1", 0, clientMode = false)
+    val serverEnv2 = createRpcEnv(createSparkConf(), "server2", 0, clientMode = false)
     val (_, events) = setupNetworkEndpoint(serverEnv1, "network-events")
     val (serverRef2, _) = setupNetworkEndpoint(serverEnv2, "network-events")
     try {
@@ -585,9 +589,9 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("network events in sever RpcEnv when another RpcEnv is in client mode") {
-    val serverEnv = createRpcEnv(new SparkConf(), "server", 0, clientMode = false)
+    val serverEnv = createRpcEnv(createSparkConf(), "server", 0, clientMode = false)
     val (serverRef, events) = setupNetworkEndpoint(serverEnv, "network-events")
-    val clientEnv = createRpcEnv(new SparkConf(), "client", 0, clientMode = true)
+    val clientEnv = createRpcEnv(createSparkConf(), "client", 0, clientMode = true)
     try {
       val serverRefInClient = clientEnv.setupEndpointRef(serverRef.address, serverRef.name)
       // Send a message to set up the connection
@@ -615,8 +619,8 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("network events in client RpcEnv when another RpcEnv is in server mode") {
-    val clientEnv = createRpcEnv(new SparkConf(), "client", 0, clientMode = true)
-    val serverEnv = createRpcEnv(new SparkConf(), "server", 0, clientMode = false)
+    val clientEnv = createRpcEnv(createSparkConf(), "client", 0, clientMode = true)
+    val serverEnv = createRpcEnv(createSparkConf(), "server", 0, clientMode = false)
     val (_, events) = setupNetworkEndpoint(clientEnv, "network-events")
     val (serverRef, _) = setupNetworkEndpoint(serverEnv, "network-events")
     try {
@@ -652,7 +656,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0, clientMode = true)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef =
       anotherEnv.setupEndpointRef(env.address, "sendWithReply-unserializable-error")
@@ -669,7 +673,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("port conflict") {
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", env.address.port)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", env.address.port)
     try {
       assert(anotherEnv.address.port != env.address.port)
     } finally {
@@ -729,20 +733,20 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("send with authentication") {
-    testSend(new SparkConf()
+    testSend(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good"))
   }
 
   test("send with SASL encryption") {
-    testSend(new SparkConf()
+    testSend(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good")
       .set(SASL_ENCRYPTION_ENABLED, true))
   }
 
   test("send with AES encryption") {
-    testSend(new SparkConf()
+    testSend(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good")
       .set(Network.NETWORK_CRYPTO_ENABLED, true)
@@ -750,20 +754,20 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   }
 
   test("ask with authentication") {
-    testAsk(new SparkConf()
+    testAsk(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good"))
   }
 
   test("ask with SASL encryption") {
-    testAsk(new SparkConf()
+    testAsk(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good")
       .set(SASL_ENCRYPTION_ENABLED, true))
   }
 
   test("ask with AES encryption") {
-    testAsk(new SparkConf()
+    testAsk(createSparkConf()
       .set(NETWORK_AUTH_ENABLED, true)
       .set(AUTH_SECRET, "good")
       .set(Network.NETWORK_CRYPTO_ENABLED, true)
@@ -861,7 +865,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   test("file server") {
     withTempDir { tempDir =>
       withTempDir { destDir =>
-        val conf = new SparkConf()
+        val conf = createSparkConf()
 
         val file = new File(tempDir, "file")
         Files.write(UUID.randomUUID().toString(), file, UTF_8)
@@ -940,7 +944,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
       }
     })
 
-    val anotherEnv = createRpcEnv(new SparkConf(), "remote", 0)
+    val anotherEnv = createRpcEnv(createSparkConf(), "remote", 0)
     val endpoint = mock(classOf[RpcEndpoint])
     anotherEnv.setupEndpoint("SPARK-14699", endpoint)
 
@@ -960,7 +964,7 @@ abstract class RpcEnvSuite extends SparkFunSuite {
   test("isolated endpoints") {
     val latch = new CountDownLatch(1)
     val singleThreadedEnv = createRpcEnv(
-      new SparkConf().set(Network.RPC_NETTY_DISPATCHER_NUM_THREADS, 1), "singleThread", 0)
+      createSparkConf().set(Network.RPC_NETTY_DISPATCHER_NUM_THREADS, 1), "singleThread", 0)
     try {
       val blockingEndpoint = singleThreadedEnv
         .setupEndpoint("blocking", new IsolatedThreadSafeRpcEndpoint {
diff --git a/core/src/test/scala/org/apache/spark/rpc/netty/NettyRpcEnvSuite.scala b/core/src/test/scala/org/apache/spark/rpc/netty/NettyRpcEnvSuite.scala
index fe6d0db837bda..0c4a4047ae713 100644
--- a/core/src/test/scala/org/apache/spark/rpc/netty/NettyRpcEnvSuite.scala
+++ b/core/src/test/scala/org/apache/spark/rpc/netty/NettyRpcEnvSuite.scala
@@ -26,6 +26,7 @@ import org.scalatestplus.mockito.MockitoSugar
 
 import org.apache.spark._
 import org.apache.spark.network.client.TransportClient
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.rpc._
 import org.apache.spark.util.ThreadUtils
 
@@ -53,7 +54,7 @@ class NettyRpcEnvSuite extends RpcEnvSuite with MockitoSugar with TimeLimits {
   }
 
   test("advertise address different from bind address") {
-    val sparkConf = new SparkConf()
+    val sparkConf = createSparkConf()
     val config = RpcEnvConfig(sparkConf, "test", "localhost", "example.com", 0,
       new SecurityManager(sparkConf), 0, false)
     val env = new NettyRpcEnvFactory().create(config)
@@ -95,7 +96,7 @@ class NettyRpcEnvSuite extends RpcEnvSuite with MockitoSugar with TimeLimits {
 
   test("StackOverflowError should be sent back and Dispatcher should survive") {
     val numUsableCores = 2
-    val conf = new SparkConf
+    val conf = createSparkConf()
     val config = RpcEnvConfig(
       conf,
       "test",
@@ -150,7 +151,7 @@ class NettyRpcEnvSuite extends RpcEnvSuite with MockitoSugar with TimeLimits {
           context.reply(msg)
       }
     })
-    val conf = new SparkConf()
+    val conf = createSparkConf()
     val anotherEnv = createRpcEnv(conf, "remote", 0, clientMode = true)
     // Use anotherEnv to find out the RpcEndpointRef
     val rpcEndpointRef = anotherEnv.setupEndpointRef(env.address, "ask-remotely-server")
@@ -180,3 +181,12 @@ class NettyRpcEnvSuite extends RpcEnvSuite with MockitoSugar with TimeLimits {
     }
   }
 }
+
+class SslNettyRpcEnvSuite extends NettyRpcEnvSuite with MockitoSugar with TimeLimits {
+  override def createSparkConf(): SparkConf = {
+    val conf = super.createSparkConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/shuffle/BlockStoreShuffleReaderSuite.scala b/core/src/test/scala/org/apache/spark/shuffle/BlockStoreShuffleReaderSuite.scala
index 56b8e0b6df3fd..9638558e3c930 100644
--- a/core/src/test/scala/org/apache/spark/shuffle/BlockStoreShuffleReaderSuite.scala
+++ b/core/src/test/scala/org/apache/spark/shuffle/BlockStoreShuffleReaderSuite.scala
@@ -43,6 +43,7 @@ class RecordingManagedBuffer(underlyingBuffer: NioManagedBuffer) extends Managed
   override def nioByteBuffer(): ByteBuffer = underlyingBuffer.nioByteBuffer()
   override def createInputStream(): InputStream = underlyingBuffer.createInputStream()
   override def convertToNetty(): AnyRef = underlyingBuffer.convertToNetty()
+  override def convertToNettyForSsl(): AnyRef = underlyingBuffer.convertToNettyForSsl()
 
   override def retain(): ManagedBuffer = {
     callsToRetain += 1
diff --git a/core/src/test/scala/org/apache/spark/shuffle/ShuffleBlockPusherSuite.scala b/core/src/test/scala/org/apache/spark/shuffle/ShuffleBlockPusherSuite.scala
index c8d89625dd833..febcddfef4e01 100644
--- a/core/src/test/scala/org/apache/spark/shuffle/ShuffleBlockPusherSuite.scala
+++ b/core/src/test/scala/org/apache/spark/shuffle/ShuffleBlockPusherSuite.scala
@@ -37,6 +37,7 @@ import org.apache.spark.network.buffer.ManagedBuffer
 import org.apache.spark.network.server.BlockPushNonFatalFailure
 import org.apache.spark.network.server.BlockPushNonFatalFailure.ReturnCode
 import org.apache.spark.network.shuffle.{BlockPushingListener, BlockStoreClient}
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.network.util.TransportConf
 import org.apache.spark.serializer.JavaSerializer
 import org.apache.spark.shuffle.ShuffleBlockPusher.PushRequest
@@ -53,9 +54,13 @@ class ShuffleBlockPusherSuite extends SparkFunSuite {
   private var conf: SparkConf = _
   private var pushedBlocks = new ArrayBuffer[String]
 
+  def createSparkConf(): SparkConf = {
+    new SparkConf(loadDefaults = false)
+  }
+
   override def beforeEach(): Unit = {
     super.beforeEach()
-    conf = new SparkConf(loadDefaults = false)
+    conf = createSparkConf()
     MockitoAnnotations.openMocks(this).close()
     when(dependency.shuffleId).thenReturn(0)
     when(dependency.partitioner).thenReturn(new HashPartitioner(8))
@@ -480,3 +485,12 @@ class ShuffleBlockPusherSuite extends SparkFunSuite {
     }
   }
 }
+
+class SslShuffleBlockPusherSuite extends ShuffleBlockPusherSuite {
+  override def createSparkConf(): SparkConf = {
+    val conf = super.createSparkConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/shuffle/sort/IndexShuffleBlockResolverSuite.scala b/core/src/test/scala/org/apache/spark/shuffle/sort/IndexShuffleBlockResolverSuite.scala
index 31b255cff7284..0108bf790ed50 100644
--- a/core/src/test/scala/org/apache/spark/shuffle/sort/IndexShuffleBlockResolverSuite.scala
+++ b/core/src/test/scala/org/apache/spark/shuffle/sort/IndexShuffleBlockResolverSuite.scala
@@ -28,6 +28,7 @@ import org.roaringbitmap.RoaringBitmap
 
 import org.apache.spark.{SparkConf, SparkFunSuite}
 import org.apache.spark.internal.config
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.shuffle.{IndexShuffleBlockResolver, ShuffleBlockInfo}
 import org.apache.spark.storage._
 import org.apache.spark.util.Utils
@@ -37,8 +38,12 @@ class IndexShuffleBlockResolverSuite extends SparkFunSuite {
   @Mock(answer = RETURNS_SMART_NULLS) private var blockManager: BlockManager = _
   @Mock(answer = RETURNS_SMART_NULLS) private var diskBlockManager: DiskBlockManager = _
 
+  def createSparkConf(): SparkConf = {
+    new SparkConf(loadDefaults = false)
+  }
+
   private var tempDir: File = _
-  private val conf: SparkConf = new SparkConf(loadDefaults = false)
+  private val conf: SparkConf = createSparkConf()
   private val appId = "TESTAPP"
 
   override def beforeEach(): Unit = {
@@ -275,3 +280,12 @@ class IndexShuffleBlockResolverSuite extends SparkFunSuite {
     assert(checksumsInMemory === checksumsFromFile)
   }
 }
+
+class SslIndexShuffleBlockResolverSuite extends IndexShuffleBlockResolverSuite {
+  override def createSparkConf(): SparkConf = {
+    val conf = super.createSparkConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
diff --git a/core/src/test/scala/org/apache/spark/storage/BlockManagerReplicationSuite.scala b/core/src/test/scala/org/apache/spark/storage/BlockManagerReplicationSuite.scala
index 38a669bc85744..1fbc900727c4c 100644
--- a/core/src/test/scala/org/apache/spark/storage/BlockManagerReplicationSuite.scala
+++ b/core/src/test/scala/org/apache/spark/storage/BlockManagerReplicationSuite.scala
@@ -50,7 +50,8 @@ trait BlockManagerReplicationBehavior extends SparkFunSuite
   with BeforeAndAfter
   with LocalSparkContext {
 
-  val conf: SparkConf
+  val conf: SparkConf = createConf()
+  protected def createConf(): SparkConf
 
   protected var rpcEnv: RpcEnv = null
   protected var master: BlockManagerMaster = null
@@ -459,15 +460,21 @@ trait BlockManagerReplicationBehavior extends SparkFunSuite
 }
 
 class BlockManagerReplicationSuite extends BlockManagerReplicationBehavior {
-  val conf = new SparkConf(false).set("spark.app.id", "test")
-  conf.set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
+  override def createConf(): SparkConf = {
+    new SparkConf(false)
+      .set("spark.app.id", "test")
+      .set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
+  }
 }
 
 class BlockManagerProactiveReplicationSuite extends BlockManagerReplicationBehavior {
-  val conf = new SparkConf(false).set("spark.app.id", "test")
-  conf.set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
-  conf.set(STORAGE_REPLICATION_PROACTIVE, true)
-  conf.set(STORAGE_EXCEPTION_PIN_LEAK, true)
+  override def createConf(): SparkConf = {
+    new SparkConf(false)
+      .set("spark.app.id", "test")
+      .set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
+      .set(STORAGE_REPLICATION_PROACTIVE, true)
+      .set(STORAGE_EXCEPTION_PIN_LEAK, true)
+  }
 
   (2 to 5).foreach { i =>
     test(s"proactive block replication - $i replicas - ${i - 1} block manager deletions") {
@@ -539,14 +546,17 @@ class DummyTopologyMapper(conf: SparkConf) extends TopologyMapper(conf) with Log
 }
 
 class BlockManagerBasicStrategyReplicationSuite extends BlockManagerReplicationBehavior {
-  val conf: SparkConf = new SparkConf(false).set("spark.app.id", "test")
-  conf.set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
-  conf.set(
-    STORAGE_REPLICATION_POLICY,
-    classOf[BasicBlockReplicationPolicy].getName)
-  conf.set(
-    STORAGE_REPLICATION_TOPOLOGY_MAPPER,
-    classOf[DummyTopologyMapper].getName)
+  override def createConf(): SparkConf = {
+    new SparkConf(false)
+      .set("spark.app.id", "test")
+      .set(Kryo.KRYO_SERIALIZER_BUFFER_SIZE.key, "1m")
+      .set(
+        STORAGE_REPLICATION_POLICY,
+        classOf[BasicBlockReplicationPolicy].getName)
+      .set(
+        STORAGE_REPLICATION_TOPOLOGY_MAPPER,
+        classOf[DummyTopologyMapper].getName)
+  }
 }
 
 // BlockReplicationPolicy to prioritize BlockManagers based on hostnames
diff --git a/core/src/test/scala/org/apache/spark/storage/SslBlockManagerReplicationSuite.scala b/core/src/test/scala/org/apache/spark/storage/SslBlockManagerReplicationSuite.scala
new file mode 100644
index 0000000000000..2d2b42a3f8e4c
--- /dev/null
+++ b/core/src/test/scala/org/apache/spark/storage/SslBlockManagerReplicationSuite.scala
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.storage
+
+import org.apache.spark.SparkConf
+import org.apache.spark.network.ssl.SslSampleConfigs
+
+class SslBlockManagerReplicationSuite extends BlockManagerReplicationSuite {
+  override def createConf(): SparkConf = {
+    val conf = super.createConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
+
+class SslBlockManagerProactiveReplicationSuite extends BlockManagerProactiveReplicationSuite {
+  override def createConf(): SparkConf = {
+    val conf = super.createConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
+
+class SslBlockManagerBasicStrategyReplicationSuite
+  extends BlockManagerBasicStrategyReplicationSuite {
+  override def createConf(): SparkConf = {
+    val conf = super.createConf()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => conf.set(entry.getKey, entry.getValue))
+    conf
+  }
+}
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 b/dev/deps/spark-deps-hadoop-3-hive-2.3
index 0ea9f076b3b7a..11999cf326cf3 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -195,6 +195,12 @@ netty-common/4.1.96.Final//netty-common-4.1.96.Final.jar
 netty-handler-proxy/4.1.96.Final//netty-handler-proxy-4.1.96.Final.jar
 netty-handler/4.1.96.Final//netty-handler-4.1.96.Final.jar
 netty-resolver/4.1.96.Final//netty-resolver-4.1.96.Final.jar
+netty-tcnative-boringssl-static/2.0.61.Final/linux-aarch_64/netty-tcnative-boringssl-static-2.0.61.Final-linux-aarch_64.jar
+netty-tcnative-boringssl-static/2.0.61.Final/linux-x86_64/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar
+netty-tcnative-boringssl-static/2.0.61.Final/osx-aarch_64/netty-tcnative-boringssl-static-2.0.61.Final-osx-aarch_64.jar
+netty-tcnative-boringssl-static/2.0.61.Final/osx-x86_64/netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar
+netty-tcnative-boringssl-static/2.0.61.Final/windows-x86_64/netty-tcnative-boringssl-static-2.0.61.Final-windows-x86_64.jar
+netty-tcnative-classes/2.0.61.Final//netty-tcnative-classes-2.0.61.Final.jar
 netty-transport-classes-epoll/4.1.96.Final//netty-transport-classes-epoll-4.1.96.Final.jar
 netty-transport-classes-kqueue/4.1.96.Final//netty-transport-classes-kqueue-4.1.96.Final.jar
 netty-transport-native-epoll/4.1.96.Final/linux-aarch_64/netty-transport-native-epoll-4.1.96.Final-linux-aarch_64.jar
diff --git a/docs/security.md b/docs/security.md
index 3c6fd507fec6d..5d273dd39a51e 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -209,6 +209,21 @@ The following table describes the different options available for configuring th
 </tr>
 </table>
 
+## SSL Encryption
+
+Spark supports SSL based encryption for RPC connections. Please refer to the SSL Configuration
+section below to understand how to configure it. The SSL settings are mostly similar across the UI 
+and RPC, however there are a few additional settings which are specific to the RPC implementation.
+The RPC implementation uses Netty under the hood (while the UI uses Jetty), which supports a
+different set of options.
+
+Unlike the other SSL settings for the UI, the RPC SSL is *not* automatically enabled if 
+`spark.ssl.enabled` is set. It must be explicitly enabled, to ensure a safe migration path for users
+upgrading Spark versions.
+
+The SSL encryption support supersedes the authentication and encryption settings mentioned
+earlier. If both are enabled, the SSL settings take precedence and the prior settings will be 
+disabled at runtime, and a warning message will be emitted.
 
 # Local Storage Encryption
 
@@ -437,8 +452,10 @@ application configurations will be ignored.
 Configuration for SSL is organized hierarchically. The user can configure the default SSL settings
 which will be used for all the supported communication protocols unless they are overwritten by
 protocol-specific settings. This way the user can easily provide the common settings for all the
-protocols without disabling the ability to configure each one individually. The following table
-describes the SSL configuration namespaces:
+protocols without disabling the ability to configure each one individually. Note that all settings 
+are inherited this way, *except* for `spark.ssl.rpc.enabled` which must be explicitly set.
+
+The following table describes the SSL configuration namespaces:
 
 <table class="table table-striped">
   <thead>
@@ -466,6 +483,10 @@ describes the SSL configuration namespaces:
     <td><code>spark.ssl.historyServer</code></td>
     <td>History Server Web UI</td>
   </tr>
+  <tr>
+    <td><code>spark.ssl.rpc</code></td>
+    <td>Spark RPC communication</td>
+  </tr>
 </table>
 
 The full breakdown of available SSL options can be found below. The `${ns}` placeholder should be
@@ -489,6 +510,8 @@ replaced with one of the above namespaces.
 
       <br />When not set, the SSL port will be derived from the non-SSL port for the
       same service. A value of "0" will make the service bind to an ephemeral port.
+
+      <br />This setting is not applicable to the `rpc` namespace.
     </td>
   </tr>
   <tr>
@@ -528,7 +551,7 @@ replaced with one of the above namespaces.
   <tr>
     <td><code>${ns}.keyStoreType</code></td>
     <td>JKS</td>
-    <td>The type of the key store.</td>
+    <td>The type of the key store. This setting is not applicable to the `rpc` namespace.</td>
   </tr>
   <tr>
     <td><code>${ns}.protocol</code></td>
@@ -545,7 +568,10 @@ replaced with one of the above namespaces.
   <tr>
     <td><code>${ns}.needClientAuth</code></td>
     <td>false</td>
-    <td>Whether to require client authentication.</td>
+    <td>
+      Whether to require client authentication. This setting is not applicable to the `rpc` 
+      namespace.
+    </td>
   </tr>
   <tr>
     <td><code>${ns}.trustStore</code></td>
@@ -563,7 +589,62 @@ replaced with one of the above namespaces.
   <tr>
     <td><code>${ns}.trustStoreType</code></td>
     <td>JKS</td>
-    <td>The type of the trust store.</td>
+    <td>The type of the trust store. This setting is not applicable to the `rpc` namespace.</td>
+  </tr>
+  <tr>
+    <td><code>${ns}.openSSLEnabled</code></td>
+    <td>JKS</td>
+    <td>
+      Whether to use OpenSSL for cryptographic operations instead of the JDK SSL provider.
+      This setting is only applicable to the `rpc` namespace, and also requires the `certChain`
+      and `privateKey` settings to be set.
+    </td>
+  </tr>
+  <tr>
+    <td><code>${ns}.privateKey</code></td>
+    <td>None</td>
+    <td>
+      Path to the private key file in PEM format. The path can be absolute or relative to the 
+      directory in which the process is started. 
+      This setting is only applicable to the `rpc` namespace, and is required when using the 
+      OpenSSL implementation.
+    </td>
+  </tr>
+  <tr>
+    <td><code>${ns}.certChain</code></td>
+    <td>None</td>
+    <td>
+      Path to the certificate chain file in PEM format. The path can be absolute or relative to the 
+      directory in which the process is started. 
+      This setting is only applicable to the `rpc` namespace, and is required when using the 
+      OpenSSL implementation.
+    </td>
+  </tr>
+  <tr>
+    <td><code>${ns}.trustStoreReloadingEnabled</code></td>
+    <td>None</td>
+    <td>
+      Whether the trust store should be reloaded periodically.
+      This setting is only applicable to the `rpc` namespace.
+    </td>
+  </tr>
+  <tr>
+    <td><code>${ns}.trustStoreReloadInterval</code></td>
+    <td>None</td>
+    <td>
+      The interval at which the trust store should be reloaded (in milliseconds).
+      This setting is only applicable to the `rpc` namespace.
+    </td>
+  </tr>
+  <tr>
+    <td><code>${ns}.dangerouslyFallbackIfKeysNotPresent</code></td>
+    <td>None</td>
+    <td>
+      Whether we should fall back to unencrypted connections if SSL is enabled but the required
+      key files are not present on the file system (instead of throwing a fatal error).
+      This setting is only applicable to the `rpc` namespace. This is a dangerous option and only
+      should be used under exceptional circumstances.
+    </td>
   </tr>
 </table>
 
diff --git a/pom.xml b/pom.xml
index 971cb07ea40ea..8941a2e4639e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -223,6 +223,7 @@
     <bouncycastle.version>1.70</bouncycastle.version>
     <tink.version>1.9.0</tink.version>
     <netty.version>4.1.96.Final</netty.version>
+    <netty-tcnative.version>2.0.61.Final</netty-tcnative.version>
     <!--
     If you are changing Arrow version specification, please check
     ./python/pyspark/sql/pandas/utils.py, and ./python/setup.py too.
@@ -930,6 +931,30 @@
         <version>${netty.version}</version>
         <classifier>osx-x86_64</classifier>
       </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty-tcnative.version}</version>
+        <classifier>linux-x86_64</classifier>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty-tcnative.version}</version>
+        <classifier>linux-aarch_64</classifier>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty-tcnative.version}</version>
+        <classifier>osx-aarch_64</classifier>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty-tcnative.version}</version>
+        <classifier>osx-x86_64</classifier>
+      </dependency>
       <!-- Netty End -->
 
       <dependency>
diff --git a/resource-managers/mesos/pom.xml b/resource-managers/mesos/pom.xml
index 29c341f8c3525..e7a7342bf3026 100644
--- a/resource-managers/mesos/pom.xml
+++ b/resource-managers/mesos/pom.xml
@@ -54,6 +54,13 @@
       <type>test-jar</type>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.spark</groupId>
+      <artifactId>spark-network-common_${scala.binary.version}</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
 
     <dependency>
       <groupId>org.apache.mesos</groupId>
diff --git a/resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackend.scala b/resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackend.scala
index e5a6a5f1ef166..063bd6c1770e7 100644
--- a/resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackend.scala
+++ b/resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackend.scala
@@ -172,7 +172,8 @@ private[spark] class MesosCoarseGrainedSchedulerBackend(
   // This method is factored out for testability
   protected def getShuffleClient(): MesosExternalBlockStoreClient = {
     new MesosExternalBlockStoreClient(
-      SparkTransportConf.fromSparkConf(conf, "shuffle"),
+      SparkTransportConf.fromSparkConfWithSslOptions(
+        conf, "shuffle", sslOptions = Some(securityManager.getSSLOptions("rpc"))),
       securityManager,
       securityManager.isAuthenticationEnabled(),
       conf.get(config.SHUFFLE_REGISTRATION_TIMEOUT))
diff --git a/resource-managers/mesos/src/test/resources/certchain.pem b/resource-managers/mesos/src/test/resources/certchain.pem
new file mode 100644
index 0000000000000..1004cacc9bf9a
--- /dev/null
+++ b/resource-managers/mesos/src/test/resources/certchain.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQD7yXTHZWZZlDANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0EwHhcNMjMwNjIwMTczMjAzWhcNMzMwNjE3MTczMjAzWjAa
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDH4DO8IP/7xZgpzmYrBaqzsnpamq54cXP8JdQUOXP/dmh8myGg
+CUau/nNdpPNr1Od2iUvf1Z9OW+KcHdNAL/zcwe1ehU3d6/M+UinDtfbEb4HSyQ31
+9AIlPSUq+pJAlsAGJYERLGHPBNXEay0r0+TR0cd9CfSN79rXUMag40pZC3zdxXmY
+JpSkhNuiYfa+Z9TgXoki5MzNiyH12gAb9tO8tr55BnE5s/QujOp7LMjlf6VkE7Bp
+hqj1UbcHmFw7U9jyLDfi98uIvlEDFCwXARdmLxxaYAOqdgZ3TtjBvbugVRpRFQiw
+haFzkiok9bh+MclKQBKvF0ArHmMLHkcCd5oPAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBADYIPLwlnuH6rTbkjeZFYC2UXjNesbUe1TXbsBo9DDHJUSFjNNDDAUpSzhxb
+q6nMvex7tnTvTjAgOQR/qwAueAfcXHWe0EKvn4Y6yJERepSsYg5bSYBt+UJxW89R
+JRLmzBFxEJy1YhsqGCh+I2wRoRz8ZGokDyqcrAlwlzXYVDfNC4wUo14Cm+s90yc3
+2I/roX/MWec8QbEbr25psAYVnRdUL1mzCeQMc83A8Y0SDPfF5ECFhvFXkVaDTULO
+RddXWJoC4K5RuGa6yvpb75I8VTE3fwE2ykSgPuMShNZREDCuszkpPjjFumq9pCOJ
+nUO1huCqjxC1ehPe/9/jgmzoVX4=
+-----END CERTIFICATE-----
diff --git a/resource-managers/mesos/src/test/resources/key.pem b/resource-managers/mesos/src/test/resources/key.pem
new file mode 100644
index 0000000000000..77122755bfdaf
--- /dev/null
+++ b/resource-managers/mesos/src/test/resources/key.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQIGBIe7ugOgfACAggABIIEyJgkzYc/ixcvwLJC
+eTzGOVwk+F1cqM4H63FOxIjroaxisceqoBmty6Rf4PJ1C9nprkSs6G/SkupbNUUB
+YiWmsQ91orllbHsczAc+qaa0tmommwgt27ZrfXdXBxDB0mJWQTijkVHWfyTqcXmC
+oeWlvTFsilA4CoVakryZQScl3qH/aN5zazg9gjx2xNCRwFexeccC7TqICJkPtnJC
++6wrSby2A9HlJs/MdtYyhfN360GDKvQygnw+wQj+san8EV5s7I7b45SsdEx5vOxP
++AKc6h7loWJkLrJFqDGtfqY/TY76t+sQpinS7R3sA4uYaT1bIx8Feu0GcIbnr3NS
+54St9hNfOgEDmWKFj0ZmMTEISOujj8hNTKYdc0Z/dx/+izqNCuLEXiJjLDIPxfRJ
+EfeYG0/4fBxdeZgIwIVVsUXX4eSzXhguuiwulNhRkUzKhH9aNrp1fw5t0hgsJOPx
+O8Y2sAtDL6KUHx+rt0ejrHYXK1+BOUCHcZiHCGmLCCQlrcX5TWDYPkhtrbtbxS6m
+p9aVxq7pcyxelVlUBXtWeYvcOHGueEd7QQL16uYbhrTHFIwx2Pw//LNIgyJTBNu7
+hxm2jica15PaALtSsYDRhsE9VkWawW9AXeBWOnEj7YKrT5ejrQLI9eCxtolRbVNd
+gSR5r7MQkPssjCU+pdsCl98e0mxVnq8eMDtZYSIDGLEyPfJNCsxDanzUuxSfBP8K
+cIDzREINA/QiuhyGxxBB8dR6k+kl1LNVy8FA7RYAe84MLW2wuaFMQirMDtTLo/Wt
+/AatxW4WKlCvfd/nC8O5xlzmF5qffhgmS8xYDL/w1G3Uxo21dA4gGipH9uw91wqi
+YaSidtcVs6JbHpUddmO5AiEiSBbbwqNgaOxNdur1WYWZHDNWvCKL9sqQy/HtDLHy
+Tzyuw8GtrpB2BKfWWwbAApqvjcqgjitEXk2Nw/L3qWfWmVStP9ys5rz27UWRhMFi
+Go/HrVh7heOxK16ei5tp2OyRLSfDBZ7+IlpbbnR26BPdBE08cuBo/ELOfifnYTTS
+V4CKLMiG7RxtdAddkFKO+GgNW1nNHppBBhJzDvuBcFuUfB+AdnymZTlA8RFha7aW
+zwtg6I1ABdMGPn+wzMhkkutDtSCWpkBRddJPcB1mwmRdp/2WC3NxuaMQX3anQG36
+9m2sxWUmT8ZLGvFDHIwGbRPT5zzcvIJV/xhZdCxhg/7tgLikBZBB8TmtDBck+wq+
+DPIEQkr4rObCi9xphSpHvPBGhdI5v8xbKEGLcPzVMW0hjaHouvQipEXC+ASrn/sG
+nytZkyt1DD8KG27wlcrDl/RDCcjNvlKkgKPme3pPsDcD+qX+eqjQ4OM9AexW+VLZ
+ZUa84/Fh6yjbuPF3vtCVRwFJURzhKMVG3Fcs7C3iczCOUNDOar9k0yCrmbACF9Wm
+kSD5lXPXe1fFq0xi21Isuz+FH4A5CR/tHc2i+avQhYs9FvaqzLiaNmLaZKrhX5uy
+dJXYtLruhgwBjv4eo6GXm8/WHFG6r4iaq6NEimQoT41MH+uJr9nAiBWg397JoHpG
+jheCZDpZBAVuEz8NUdWP7mu64DQsjKeY6okwMlXlcSUKlMnx8QCtEMTj/JF7E7dT
+bHYe30+OIWl3X88v9Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/resource-managers/mesos/src/test/resources/keystore b/resource-managers/mesos/src/test/resources/keystore
new file mode 100644
index 0000000000000000000000000000000000000000..f8310e39ba1e07c7559e5724f522c06ca47f5787
GIT binary patch
literal 2247
zcmchYc{J1uAI9f5Gt8i|P1&wBlPn{@Y0#AI+9uMFEKS|9bCt<Vma)doSW;mK$yzZL
zMhPuL63H$jWsTBxE5;02B9g9i&-=dTp40#DAI~4p=dbU1&U2pcrf^dTfk2>J0{)TM
zX}X`!>67%Z@GWAuh_Ft8Kt!M*6TS&bii+!r0&qYVDgyu_5I7UgZ~dLDFFKbbe4NJ>
z8h*OOS9N;OWepcs>OGoE=zuk2V{*wI)Z_e}>Z@^h>_v>&7v=eK%-(UR|F2)6ifSZm
zB{$HW8@=O<)XbNH;_wk=FeM$Bjfx=?s>^D9Zr#6WTzln-!DYFW$=EZVD(3K>jS96w
z-f`E>K|`eE2uJ#EUlg%5TBw+iWJz5iySD{o5{Ul(C)@&^f0t&B->D-6`JH0%@@;s@
zjMngAG004|Ao+Z!S-#o>U%j;FhYZ-6+Sr%89Pdns-=>tD<cjKLOEFw$W`Y7iJ*w@l
z{<)#9NQ_z4oL%jGClKweSk8K2b+MsshLSJE(dK>GRpP7IeZ?->$L-DANQrdWKTa;0
zluk^040v;S@5DL7!>L;M8&vwCZAjLK*vpGqYx~-VYZs+3mb>>RYt{axVJiP>$3Y|}
zz*eB_iPWr6Tc->>lU_2dn3A0UZrr!p`Ly9<<lc^`K}#n@@RG4qeTf{LV8Z^btG&_y
zGFSDwx3u{?r_3fn<t}&jk;8XJ!R)ZkpEIXW!B{Hg%&{rMhKG*OsZqs+<0IiZRN6GG
z)Nyb;BKE6D+i7*x8|9Ch?J#Ckm}fQl?Kn2O$Xu@%qn|o&?<S3kz<ULPf|rby?x3+m
zt+T<2gXj`Y$EU{DK6BrOA6(b#yk#Fn=hp28<eCIEEr<9BMg}yIy^}Wd+_oK`6?C9S
zMLt@$jA)Md@FMcW$CbhxCi!}*U)7IThxXctyouJP1Raj2m{qRMN~*EHdRbL<Hyam5
znJQ!+ZVDv|Vl@xVt+lY96y$tka9lAm!Fzh1h4jS86Kgz4X??d`rro%ME5|hK$qmU_
zYExs4G?_3|W8^}(Tf_(5wZ{fZ1u;XUZ^a&q6d&i`cIQgIo-cmbU<6pY*lQ!Rv-V#K
zb>%d%n&X#yvmACj3LY^dq?e=FaqJ!`fkB(%M!T4bA&bADq%;%h1-L)a{YF#I>*n5;
zXt7P-gtHyc-1yawv9;te^CLkar+P2}c`q>)=Cwt62se##oHtS0qXNZJW*YMjnTYe|
z1W+lZjRJ<oix>NxO-J~$3RTEpZS0TIp!w}_nOBXJ>YGGE1!<NnYgKh^XFog_VFoT$
z`_~*TpS)Ia?ZP@fM8sD2>=AA8t_d9vGYswy&Plo@H7BgF?Rr;IN}~I_OZ5AE?Xc>e
zduB^$Zl^0#&4F^xR^%KivoAj*R)05F<5T{9#!cLae!D`i$@(i5VdKPs;vD6ow-Pa0
zmfi>Du&L;*jI`*2mxHbvy2C)a@EF^M?KmG1vd1J;hO<00q<gYyWYEfRIN1|-F~%X~
z`{Hc?NwSk6swt3?GGNGyHctaA4D>{Ea0+F@!vpWZUoIem_pk7QGFApU$XWEZyP!S$
zy2#@wW_snjaE*mkb%s`~Ur~W0n&f9pXRDv9^a`mg8=d@ECh_CSHJ#du`ah#SxB9W1
z-p<Aj%6OF|2tj234Hxe$GBqPntjPDm(SFo{EAsCUG^i2vjP2B#_GaK`^H-ieT6X(x
zS%jR?E3^~1=gOsS>b!}YxjkPKt*mOLDS3IRD~MerwrgiggePgez$MStIAG30Vaz+z
znP5Kohc09y*(6S=bZ0;6*@CtY{i164xeX%S<NYU9!e#a8FkhEy+Zbu)Rd(?|<0wMj
zV+8JpKwz;T6BY?Fp<dTvPyh;rJ0Bq31W}@5x+!)kt0(}F5P^WFanf6p33G#sq7iO1
zDvcgV`!7NML=Zm_@t=sqPXzWq0;<ZRaE3S#B<#iGK)m6JEo%hgK;!?||MN9WVCTQ%
z*!mVQCLjd?nSeNy2>_5pQfMC@N!nO0wH%Xtuc`Uu_?pnpJ3cKSbR^Nesz@fkeg8K_
zTJ35i8GW{Bgm&Uy_A)8Ar>TC8<!?Hg5>0v~KUm51AD4|t?pz-*InPU(xFwfe7aK@-
z&`sYxAFsV#57|9oUhntf^%Ms6?u7Ik>%Ezi3GO{ccd<h=6x`H>$K+?Z=*8-c9HP#s
zOrXfNhRKwkI)1xzMcTvsXTrA@mGdnR9#$e8BDNj1us(Rjp^I@0JHr=J9h*keYb@4`
zEbRm4_$*5QRieRoP)JDy&5{>VVsBkDRg>0s_n`ei%|c)v!>9n^H~H}eLNotr3B^*=
z{jjq6yqK``^Vn@D41fS-8lW1evegh3Nw^$*J9JmC0%UznnvdunEUWXJm7jB#`FDt0
zo!SZ!fDlyn__i1(A!8e5JfGHGYq#O59PYAPUd^G9FA4GLhdQU@y3_KivZwp9e#sjZ
z1)6E~Py4647bJ-*g&tbSSqXlAo`|VY0-a#1EcqqpmY_MpMl0!c@gNTqd?DPoAC6{F
zX#Czw>93?(`H$;NoCL46jICSrt~xR}wNV^~dn<|;)#U(7hP$oGOzs-~AvLGK&g0zM
zw^?bP=4NGFJ3;N}QsShyk0XSs?LW@9d~Sxj?AVZ{pOtdaJ7!gP>dq$(AFE$ic(QF_
zMtzQi_+9hZzoOnZ-qFt&6a;ssvcmgs))|WiZVphZ+9n#oo9dzuTg|>3rcC)~XD4Ad
ZwPrecI^>>DS9jrYAM6Ze@sCox{su3o&c*-$

literal 0
HcmV?d00001

diff --git a/resource-managers/mesos/src/test/resources/truststore b/resource-managers/mesos/src/test/resources/truststore
new file mode 100644
index 0000000000000000000000000000000000000000..a6b1d46e1f391995553771665934518114892962
GIT binary patch
literal 957
zcmezO_TO6u1_mY|W(3omIr+(nIT`uIB|s66PaJ187+53pObsj<7?`UKnwZNCnwa7j
zFf%bSF|h<%`7Sl!W#iOp^Jx3d%gD&h%3zRVC}6<H#vIDRCd?k1mz|eio(B`*zz|`_
z5aGfQ;l>bQhKm@;iSrto7#bK@7#SNH7@I@^xuyn&24+w$on6z!sDvCGjI0dIO^o~u
z22G4yOihf849&hp=Zrag|9n~Gc#H3$vhv=@pKm=9>UvU(ZZwCjnIky!nB{NDyiMQB
zBZO<_+{laCF!_t`)YJQR{_Ib&x!G3fds+PIs-~1XLS?NdeqFL|Ki_tDnb_pb)#>@(
zTD|J;>oi2PIZoZR+nId!%3~GY`%wb7osA|uXbd}Tx=!cX%NWDQox39rO%?vMzHf?~
z=1swLR-RoC+D>nNbu4gY&$gL|-rloc_5R@2ZL8S5%Xot9o!zH-pDYd6dHL#Xw%@*+
zy&LU+nmT%>zI)Xlb76*?{++DCc`NfA&lk?~bl&)QW6#lb?w*%6eoUWUYC4NO`N6ZZ
z?8-A|%!_eU4)c+*d(ZiH(T7{hnV1<F7#AxV$Q#H4Q-~}dix`Utlj<1>hF?DgUa_CL
zx_EQkYw>r1g2;ggOjE!>WMr_A)k`{P(!x=_M=);x=K055cF6ji^!W09N=!ueTVn;U
z6EA8{^-Nzg`Ng@3($jCUF&@a<x&Ok8Qy=-<zRiwR<9N;eYUXrS8`H*o3s)JwuTz%2
zIZ)=J)^cU;)$=O3oh3;ZScFSs@?M?k?!C-^_|@*s*8Xp<sF^t*)Sls2x_VQ^>e8^o
zyyq)UdNa4Ognk!%pnCm3|2v5#(^qdW|F_DnC)CMo)7|XjC#6>R9=pT-w&U3U_Jbb|
zump?#5z4RO57rKM+MK!exniP|!?*K7M~h9*`B~JdzSntD@o>*t-I;G@<(}y1FS)RE
zvl(0Zzf0L`j^5p4uvCF<+hN<kCT)*XCQokB`M3FKhO0_L)r)TtxgK7R-&#o=x-kg=
DWo>hw

literal 0
HcmV?d00001

diff --git a/resource-managers/mesos/src/test/resources/untrusted-keystore b/resource-managers/mesos/src/test/resources/untrusted-keystore
new file mode 100644
index 0000000000000000000000000000000000000000..6015b02caa12817721fca3a83c8e58338b6d9aeb
GIT binary patch
literal 2246
zcmchYS5VUl7sc~W0)Ye-=~4xxg#Zav3<BbYq7-2TvQiAPfJ;JCiUxxasvxL<St&|0
zfK(+A5Qvn}r37$LK$=LC4og#Hm)ZHgot^Q0AI{9Zzo$EA&YXL&e6S1xfxw3X{uVFE
z&)to5-S1}LAu->8z3~KrxBxU2`W=0g8?MR?KmjE9H~?^gpj7C>T*;?*E%{fv1t#2A
zw<uTn^PFy?W0TjZ)1+so^L_N9y<xMp{xNOW6eBSu`Nw42<<ExjnGwct1$Mo7r)NCW
z4R)nH{$}D!2{>mzrvHqay1&t+Fi_Z+)w1n4H+Y%AMXJ&rSoCSXIQW|Hr+fhOC{~-z
zRlY#ibR-jPTxR#)AT!BEO?ezTUwe>&ocp&K#iX4G4x}&l;Dj))1SC+yocOHP<E%NV
zQS!hQ(?@y!J70d9$&l*}MjR)zQE@36diUMf3NIaHC(m});MI~95!cxDM*0E*OX<t8
z6+7;6EW7OOYSCSs(Fc;H(WGrNbjmdWm`aJbdz>Kcyd#4h$$Ysx{PW2wSrMAGjmd{>
zmZKc2Dyf?4ujwLhFCx*5Hx~U|Z)4cF@ukC(ds5*mRqTjW<hM2lY|#3UYbjq%tYEC}
z)6zbbR9?h@9zN6Q-isG?iyhO}t!wFup!YJS&sOz}VNvIY$<_O~lXGdki4zw$97V7z
zj{Q%wc85NiS}8+F;L-q3@`kvVd&+9S{a;Y5QCY)M@Gh>ZQ!rEzURPjf;fj^#543K+
z!ssm8re)p<nag8a&g6D@cy$#BzNfh{iNP^ENv(UhfUJOT&0nmg1)VC1X(4I`^v{92
z3k3Jp{we-T7b@8t)h{-#iZe(yQbJxh2V?THkdy2wb)z>qzo9BLWxDF++<UKQ4YM95
z#>xd2(u`*)aHlZZpG29)-s8jv^L!<=2n_lp*^DBVw#MvPDYjjU59hk-*=5ySF?<g;
zRZR}u*VtrFx^!Irb^VT6r-I}bKHRkhB>;vN-zN<FFW+8xsyms3dufmD>ZGbmhBK9h
zT^c^=AHxzXuw5SuT_j1a9=(n&J?~VzvG}qlOYj8&6PtlOG82v{Ls5creeldHDY=n}
z6NS98Hi+3%9-T{Nl<}Y`*yL)P*pyGtkkOKUx$aHwg>deSRCRDu3S_Bt*qYqP;^=vW
z>Sial$32p`22-|}%Wtf09n<D{)ynKi|CAtg`udG)&V3iph2We(0~XOCR>6kxR~g&{
z;kf$;?1pyH#legE8IIWJMw1!v9A-Bq$dIyn#d<qpt2oiTwX<Ml2{G@X8vAH<Kyt6E
zGhs*ZA|Ry0xse9hbP1E_>=DTZcOxsMZN<8A29U{XY8FE^^?*t(;Wc9KRLxuFXiP-G
z>e>s*`P%O)W#bh}MOrv+{^3tN%a_tNb9D8h>-eF{WYv1B{AL3=1%=#OJh|?KR$7@~
zM1%siVBJLAn~Pz$VnIy*@}LG*a&*qN<%mI`Z<UYf_s34HcjxuUvS;VglINe;ns&X*
z8mvnYB1(BO5c?10K%$GATJl>Qi8>jN6Bzl5(ULw7YAmA5UoEllgU<Gy!UK`5*>Du`
zAewV|((5eVYOO+`<3sL2d)BS_Mok%KAB6q1*Jc7zF$H5nC_yMo`6_U&c?)aPk4b$z
zk=~H8I#D$8!fS_4;uOVeZ*ca0M>wc+><Xl@Q5P5@@u~GWapDb+i!~YA&5a>X_;202
zht3{zS6QTZ`z}%LI2uqFW?YIRHI*33>s?|kWxkxSkI|mB{+aCe>R$D#3C_eDcm?~4
z04*s~%RJne@gR@YM1zFG)0DX;`R-ZeVAqWJ<toEi7Qfr=Gj?<*^YXvDkqfV`gVqOu
zAfad~Bm_+bU(JSq0WcU!x*ql$`Up2KGR8b+=Li5GxIkzUhX1fJA@)#iL72TS(bq4;
z_y2_F2Lk(nz<(f!9|+_hf|eFNg3-pH(Wf=FFc`G%mBUpBeK`DY{g1Dq0&@Sh<M3HP
zsK7B0nhL<dQ~&@yEJ6f8MqJ)(O0eES5lVrPMwQKeHsbiu&*NdAK&fuG+ieLjGww^X
z*5L-wN@kLApo+kS6^EOXle1^(!XoIQ6yuIk{`I&`>izOR@=|SzH@w)|jt`!(`wOVk
zU(Gc+<B#}9{Q~tL>3x6OSUy2;rv#hrK`;koo{3~F+?Lz<_V{4;1#8arvZ&0V8@AqY
z%gOfdX610i{YAs|(!9Q+SL{EgzRT#t9JFQIGR2S`6VaKXbv2cJ2H)BOR*n|BK8B>J
zu4T{_d4E~Njm&*(N{Lz*K3`qRFrPLYtX(hoRRuEpLT4<dPn48=qGo1;+DR!=`>Gjc
z7p!#ttliZeFa!Vrd9r93wA5ijq>e&GphCV$=V%&Tr1x)APN~~@unO~heb4>d#KTM-
znh1b2&I@^pv~P&tiq}$Qc2}5{Y1K+f=lfqETn=T3E>iK(`_W8&jcZK}2tO)n$}*DS
zW9s~&EeO=mYgrtHq(vr!#h3NAy`7YJ8V0q&`(N)hb2~hoF87PZRGUk~lN{xCT(jsw
z;Yp@T1SAT~KqTCb3a(cP)&1DNK4h=JduK2)s(9XTV?-4(76KO@#|t*-6s2Dl=w}?&
z`IEOv)DCjYr5eow*?MXh8OBgmy;!t>iQ6;NbaZ0pfS*It8}lB6l1(9$AdKemI=5q_
z{7jO%*zS`ZmPK|=YMq+2r-Np*`16dZu!n^|WkFZrL^nhKO<UWS!WwEQf7a-$W)tGG
VOI=$`4oZ<Jmfv_H%^$uo{ueBW-1z_i

literal 0
HcmV?d00001

diff --git a/resource-managers/mesos/src/test/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackendSuite.scala b/resource-managers/mesos/src/test/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackendSuite.scala
index 2b7272a490376..79b65ddd869cc 100644
--- a/resource-managers/mesos/src/test/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackendSuite.scala
+++ b/resource-managers/mesos/src/test/scala/org/apache/spark/scheduler/cluster/mesos/MesosCoarseGrainedSchedulerBackendSuite.scala
@@ -34,6 +34,7 @@ import org.apache.spark.{LocalSparkContext, SecurityManager, SparkConf, SparkCon
 import org.apache.spark.deploy.mesos.{config => mesosConfig}
 import org.apache.spark.internal.config._
 import org.apache.spark.network.shuffle.mesos.MesosExternalBlockStoreClient
+import org.apache.spark.network.ssl.SslSampleConfigs
 import org.apache.spark.resource.ResourceProfile
 import org.apache.spark.rpc.{RpcAddress, RpcEndpointRef}
 import org.apache.spark.scheduler.TaskSchedulerImpl
@@ -46,7 +47,7 @@ class MesosCoarseGrainedSchedulerBackendSuite extends SparkFunSuite
     with BeforeAndAfter
     with ScalaFutures {
 
-  private var sparkConf: SparkConf = _
+  protected var sparkConf: SparkConf = _
   private var driver: SchedulerDriver = _
   private var taskScheduler: TaskSchedulerImpl = _
   private var backend: MesosCoarseGrainedSchedulerBackend = _
@@ -807,7 +808,7 @@ class MesosCoarseGrainedSchedulerBackendSuite extends SparkFunSuite
     backend
   }
 
-  private def initializeSparkConf(
+  protected def initializeSparkConf(
     sparkConfVars: Map[String, String] = null,
     home: String = "/path"): Unit = {
     sparkConf = (new SparkConf)
@@ -841,3 +842,13 @@ class MesosCoarseGrainedSchedulerBackendSuite extends SparkFunSuite
     backend = createSchedulerBackend(taskScheduler, driver, externalShuffleClient)
   }
 }
+
+class SslMesosCoarseGrainedSchedulerBackendSuite extends MesosCoarseGrainedSchedulerBackendSuite {
+  override def initializeSparkConf(
+    sparkConfVars: Map[String, String] = null,
+    home: String = "/path"): Unit = {
+    super.initializeSparkConf(sparkConfVars, home)
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMap()
+    updatedConfigs.entrySet().forEach(entry => sparkConf.set(entry.getKey, entry.getValue))
+  }
+}
diff --git a/resource-managers/yarn/pom.xml b/resource-managers/yarn/pom.xml
index e58ab1ea25050..6071d557b5a56 100644
--- a/resource-managers/yarn/pom.xml
+++ b/resource-managers/yarn/pom.xml
@@ -91,6 +91,13 @@
       <type>test-jar</type>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.spark</groupId>
+      <artifactId>spark-network-common_${scala.binary.version}</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-client-api</artifactId>
diff --git a/resource-managers/yarn/src/test/resources/certchain.pem b/resource-managers/yarn/src/test/resources/certchain.pem
new file mode 100644
index 0000000000000..1004cacc9bf9a
--- /dev/null
+++ b/resource-managers/yarn/src/test/resources/certchain.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQD7yXTHZWZZlDANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0EwHhcNMjMwNjIwMTczMjAzWhcNMzMwNjE3MTczMjAzWjAa
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDH4DO8IP/7xZgpzmYrBaqzsnpamq54cXP8JdQUOXP/dmh8myGg
+CUau/nNdpPNr1Od2iUvf1Z9OW+KcHdNAL/zcwe1ehU3d6/M+UinDtfbEb4HSyQ31
+9AIlPSUq+pJAlsAGJYERLGHPBNXEay0r0+TR0cd9CfSN79rXUMag40pZC3zdxXmY
+JpSkhNuiYfa+Z9TgXoki5MzNiyH12gAb9tO8tr55BnE5s/QujOp7LMjlf6VkE7Bp
+hqj1UbcHmFw7U9jyLDfi98uIvlEDFCwXARdmLxxaYAOqdgZ3TtjBvbugVRpRFQiw
+haFzkiok9bh+MclKQBKvF0ArHmMLHkcCd5oPAgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBADYIPLwlnuH6rTbkjeZFYC2UXjNesbUe1TXbsBo9DDHJUSFjNNDDAUpSzhxb
+q6nMvex7tnTvTjAgOQR/qwAueAfcXHWe0EKvn4Y6yJERepSsYg5bSYBt+UJxW89R
+JRLmzBFxEJy1YhsqGCh+I2wRoRz8ZGokDyqcrAlwlzXYVDfNC4wUo14Cm+s90yc3
+2I/roX/MWec8QbEbr25psAYVnRdUL1mzCeQMc83A8Y0SDPfF5ECFhvFXkVaDTULO
+RddXWJoC4K5RuGa6yvpb75I8VTE3fwE2ykSgPuMShNZREDCuszkpPjjFumq9pCOJ
+nUO1huCqjxC1ehPe/9/jgmzoVX4=
+-----END CERTIFICATE-----
diff --git a/resource-managers/yarn/src/test/resources/key.pem b/resource-managers/yarn/src/test/resources/key.pem
new file mode 100644
index 0000000000000..77122755bfdaf
--- /dev/null
+++ b/resource-managers/yarn/src/test/resources/key.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQIGBIe7ugOgfACAggABIIEyJgkzYc/ixcvwLJC
+eTzGOVwk+F1cqM4H63FOxIjroaxisceqoBmty6Rf4PJ1C9nprkSs6G/SkupbNUUB
+YiWmsQ91orllbHsczAc+qaa0tmommwgt27ZrfXdXBxDB0mJWQTijkVHWfyTqcXmC
+oeWlvTFsilA4CoVakryZQScl3qH/aN5zazg9gjx2xNCRwFexeccC7TqICJkPtnJC
++6wrSby2A9HlJs/MdtYyhfN360GDKvQygnw+wQj+san8EV5s7I7b45SsdEx5vOxP
++AKc6h7loWJkLrJFqDGtfqY/TY76t+sQpinS7R3sA4uYaT1bIx8Feu0GcIbnr3NS
+54St9hNfOgEDmWKFj0ZmMTEISOujj8hNTKYdc0Z/dx/+izqNCuLEXiJjLDIPxfRJ
+EfeYG0/4fBxdeZgIwIVVsUXX4eSzXhguuiwulNhRkUzKhH9aNrp1fw5t0hgsJOPx
+O8Y2sAtDL6KUHx+rt0ejrHYXK1+BOUCHcZiHCGmLCCQlrcX5TWDYPkhtrbtbxS6m
+p9aVxq7pcyxelVlUBXtWeYvcOHGueEd7QQL16uYbhrTHFIwx2Pw//LNIgyJTBNu7
+hxm2jica15PaALtSsYDRhsE9VkWawW9AXeBWOnEj7YKrT5ejrQLI9eCxtolRbVNd
+gSR5r7MQkPssjCU+pdsCl98e0mxVnq8eMDtZYSIDGLEyPfJNCsxDanzUuxSfBP8K
+cIDzREINA/QiuhyGxxBB8dR6k+kl1LNVy8FA7RYAe84MLW2wuaFMQirMDtTLo/Wt
+/AatxW4WKlCvfd/nC8O5xlzmF5qffhgmS8xYDL/w1G3Uxo21dA4gGipH9uw91wqi
+YaSidtcVs6JbHpUddmO5AiEiSBbbwqNgaOxNdur1WYWZHDNWvCKL9sqQy/HtDLHy
+Tzyuw8GtrpB2BKfWWwbAApqvjcqgjitEXk2Nw/L3qWfWmVStP9ys5rz27UWRhMFi
+Go/HrVh7heOxK16ei5tp2OyRLSfDBZ7+IlpbbnR26BPdBE08cuBo/ELOfifnYTTS
+V4CKLMiG7RxtdAddkFKO+GgNW1nNHppBBhJzDvuBcFuUfB+AdnymZTlA8RFha7aW
+zwtg6I1ABdMGPn+wzMhkkutDtSCWpkBRddJPcB1mwmRdp/2WC3NxuaMQX3anQG36
+9m2sxWUmT8ZLGvFDHIwGbRPT5zzcvIJV/xhZdCxhg/7tgLikBZBB8TmtDBck+wq+
+DPIEQkr4rObCi9xphSpHvPBGhdI5v8xbKEGLcPzVMW0hjaHouvQipEXC+ASrn/sG
+nytZkyt1DD8KG27wlcrDl/RDCcjNvlKkgKPme3pPsDcD+qX+eqjQ4OM9AexW+VLZ
+ZUa84/Fh6yjbuPF3vtCVRwFJURzhKMVG3Fcs7C3iczCOUNDOar9k0yCrmbACF9Wm
+kSD5lXPXe1fFq0xi21Isuz+FH4A5CR/tHc2i+avQhYs9FvaqzLiaNmLaZKrhX5uy
+dJXYtLruhgwBjv4eo6GXm8/WHFG6r4iaq6NEimQoT41MH+uJr9nAiBWg397JoHpG
+jheCZDpZBAVuEz8NUdWP7mu64DQsjKeY6okwMlXlcSUKlMnx8QCtEMTj/JF7E7dT
+bHYe30+OIWl3X88v9Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/resource-managers/yarn/src/test/resources/keystore b/resource-managers/yarn/src/test/resources/keystore
new file mode 100644
index 0000000000000000000000000000000000000000..f8310e39ba1e07c7559e5724f522c06ca47f5787
GIT binary patch
literal 2247
zcmchYc{J1uAI9f5Gt8i|P1&wBlPn{@Y0#AI+9uMFEKS|9bCt<Vma)doSW;mK$yzZL
zMhPuL63H$jWsTBxE5;02B9g9i&-=dTp40#DAI~4p=dbU1&U2pcrf^dTfk2>J0{)TM
zX}X`!>67%Z@GWAuh_Ft8Kt!M*6TS&bii+!r0&qYVDgyu_5I7UgZ~dLDFFKbbe4NJ>
z8h*OOS9N;OWepcs>OGoE=zuk2V{*wI)Z_e}>Z@^h>_v>&7v=eK%-(UR|F2)6ifSZm
zB{$HW8@=O<)XbNH;_wk=FeM$Bjfx=?s>^D9Zr#6WTzln-!DYFW$=EZVD(3K>jS96w
z-f`E>K|`eE2uJ#EUlg%5TBw+iWJz5iySD{o5{Ul(C)@&^f0t&B->D-6`JH0%@@;s@
zjMngAG004|Ao+Z!S-#o>U%j;FhYZ-6+Sr%89Pdns-=>tD<cjKLOEFw$W`Y7iJ*w@l
z{<)#9NQ_z4oL%jGClKweSk8K2b+MsshLSJE(dK>GRpP7IeZ?->$L-DANQrdWKTa;0
zluk^040v;S@5DL7!>L;M8&vwCZAjLK*vpGqYx~-VYZs+3mb>>RYt{axVJiP>$3Y|}
zz*eB_iPWr6Tc->>lU_2dn3A0UZrr!p`Ly9<<lc^`K}#n@@RG4qeTf{LV8Z^btG&_y
zGFSDwx3u{?r_3fn<t}&jk;8XJ!R)ZkpEIXW!B{Hg%&{rMhKG*OsZqs+<0IiZRN6GG
z)Nyb;BKE6D+i7*x8|9Ch?J#Ckm}fQl?Kn2O$Xu@%qn|o&?<S3kz<ULPf|rby?x3+m
zt+T<2gXj`Y$EU{DK6BrOA6(b#yk#Fn=hp28<eCIEEr<9BMg}yIy^}Wd+_oK`6?C9S
zMLt@$jA)Md@FMcW$CbhxCi!}*U)7IThxXctyouJP1Raj2m{qRMN~*EHdRbL<Hyam5
znJQ!+ZVDv|Vl@xVt+lY96y$tka9lAm!Fzh1h4jS86Kgz4X??d`rro%ME5|hK$qmU_
zYExs4G?_3|W8^}(Tf_(5wZ{fZ1u;XUZ^a&q6d&i`cIQgIo-cmbU<6pY*lQ!Rv-V#K
zb>%d%n&X#yvmACj3LY^dq?e=FaqJ!`fkB(%M!T4bA&bADq%;%h1-L)a{YF#I>*n5;
zXt7P-gtHyc-1yawv9;te^CLkar+P2}c`q>)=Cwt62se##oHtS0qXNZJW*YMjnTYe|
z1W+lZjRJ<oix>NxO-J~$3RTEpZS0TIp!w}_nOBXJ>YGGE1!<NnYgKh^XFog_VFoT$
z`_~*TpS)Ia?ZP@fM8sD2>=AA8t_d9vGYswy&Plo@H7BgF?Rr;IN}~I_OZ5AE?Xc>e
zduB^$Zl^0#&4F^xR^%KivoAj*R)05F<5T{9#!cLae!D`i$@(i5VdKPs;vD6ow-Pa0
zmfi>Du&L;*jI`*2mxHbvy2C)a@EF^M?KmG1vd1J;hO<00q<gYyWYEfRIN1|-F~%X~
z`{Hc?NwSk6swt3?GGNGyHctaA4D>{Ea0+F@!vpWZUoIem_pk7QGFApU$XWEZyP!S$
zy2#@wW_snjaE*mkb%s`~Ur~W0n&f9pXRDv9^a`mg8=d@ECh_CSHJ#du`ah#SxB9W1
z-p<Aj%6OF|2tj234Hxe$GBqPntjPDm(SFo{EAsCUG^i2vjP2B#_GaK`^H-ieT6X(x
zS%jR?E3^~1=gOsS>b!}YxjkPKt*mOLDS3IRD~MerwrgiggePgez$MStIAG30Vaz+z
znP5Kohc09y*(6S=bZ0;6*@CtY{i164xeX%S<NYU9!e#a8FkhEy+Zbu)Rd(?|<0wMj
zV+8JpKwz;T6BY?Fp<dTvPyh;rJ0Bq31W}@5x+!)kt0(}F5P^WFanf6p33G#sq7iO1
zDvcgV`!7NML=Zm_@t=sqPXzWq0;<ZRaE3S#B<#iGK)m6JEo%hgK;!?||MN9WVCTQ%
z*!mVQCLjd?nSeNy2>_5pQfMC@N!nO0wH%Xtuc`Uu_?pnpJ3cKSbR^Nesz@fkeg8K_
zTJ35i8GW{Bgm&Uy_A)8Ar>TC8<!?Hg5>0v~KUm51AD4|t?pz-*InPU(xFwfe7aK@-
z&`sYxAFsV#57|9oUhntf^%Ms6?u7Ik>%Ezi3GO{ccd<h=6x`H>$K+?Z=*8-c9HP#s
zOrXfNhRKwkI)1xzMcTvsXTrA@mGdnR9#$e8BDNj1us(Rjp^I@0JHr=J9h*keYb@4`
zEbRm4_$*5QRieRoP)JDy&5{>VVsBkDRg>0s_n`ei%|c)v!>9n^H~H}eLNotr3B^*=
z{jjq6yqK``^Vn@D41fS-8lW1evegh3Nw^$*J9JmC0%UznnvdunEUWXJm7jB#`FDt0
zo!SZ!fDlyn__i1(A!8e5JfGHGYq#O59PYAPUd^G9FA4GLhdQU@y3_KivZwp9e#sjZ
z1)6E~Py4647bJ-*g&tbSSqXlAo`|VY0-a#1EcqqpmY_MpMl0!c@gNTqd?DPoAC6{F
zX#Czw>93?(`H$;NoCL46jICSrt~xR}wNV^~dn<|;)#U(7hP$oGOzs-~AvLGK&g0zM
zw^?bP=4NGFJ3;N}QsShyk0XSs?LW@9d~Sxj?AVZ{pOtdaJ7!gP>dq$(AFE$ic(QF_
zMtzQi_+9hZzoOnZ-qFt&6a;ssvcmgs))|WiZVphZ+9n#oo9dzuTg|>3rcC)~XD4Ad
ZwPrecI^>>DS9jrYAM6Ze@sCox{su3o&c*-$

literal 0
HcmV?d00001

diff --git a/resource-managers/yarn/src/test/resources/truststore b/resource-managers/yarn/src/test/resources/truststore
new file mode 100644
index 0000000000000000000000000000000000000000..a6b1d46e1f391995553771665934518114892962
GIT binary patch
literal 957
zcmezO_TO6u1_mY|W(3omIr+(nIT`uIB|s66PaJ187+53pObsj<7?`UKnwZNCnwa7j
zFf%bSF|h<%`7Sl!W#iOp^Jx3d%gD&h%3zRVC}6<H#vIDRCd?k1mz|eio(B`*zz|`_
z5aGfQ;l>bQhKm@;iSrto7#bK@7#SNH7@I@^xuyn&24+w$on6z!sDvCGjI0dIO^o~u
z22G4yOihf849&hp=Zrag|9n~Gc#H3$vhv=@pKm=9>UvU(ZZwCjnIky!nB{NDyiMQB
zBZO<_+{laCF!_t`)YJQR{_Ib&x!G3fds+PIs-~1XLS?NdeqFL|Ki_tDnb_pb)#>@(
zTD|J;>oi2PIZoZR+nId!%3~GY`%wb7osA|uXbd}Tx=!cX%NWDQox39rO%?vMzHf?~
z=1swLR-RoC+D>nNbu4gY&$gL|-rloc_5R@2ZL8S5%Xot9o!zH-pDYd6dHL#Xw%@*+
zy&LU+nmT%>zI)Xlb76*?{++DCc`NfA&lk?~bl&)QW6#lb?w*%6eoUWUYC4NO`N6ZZ
z?8-A|%!_eU4)c+*d(ZiH(T7{hnV1<F7#AxV$Q#H4Q-~}dix`Utlj<1>hF?DgUa_CL
zx_EQkYw>r1g2;ggOjE!>WMr_A)k`{P(!x=_M=);x=K055cF6ji^!W09N=!ueTVn;U
z6EA8{^-Nzg`Ng@3($jCUF&@a<x&Ok8Qy=-<zRiwR<9N;eYUXrS8`H*o3s)JwuTz%2
zIZ)=J)^cU;)$=O3oh3;ZScFSs@?M?k?!C-^_|@*s*8Xp<sF^t*)Sls2x_VQ^>e8^o
zyyq)UdNa4Ognk!%pnCm3|2v5#(^qdW|F_DnC)CMo)7|XjC#6>R9=pT-w&U3U_Jbb|
zump?#5z4RO57rKM+MK!exniP|!?*K7M~h9*`B~JdzSntD@o>*t-I;G@<(}y1FS)RE
zvl(0Zzf0L`j^5p4uvCF<+hN<kCT)*XCQokB`M3FKhO0_L)r)TtxgK7R-&#o=x-kg=
DWo>hw

literal 0
HcmV?d00001

diff --git a/resource-managers/yarn/src/test/resources/untrusted-keystore b/resource-managers/yarn/src/test/resources/untrusted-keystore
new file mode 100644
index 0000000000000000000000000000000000000000..6015b02caa12817721fca3a83c8e58338b6d9aeb
GIT binary patch
literal 2246
zcmchYS5VUl7sc~W0)Ye-=~4xxg#Zav3<BbYq7-2TvQiAPfJ;JCiUxxasvxL<St&|0
zfK(+A5Qvn}r37$LK$=LC4og#Hm)ZHgot^Q0AI{9Zzo$EA&YXL&e6S1xfxw3X{uVFE
z&)to5-S1}LAu->8z3~KrxBxU2`W=0g8?MR?KmjE9H~?^gpj7C>T*;?*E%{fv1t#2A
zw<uTn^PFy?W0TjZ)1+so^L_N9y<xMp{xNOW6eBSu`Nw42<<ExjnGwct1$Mo7r)NCW
z4R)nH{$}D!2{>mzrvHqay1&t+Fi_Z+)w1n4H+Y%AMXJ&rSoCSXIQW|Hr+fhOC{~-z
zRlY#ibR-jPTxR#)AT!BEO?ezTUwe>&ocp&K#iX4G4x}&l;Dj))1SC+yocOHP<E%NV
zQS!hQ(?@y!J70d9$&l*}MjR)zQE@36diUMf3NIaHC(m});MI~95!cxDM*0E*OX<t8
z6+7;6EW7OOYSCSs(Fc;H(WGrNbjmdWm`aJbdz>Kcyd#4h$$Ysx{PW2wSrMAGjmd{>
zmZKc2Dyf?4ujwLhFCx*5Hx~U|Z)4cF@ukC(ds5*mRqTjW<hM2lY|#3UYbjq%tYEC}
z)6zbbR9?h@9zN6Q-isG?iyhO}t!wFup!YJS&sOz}VNvIY$<_O~lXGdki4zw$97V7z
zj{Q%wc85NiS}8+F;L-q3@`kvVd&+9S{a;Y5QCY)M@Gh>ZQ!rEzURPjf;fj^#543K+
z!ssm8re)p<nag8a&g6D@cy$#BzNfh{iNP^ENv(UhfUJOT&0nmg1)VC1X(4I`^v{92
z3k3Jp{we-T7b@8t)h{-#iZe(yQbJxh2V?THkdy2wb)z>qzo9BLWxDF++<UKQ4YM95
z#>xd2(u`*)aHlZZpG29)-s8jv^L!<=2n_lp*^DBVw#MvPDYjjU59hk-*=5ySF?<g;
zRZR}u*VtrFx^!Irb^VT6r-I}bKHRkhB>;vN-zN<FFW+8xsyms3dufmD>ZGbmhBK9h
zT^c^=AHxzXuw5SuT_j1a9=(n&J?~VzvG}qlOYj8&6PtlOG82v{Ls5creeldHDY=n}
z6NS98Hi+3%9-T{Nl<}Y`*yL)P*pyGtkkOKUx$aHwg>deSRCRDu3S_Bt*qYqP;^=vW
z>Sial$32p`22-|}%Wtf09n<D{)ynKi|CAtg`udG)&V3iph2We(0~XOCR>6kxR~g&{
z;kf$;?1pyH#legE8IIWJMw1!v9A-Bq$dIyn#d<qpt2oiTwX<Ml2{G@X8vAH<Kyt6E
zGhs*ZA|Ry0xse9hbP1E_>=DTZcOxsMZN<8A29U{XY8FE^^?*t(;Wc9KRLxuFXiP-G
z>e>s*`P%O)W#bh}MOrv+{^3tN%a_tNb9D8h>-eF{WYv1B{AL3=1%=#OJh|?KR$7@~
zM1%siVBJLAn~Pz$VnIy*@}LG*a&*qN<%mI`Z<UYf_s34HcjxuUvS;VglINe;ns&X*
z8mvnYB1(BO5c?10K%$GATJl>Qi8>jN6Bzl5(ULw7YAmA5UoEllgU<Gy!UK`5*>Du`
zAewV|((5eVYOO+`<3sL2d)BS_Mok%KAB6q1*Jc7zF$H5nC_yMo`6_U&c?)aPk4b$z
zk=~H8I#D$8!fS_4;uOVeZ*ca0M>wc+><Xl@Q5P5@@u~GWapDb+i!~YA&5a>X_;202
zht3{zS6QTZ`z}%LI2uqFW?YIRHI*33>s?|kWxkxSkI|mB{+aCe>R$D#3C_eDcm?~4
z04*s~%RJne@gR@YM1zFG)0DX;`R-ZeVAqWJ<toEi7Qfr=Gj?<*^YXvDkqfV`gVqOu
zAfad~Bm_+bU(JSq0WcU!x*ql$`Up2KGR8b+=Li5GxIkzUhX1fJA@)#iL72TS(bq4;
z_y2_F2Lk(nz<(f!9|+_hf|eFNg3-pH(Wf=FFc`G%mBUpBeK`DY{g1Dq0&@Sh<M3HP
zsK7B0nhL<dQ~&@yEJ6f8MqJ)(O0eES5lVrPMwQKeHsbiu&*NdAK&fuG+ieLjGww^X
z*5L-wN@kLApo+kS6^EOXle1^(!XoIQ6yuIk{`I&`>izOR@=|SzH@w)|jt`!(`wOVk
zU(Gc+<B#}9{Q~tL>3x6OSUy2;rv#hrK`;koo{3~F+?Lz<_V{4;1#8arvZ&0V8@AqY
z%gOfdX610i{YAs|(!9Q+SL{EgzRT#t9JFQIGR2S`6VaKXbv2cJ2H)BOR*n|BK8B>J
zu4T{_d4E~Njm&*(N{Lz*K3`qRFrPLYtX(hoRRuEpLT4<dPn48=qGo1;+DR!=`>Gjc
z7p!#ttliZeFa!Vrd9r93wA5ijq>e&GphCV$=V%&Tr1x)APN~~@unO~heb4>d#KTM-
znh1b2&I@^pv~P&tiq}$Qc2}5{Y1K+f=lfqETn=T3E>iK(`_W8&jcZK}2tO)n$}*DS
zW9s~&EeO=mYgrtHq(vr!#h3NAy`7YJ8V0q&`(N)hb2~hoF87PZRGUk~lN{xCT(jsw
z;Yp@T1SAT~KqTCb3a(cP)&1DNK4h=JduK2)s(9XTV?-4(76KO@#|t*-6s2Dl=w}?&
z`IEOv)DCjYr5eow*?MXh8OBgmy;!t>iQ6;NbaZ0pfS*It8}lB6l1(9$AdKemI=5q_
z{7jO%*zS`ZmPK|=YMq+2r-Np*`16dZu!n^|WkFZrL^nhKO<UWS!WwEQf7a-$W)tGG
VOI=$`4oZ<Jmfv_H%^$uo{ueBW-1z_i

literal 0
HcmV?d00001

diff --git a/resource-managers/yarn/src/test/scala/org/apache/spark/network/yarn/SslYarnShuffleServiceSuite.scala b/resource-managers/yarn/src/test/scala/org/apache/spark/network/yarn/SslYarnShuffleServiceSuite.scala
new file mode 100644
index 0000000000000..41a4331ab1e4f
--- /dev/null
+++ b/resource-managers/yarn/src/test/scala/org/apache/spark/network/yarn/SslYarnShuffleServiceSuite.scala
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.spark.network.yarn
+
+import org.apache.spark.network.ssl.SslSampleConfigs
+
+class SslYarnShuffleServiceWithRocksDBBackendSuite
+  extends YarnShuffleServiceWithRocksDBBackendSuite {
+
+  /**
+   * Override to add "spark.ssl.rpc.*" configuration parameters...
+   */
+  override def beforeEach(): Unit = {
+    super.beforeEach()
+    val updatedConfigs = SslSampleConfigs.createDefaultConfigMapForRpcNamespace()
+    updatedConfigs.entrySet().forEach(entry => yarnConfig.set(entry.getKey, entry.getValue))
+  }
+}

From f0f058b9bac27123faf9e36534b1aadb204557a7 Mon Sep 17 00:00:00 2001
From: Hasnain Lakhani <hasnain.lakhani@databricks.com>
Date: Fri, 25 Aug 2023 13:52:52 -0700
Subject: [PATCH 2/3] typo

---
 .../main/java/org/apache/spark/network/ssl/SSLFactory.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
index 35ada9a57bc42..88f547de3bcab 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
@@ -462,9 +462,9 @@ private static String[] enabledCipherSuites(
       "TLS_AES_128_GCM_SHA256",
       "TLS_AES_256_GCM_SHA384",
       // Next we have the TLS1.2 ciphers for intermediate compatibility (since JDK8 does not
-      // support TLS1.2)
+      // support TLS1.3)
       "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
       "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
       "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",

From cd6810fb62287bc972279defaaaebf090bb3dfbe Mon Sep 17 00:00:00 2001
From: Hasnain Lakhani <hasnain.lakhani@databricks.com>
Date: Sun, 27 Aug 2023 20:39:08 -0700
Subject: [PATCH 3/3] follow style guide for flag

---
 .../apache/spark/network/TransportContext.java   |  2 +-
 .../org/apache/spark/network/ssl/SSLFactory.java | 14 +++++++-------
 .../apache/spark/network/util/TransportConf.java |  4 ++--
 .../src/test/java/TransportConfSuite.java        |  4 ++--
 .../spark/network/ssl/SslSampleConfigs.java      |  4 ++--
 .../main/scala/org/apache/spark/SSLOptions.scala | 16 ++++++++--------
 .../scala/org/apache/spark/SSLOptionsSuite.scala | 16 ++++++++--------
 docs/security.md                                 |  2 +-
 8 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java b/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
index 696061c08cc20..81900270e2e01 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/TransportContext.java
@@ -270,7 +270,7 @@ private SSLFactory createSslFactory() {
             conf.sslRpcTrustStore(),
             conf.sslRpcTrustStorePassword(),
             conf.sslRpcTrustStoreReloadingEnabled(),
-            conf.sslRpcTrustStoreReloadInterval())
+            conf.sslRpctrustStoreReloadIntervalMs())
           .build();
       } else {
         if (conf.sslRpcDangerouslyFallbackIfKeysNotPresent()) {
diff --git a/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
index 88f547de3bcab..183aa3c7f2e1f 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/ssl/SSLFactory.java
@@ -91,7 +91,7 @@ private void initJdkSslContext(final Builder b)
     this.keyManagers = keyManagers(b.keyStore, b.keyStorePassword);
     this.trustManagers = trustStoreManagers(
       b.trustStore, b.trustStorePassword,
-      b.trustStoreReloadingEnabled, b.trustStoreReloadInterval
+      b.trustStoreReloadingEnabled, b.trustStoreReloadIntervalMs
     );
     this.jdkSslContext = createSSLContext(requestedProtocol, keyManagers, trustManagers);
   }
@@ -162,7 +162,7 @@ public static class Builder {
     private File trustStore;
     private String trustStorePassword;
     private boolean trustStoreReloadingEnabled;
-    private int trustStoreReloadInterval;
+    private int trustStoreReloadIntervalMs;
     private boolean openSslEnabled;
 
     /**
@@ -249,16 +249,16 @@ public Builder openSslEnabled(boolean enabled) {
      * @param trustStore
      * @param trustStorePassword
      * @param trustStoreReloadingEnabled
-     * @param trustStoreReloadInterval
+     * @param trustStoreReloadIntervalMs
      * @return
      */
     public Builder trustStore(
         File trustStore, String trustStorePassword,
-        boolean trustStoreReloadingEnabled, int trustStoreReloadInterval) {
+        boolean trustStoreReloadingEnabled, int trustStoreReloadIntervalMs) {
       this.trustStore = trustStore;
       this.trustStorePassword = trustStorePassword;
       this.trustStoreReloadingEnabled = trustStoreReloadingEnabled;
-      this.trustStoreReloadInterval = trustStoreReloadInterval;
+      this.trustStoreReloadIntervalMs = trustStoreReloadIntervalMs;
       return this;
     }
 
@@ -369,7 +369,7 @@ public X509Certificate[] getAcceptedIssuers() {
 
   private static TrustManager[] trustStoreManagers(
       File trustStore, String trustStorePassword,
-      boolean trustStoreReloadingEnabled, int trustStoreReloadInterval)
+      boolean trustStoreReloadingEnabled, int trustStoreReloadIntervalMs)
           throws IOException, GeneralSecurityException {
     if (trustStore == null || !trustStore.exists()) {
       return credulousTrustStoreManagers();
@@ -380,7 +380,7 @@ private static TrustManager[] trustStoreManagers(
 
       if (trustStoreReloadingEnabled) {
         ReloadingX509TrustManager reloading = new ReloadingX509TrustManager(
-          KeyStore.getDefaultType(), trustStore, trustStorePassword, trustStoreReloadInterval);
+          KeyStore.getDefaultType(), trustStore, trustStorePassword, trustStoreReloadIntervalMs);
         reloading.init();
         return new TrustManager[]{reloading};
       } else {
diff --git a/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java b/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
index d4c88d2d4f920..08fb1944e8209 100644
--- a/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
+++ b/common/network-common/src/main/java/org/apache/spark/network/util/TransportConf.java
@@ -361,8 +361,8 @@ public boolean sslRpcTrustStoreReloadingEnabled() {
   /**
    * The interval, in milliseconds, the trust-store will reload its configuration
    */
-  public int sslRpcTrustStoreReloadInterval() {
-    return conf.getInt("spark.ssl.rpc.trustStoreReloadInterval", 10000);
+  public int sslRpctrustStoreReloadIntervalMs() {
+    return conf.getInt("spark.ssl.rpc.trustStoreReloadIntervalMs", 10000);
   }
 
   /**
diff --git a/common/network-common/src/test/java/TransportConfSuite.java b/common/network-common/src/test/java/TransportConfSuite.java
index f018b2de1ce72..0eaf792adbd4c 100644
--- a/common/network-common/src/test/java/TransportConfSuite.java
+++ b/common/network-common/src/test/java/TransportConfSuite.java
@@ -85,7 +85,7 @@ public void testSslTrustStorePassword() {
   }
 
   @Test
-  public void testSslTrustStoreReloadInterval() {
-    assertEquals(10000, transportConf.sslRpcTrustStoreReloadInterval());
+  public void testSsltrustStoreReloadIntervalMs() {
+    assertEquals(10000, transportConf.sslRpctrustStoreReloadIntervalMs());
   }
 }
diff --git a/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java b/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
index 3115c28939271..3c81b0af3186c 100644
--- a/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
+++ b/common/network-common/src/test/java/org/apache/spark/network/ssl/SslSampleConfigs.java
@@ -65,7 +65,7 @@ public static Map<String, String> createDefaultConfigMap() {
     confMap.put("spark.ssl.enabled", "true");
     confMap.put("spark.ssl.trustStoreReloadingEnabled", "false");
     confMap.put("spark.ssl.openSslEnabled", "false");
-    confMap.put("spark.ssl.trustStoreReloadInterval", "10000");
+    confMap.put("spark.ssl.trustStoreReloadIntervalMs", "10000");
     confMap.put("spark.ssl.keyStore", SslSampleConfigs.keyStorePath);
     confMap.put("spark.ssl.keyStorePassword", "password");
     confMap.put("spark.ssl.privateKey", SslSampleConfigs.privateKeyPath);
@@ -86,7 +86,7 @@ public static Map<String, String> createDefaultConfigMapForRpcNamespace() {
     confMap.put("spark.ssl.rpc.enabled", "true");
     confMap.put("spark.ssl.rpc.trustStoreReloadingEnabled", "false");
     confMap.put("spark.ssl.rpc.openSslEnabled", "false");
-    confMap.put("spark.ssl.rpc.trustStoreReloadInterval", "10000");
+    confMap.put("spark.ssl.rpc.trustStoreReloadIntervalMs", "10000");
     confMap.put("spark.ssl.rpc.keyStore", SslSampleConfigs.keyStorePath);
     confMap.put("spark.ssl.rpc.keyStorePassword", "password");
     confMap.put("spark.ssl.rpc.privateKey", SslSampleConfigs.privateKeyPath);
diff --git a/core/src/main/scala/org/apache/spark/SSLOptions.scala b/core/src/main/scala/org/apache/spark/SSLOptions.scala
index a66065c9d65f7..acb9879bafac8 100644
--- a/core/src/main/scala/org/apache/spark/SSLOptions.scala
+++ b/core/src/main/scala/org/apache/spark/SSLOptions.scala
@@ -54,7 +54,7 @@ import org.apache.spark.network.util.MapConfigProvider
  * @param trustStoreType      the type of the trust-store
  * @param trustStoreReloadingEnabled enables or disables using a trust-store that reloads
  *                                   its configuration when the trust-store file on disk changes
- * @param trustStoreReloadInterval the interval, in milliseconds,
+ * @param trustStoreReloadIntervalMs the interval, in milliseconds,
  *                                 when the trust-store will reload its configuration
  * @param openSslEnabled      enables or disables using an OpenSSL implementation
  * (if available on host system), requires certChain and keyFile arguments
@@ -79,7 +79,7 @@ private[spark] case class SSLOptions(
     trustStorePassword: Option[String] = None,
     trustStoreType: Option[String] = None,
     trustStoreReloadingEnabled: Boolean = false,
-    trustStoreReloadInterval: Int = 10000,
+    trustStoreReloadIntervalMs: Int = 10000,
     openSslEnabled: Boolean = false,
     protocol: Option[String] = None,
     enabledAlgorithms: Set[String] = Set.empty,
@@ -168,7 +168,7 @@ private[spark] case class SSLOptions(
     confMap.put(s"$nsp.enabled", enabled.toString)
     confMap.put(s"$nsp.trustStoreReloadingEnabled", trustStoreReloadingEnabled.toString)
     confMap.put(s"$nsp.openSslEnabled", openSslEnabled.toString)
-    confMap.put(s"$nsp.trustStoreReloadInterval", trustStoreReloadInterval.toString)
+    confMap.put(s"$nsp.trustStoreReloadIntervalMs", trustStoreReloadIntervalMs.toString)
     keyStore.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.keyStore", _))
     keyStorePassword.foreach(confMap.put(s"$nsp.keyStorePassword", _))
     privateKey.map(_.getAbsolutePath).foreach(confMap.put(s"$nsp.privateKey", _))
@@ -191,7 +191,7 @@ private[spark] case class SSLOptions(
       s"keyStoreType=$keyStoreType, needClientAuth=$needClientAuth, " +
       s"certChain=$certChain, trustStore=$trustStore, " +
       s"trustStorePassword=${trustStorePassword.map(_ => "xxx")}, " +
-      s"trustStoreReloadInterval=$trustStoreReloadInterval, " +
+      s"trustStoreReloadIntervalMs=$trustStoreReloadIntervalMs, " +
       s"trustStoreReloadingEnabled=$trustStoreReloadingEnabled, openSSLEnabled=$openSslEnabled, " +
       s"protocol=$protocol, enabledAlgorithms=$enabledAlgorithms}, " +
       s"dangerouslyFallbackIfKeysNotPresent=$dangerouslyFallbackIfKeysNotPresent"
@@ -218,7 +218,7 @@ private[spark] object SSLOptions extends Logging {
    * $ - `[ns].trustStoreType` - the type of trust-store
    * $ - `[ns].trustStoreReloadingEnabled` - enables or disables using a trust-store
    * that reloads its configuration when the trust-store file on disk changes
-   * $ - `[ns].trustStoreReloadInterval` - the interval, in milliseconds, the
+   * $ - `[ns].trustStoreReloadIntervalMs` - the interval, in milliseconds, the
    * trust-store will reload its configuration
    * $ - `[ns].openSslEnabled` - enables or disables using an OpenSSL implementation
    * (if available on host system), requires certChain and keyFile arguments
@@ -301,8 +301,8 @@ private[spark] object SSLOptions extends Logging {
     val trustStoreReloadingEnabled = conf.getBoolean(s"$ns.trustStoreReloadingEnabled",
         defaultValue = defaults.exists(_.trustStoreReloadingEnabled))
 
-    val trustStoreReloadInterval = conf.getInt(s"$ns.trustStoreReloadInterval",
-      defaultValue = defaults.map(_.trustStoreReloadInterval).getOrElse(10000))
+    val trustStoreReloadIntervalMs = conf.getInt(s"$ns.trustStoreReloadIntervalMs",
+      defaultValue = defaults.map(_.trustStoreReloadIntervalMs).getOrElse(10000))
 
     val openSslEnabled = conf.getBoolean(s"$ns.openSslEnabled",
         defaultValue = defaults.exists(_.openSslEnabled))
@@ -334,7 +334,7 @@ private[spark] object SSLOptions extends Logging {
       trustStorePassword,
       trustStoreType,
       trustStoreReloadingEnabled,
-      trustStoreReloadInterval,
+      trustStoreReloadIntervalMs,
       openSslEnabled,
       protocol,
       enabledAlgorithms,
diff --git a/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala b/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
index 1357fc8bda3c3..ee6bf071ef695 100644
--- a/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SSLOptionsSuite.scala
@@ -54,7 +54,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
     conf.set("spark.ssl.trustStoreReloadingEnabled", "false")
-    conf.set("spark.ssl.trustStoreReloadInterval", "10000")
+    conf.set("spark.ssl.trustStoreReloadIntervalMs", "10000")
     conf.set("spark.ssl.openSslEnabled", "false")
     conf.set("spark.ssl.enabledAlgorithms", algorithms.mkString(","))
     conf.set("spark.ssl.protocol", "TLSv1.2")
@@ -70,7 +70,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.keyStore.get.getAbsolutePath === keyStorePath)
     assert(opts.trustStorePassword === Some("password"))
     assert(opts.trustStoreReloadingEnabled === false)
-    assert(opts.trustStoreReloadInterval === 10000)
+    assert(opts.trustStoreReloadIntervalMs === 10000)
     assert(opts.privateKey.isDefined === true)
     assert(opts.privateKey.get.getName === "key.pem")
     assert(opts.privateKey.get.getAbsolutePath === privateKeyPath)
@@ -101,7 +101,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
     conf.set("spark.ssl.trustStoreReloadingEnabled", "false")
-    conf.set("spark.ssl.trustStoreReloadInterval", "10000")
+    conf.set("spark.ssl.trustStoreReloadIntervalMs", "10000")
     conf.set("spark.ssl.openSslEnabled", "false")
     conf.set("spark.ssl.enabledAlgorithms",
       "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
@@ -128,7 +128,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.keyPassword === Some("password"))
     assert(opts.trustStorePassword === Some("password"))
     assert(opts.trustStoreReloadingEnabled === false)
-    assert(opts.trustStoreReloadInterval === 10000)
+    assert(opts.trustStoreReloadIntervalMs === 10000)
     assert(opts.openSslEnabled === false)
     assert(opts.protocol === Some("SSLv3"))
     assert(opts.enabledAlgorithms ===
@@ -155,7 +155,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
     conf.set("spark.ssl.ui.trustStoreReloadingEnabled", "true")
-    conf.set("spark.ssl.ui.trustStoreReloadInterval", "20000")
+    conf.set("spark.ssl.ui.trustStoreReloadIntervalMs", "20000")
     conf.set("spark.ssl.ui.openSslEnabled", "true")
     conf.set("spark.ssl.enabledAlgorithms",
       "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
@@ -183,7 +183,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.keyStorePassword === Some("12345"))
     assert(opts.keyPassword === Some("password"))
     assert(opts.trustStoreReloadingEnabled === true)
-    assert(opts.trustStoreReloadInterval === 20000)
+    assert(opts.trustStoreReloadIntervalMs === 20000)
     assert(opts.openSslEnabled === true)
     assert(opts.protocol === Some("SSLv3"))
     assert(opts.enabledAlgorithms === Set("ABC", "DEF"))
@@ -208,7 +208,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     conf.set("spark.ssl.trustStore", trustStorePath)
     conf.set("spark.ssl.trustStorePassword", "password")
     conf.set("spark.ssl.rpc.trustStoreReloadingEnabled", "true")
-    conf.set("spark.ssl.rpc.trustStoreReloadInterval", "20000")
+    conf.set("spark.ssl.rpc.trustStoreReloadIntervalMs", "20000")
     conf.set("spark.ssl.rpc.openSslEnabled", "true")
     conf.set("spark.ssl.enabledAlgorithms",
       "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA")
@@ -245,7 +245,7 @@ class SSLOptionsSuite extends SparkFunSuite {
     assert(opts.keyStorePassword === Some("12345"))
     assert(opts.keyPassword === Some("password"))
     assert(opts.trustStoreReloadingEnabled === true)
-    assert(opts.trustStoreReloadInterval === 20000)
+    assert(opts.trustStoreReloadIntervalMs === 20000)
     assert(opts.openSslEnabled === true)
     assert(opts.protocol === Some("SSLv3"))
     assert(opts.enabledAlgorithms === Set("ABC", "DEF"))
diff --git a/docs/security.md b/docs/security.md
index 5d273dd39a51e..3a0cbaa3a32c1 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -629,7 +629,7 @@ replaced with one of the above namespaces.
     </td>
   </tr>
   <tr>
-    <td><code>${ns}.trustStoreReloadInterval</code></td>
+    <td><code>${ns}.trustStoreReloadIntervalMs</code></td>
     <td>None</td>
     <td>
       The interval at which the trust store should be reloaded (in milliseconds).