From ff05be6f454133589193df41e27716ed0a76899d Mon Sep 17 00:00:00 2001 From: Nikhil Collooru Date: Tue, 5 Aug 2025 16:59:45 -0700 Subject: [PATCH] Explicitly set the netty SSL Provider to JDK This is copy of the PR#116 from prestodb/airlift. This code uses the FATAL_ALERT failure behavior, which is only supported by the JDK ssl provider. However, if no SSL Provider is set, it is environment dependent whether the JDK or OpenSSL provider is used. This change Explicitly sets the ssl provider to JDK. This fixes an issue where servers might fail on start up in ReferenceCountedOpenSslContext with "OpenSSL provider does not support FATAL_ALERT behavior" if they get created with OPEN_SSL as the provider. --- .../drift/transport/netty/ssl/ReloadableSslContext.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drift-transport-netty/src/main/java/com/facebook/drift/transport/netty/ssl/ReloadableSslContext.java b/drift-transport-netty/src/main/java/com/facebook/drift/transport/netty/ssl/ReloadableSslContext.java index 9510cbff3..55cc5736f 100644 --- a/drift-transport-netty/src/main/java/com/facebook/drift/transport/netty/ssl/ReloadableSslContext.java +++ b/drift-transport-netty/src/main/java/com/facebook/drift/transport/netty/ssl/ReloadableSslContext.java @@ -25,6 +25,7 @@ import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContextBuilder; +import io.netty.handler.ssl.SslProvider; import java.io.File; import java.io.IOException; @@ -136,6 +137,7 @@ public synchronized void reload() // it should respond with a no_application_protocol alert and fail the TLS handshake. sslContextBuilder.applicationProtocolConfig(new ApplicationProtocolConfig( Protocol.ALPN, SelectorFailureBehavior.FATAL_ALERT, SelectedListenerFailureBehavior.FATAL_ALERT, new String[] {"thrift"})); + sslContextBuilder.sslProvider(SslProvider.JDK); sslContext.set(new SslContextHolder(sslContextBuilder.build())); } }