Details
Type: Bug
Status: Accepted
Priority: Minor
Resolution: Unresolved
Affects Version/s: 1.21.1
Fix Version/s: None
Component/s: None
Description
The update of the Jetty dependency to version 9.4 (DRILL-7135) has led to Drill no longer supporting a TLS server certificate with multiple Subject Alternative Name (SAN) values.
If you try to use a keystore containing a single cert with multiple SANs, you get the following error on startup of the Drillbit:
    [main] ERROR o.apache.drill.exec.server.Drillbit - Failure during initial startup of Drillbit.
    java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
It appears that Jetty version 9.4 has deprecated the org.eclipse.jetty.util.ssl.SslContextFactory class, and Drill should now use the org.eclipse.jetty.util.ssl.SslContextFactory.Server class instead.
I was unable to find a Drill configuration file to change which class is used (e.g. an instance of jetty-ssl.xml), and it looks like the specific SslContextFactory class is hardcoded in org.apache.drill.exec.server.rest.ssl.SslContextFactoryConfigurator:

    public SslContextFactory configureNewSslContextFactory() throws Exception {
      SSLConfig sslConf = new SSLConfigBuilder()
          .config(config)
          .mode(SSLConfig.Mode.SERVER)
          .initializeSSLContext(false)
          .validateKeyStore(true)
          .build();
      final SslContextFactory sslContextFactory = new SslContextFactory();
      if (sslConf.isSslValid()) {
        useOptionsConfiguredByUser(sslContextFactory, sslConf);
      } else {
        useAutoGeneratedSelfSignedCertificate(sslContextFactory);
      }
      return sslContextFactory;
    }
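The following is an added stand-alone check, not code from Drill or from this report. It loads a user-supplied keystore with plain JDK APIs to list each alias and its SAN entries (so you can confirm the store really holds one certificate with several SANs), then starts the same keystore first on the deprecated Jetty 9.4 base SslContextFactory, where the IllegalStateException quoted above is expected, and then on SslContextFactory.Server, which is the class this report asks Drill to use. It assumes jetty-util 9.4.x on the classpath; the keystore path and password are command-line inputs, and the class name MultiSanKeyStoreCheck is the example's own.

```java
// Added example (not Drill's own code): reproduce the multi-SAN keystore failure on the
// deprecated Jetty 9.4 base SslContextFactory and show that SslContextFactory.Server
// accepts the same keystore. Assumes jetty-util 9.4.x on the classpath; keystore path
// and password are supplied as program arguments (nothing here is shipped by Drill).
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MultiSanKeyStoreCheck {

  // List every alias and the DNS/IP SANs of its certificate using only JDK APIs,
  // so the "single cert, multiple SANs" shape of the keystore can be verified.
  static void describeKeyStore(String path, String password) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(path)) {
      ks.load(in, password.toCharArray());
    }
    for (String alias : Collections.list(ks.aliases())) {
      Certificate cert = ks.getCertificate(alias);
      if (!(cert instanceof X509Certificate)) {
        continue;
      }
      X509Certificate x509 = (X509Certificate) cert;
      System.out.println("alias=" + alias + " subject=" + x509.getSubjectX500Principal());
      // Returns null when the certificate carries no subjectAltName extension.
      Collection<List<?>> sans = x509.getSubjectAlternativeNames();
      if (sans == null) {
        System.out.println("  (no subjectAltName extension)");
        continue;
      }
      for (List<?> san : sans) {
        // GeneralName tag 2 = dNSName, 7 = iPAddress; other SAN types are skipped here.
        int type = (Integer) san.get(0);
        if (type == 2 || type == 7) {
          System.out.println("  SAN " + (type == 2 ? "DNS:" : "IP:") + san.get(1));
        }
      }
    }
  }

  // Configure and start a factory with the keystore, the same way a server-side
  // configurator would; returns the failure, or null when start() succeeds.
  static Throwable tryStart(SslContextFactory factory, String path, String password) {
    factory.setKeyStorePath(path);
    factory.setKeyStorePassword(password);
    try {
      factory.start();
      factory.stop();
      return null;
    } catch (Throwable t) {
      return t;
    }
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: MultiSanKeyStoreCheck <keystore-path> <keystore-password>");
      System.exit(2);
    }
    describeKeyStore(args[0], args[1]);

    // Current Drill behaviour: the deprecated base class rejects a certificate that
    // resolves to more than one hostname with the IllegalStateException quoted in this issue.
    Throwable base = tryStart(new SslContextFactory(), args[0], args[1]);
    System.out.println("base SslContextFactory: " + (base == null ? "started OK" : base));

    // Proposed fix: the server-side subclass supports multiple hostnames (SNI) and
    // accepts the same keystore.
    Throwable server = tryStart(new SslContextFactory.Server(), args[0], args[1]);
    System.out.println("SslContextFactory.Server: " + (server == null ? "started OK" : server));
  }
}
```

Run it against the keystore that makes the Drillbit fail; the first factory should report the IllegalStateException above and the second should start cleanly. If the base factory also starts, the keystore does not have the multi-hostname shape this issue describes, and the Drillbit failure has another cause.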
Relevant links for other products affected by the same issue:
Attachments
Issue Links
- is related to DRILL-8452 Library upgrades (Closed)