From 5950f8943756c5289c4ffb0b44a88ba3df7e4ed3 Mon Sep 17 00:00:00 2001
From: Balazs Meszaros
Date: Tue, 9 Jun 2026 10:47:46 +0200
Subject: [PATCH] HBASE-30212 Netty should allow every supported TLS ciphers by default

Netty will allow to use every supported cipher at the client side by default, so clients can use the widest range of ciphers.
---
 .../apache/hadoop/hbase/io/crypto/tls/X509Util.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
index b06d4aa0d322..d6be0eed844e 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/tls/X509Util.java
@@ -47,6 +47,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OpenSsl;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
@@ -210,7 +211,14 @@ public static SslContext createSslContextForClient(Configuration config)
 sslContextBuilder.protocols(enabledProtocols);
 }
 String[] cipherSuites = getCipherSuites(config);
- if (cipherSuites != null) {
+ if (cipherSuites == null) {
+ /*
+ * if cipher list is not explicitly defined, we use the most inclusive cipher list at the
+ * client side
+ */
+ sslContextBuilder.ciphers(null,
+ IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS);
+ } else {
 sslContextBuilder.ciphers(Arrays.asList(cipherSuites));
 }
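Review bot: In the new `cipherSuites == null` branch of createSslContextForClient, `IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS` makes the client offer every suite the TLS engine supports rather than the engine's enabled-by-default set, and the supported set can include legacy or weak suites that the provider deliberately leaves disabled. Which suite is negotiated then rests on the server's preference and on provider-level restrictions (for JSSE, the `jdk.tls.disabledAlgorithms` security property), so the client no longer sets its own floor when no cipher list is configured. I would make the widened list opt-in behind an explicit configuration flag that defaults to off, leaving the builder's default list untouched otherwise, or pass a curated preference list through `SupportedCipherSuiteFilter.INSTANCE`. The block comment should also state the trade-off, for example `/* Offers every suite the engine supports, including ones it does not enable by default; suite strength then depends on the server's choice and on provider restrictions. */`. The body of createSslContextForClient and getCipherSuites() lie outside the hunk, so the conditions under which null reaches this branch cannot be confirmed here, and the patch adds no test pinning which suites the client offers.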