HBASE-29444 Default to JRE default TLS protcol list (#7142)

stoty · web-flow · commit bdefd1e12491 · 2025-07-28T08:48:00.000+02:00
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -87,7 +87,6 @@ public final class X509Util {
   public static final String TLS_CIPHER_SUITES = CONFIG_PREFIX + "ciphersuites";
   public static final String TLS_CERT_RELOAD = CONFIG_PREFIX + "certReload";
   public static final String TLS_USE_OPENSSL = CONFIG_PREFIX + "useOpenSsl";
-  public static final String DEFAULT_PROTOCOL = "TLSv1.2";
 
   //
   // Server-side specific configs
@@ -206,7 +205,10 @@ public static SslContext createSslContextForClient(Configuration config)
     }
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
-    sslContextBuilder.protocols(getEnabledProtocols(config));
+    String[] enabledProtocols = getEnabledProtocols(config);
+    if (enabledProtocols != null) {
+      sslContextBuilder.protocols(enabledProtocols);
+    }
     String[] cipherSuites = getCipherSuites(config);
     if (cipherSuites != null) {
       sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
@@ -276,7 +278,10 @@ public static SslContext createSslContextForServer(Configuration config)
     }
 
     sslContextBuilder.enableOcsp(sslOcspEnabled);
-    sslContextBuilder.protocols(getEnabledProtocols(config));
+    String[] enabledProtocols = getEnabledProtocols(config);
+    if (enabledProtocols != null) {
+      sslContextBuilder.protocols(enabledProtocols);
+    }
     String[] cipherSuites = getCipherSuites(config);
     if (cipherSuites != null) {
       sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
@@ -391,9 +396,13 @@ static X509TrustManager createTrustManager(String trustStoreLocation, char[] tru
   private static String[] getEnabledProtocols(Configuration config) {
     String enabledProtocolsInput = config.get(TLS_ENABLED_PROTOCOLS);
     if (enabledProtocolsInput == null) {
-      return new String[] { config.get(TLS_CONFIG_PROTOCOL, DEFAULT_PROTOCOL) };
+      enabledProtocolsInput = config.get(TLS_CONFIG_PROTOCOL);
+    }
+    if (enabledProtocolsInput != null) {
+      return enabledProtocolsInput.split(",");
+    } else {
+      return null;
     }
-    return enabledProtocolsInput.split(",");
   }
 
   private static String[] getCipherSuites(Configuration config) {
diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/TestX509Util.java
@@ -96,7 +96,16 @@ public void testCreateSSLContextWithClientAuthNONE() throws Exception {
   public void testCreateSSLContextWithoutCustomProtocol() throws Exception {
     SslContext sslContext = X509Util.createSslContextForClient(conf);
     ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
-    assertArrayEquals(new String[] { X509Util.DEFAULT_PROTOCOL },
+    assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" },
+      sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
+  }
+
+  @Test
+  public void testCreateTcNativeSSLContextWithoutCustomProtocol() throws Exception {
+    conf.set(X509Util.TLS_USE_OPENSSL, "true");
+    SslContext sslContext = X509Util.createSslContextForClient(conf);
+    ByteBufAllocator byteBufAllocatorMock = mock(ByteBufAllocator.class);
+    assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" },
       sslContext.newEngine(byteBufAllocatorMock).getEnabledProtocols());
   }
 
