HDDS-10819. Respect ssl.server.include.cipher.list and ssl.enabled.protocols in HttpServer2 (#10111)

Generated-by: Claude - Opus 4.6

Author: fapifta

hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneConfigKeys.java

@@ -557,6 +557,7 @@ public final class OzoneConfigKeys {
       "ozone.http.policy";
   public static final String OZONE_HTTP_POLICY_DEFAULT =
       HttpConfig.Policy.HTTP_ONLY.name();
+  public static final String  OZONE_SSL_ENABLED_PROTOCOLS = "ozone.ssl.enabled.protocols";
   public static final String  OZONE_SERVER_HTTPS_KEYSTORE_RESOURCE_KEY =
       "ozone.https.server.keystore.resource";
   public static final String  OZONE_SERVER_HTTPS_KEYSTORE_RESOURCE_DEFAULT =

hadoop-hdds/common/src/main/resources/ozone-default.xml

@@ -3747,6 +3747,15 @@
     <description>Keystore key password for HTTPS SSL configuration
     </description>
   </property>
+  <property>
+    <name>ozone.ssl.enabled.protocols</name>
+    <tag>OZONE,SECURITY,CRYPTO_COMPLIANCE</tag>
+    <value/>
+    <description>
+      The supported SSL protocols used to restrict connections towards the WebUI of different components,
+      and the S3 GateWay.
+    </description>
+  </property>
   <property>
     <name>ssl.server.keystore.location</name>
     <tag>OZONE, SECURITY, MANAGEMENT</tag>

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/BaseHttpServer.java

@@ -56,6 +56,7 @@
 import org.apache.hadoop.ozone.OzoneSecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
+import org.apache.hadoop.security.ssl.SSLFactory;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -370,23 +371,28 @@ public void updateConnectorAddress() {
     }
   }
 
-  public static HttpServer2.Builder loadSslConfToHttpServerBuilder(
-      HttpServer2.Builder builder, ConfigurationSource sslConf) {
-    return builder
+  public static void loadSslConfToHttpServerBuilder(HttpServer2.Builder builder, ConfigurationSource sslConf) {
+    builder
         .needsClientAuth(
             sslConf.getBoolean(OZONE_CLIENT_HTTPS_NEED_AUTH_KEY,
                 OZONE_CLIENT_HTTPS_NEED_AUTH_DEFAULT))
         .keyPassword(getPassword(sslConf, OZONE_SERVER_HTTPS_KEYPASSWORD_KEY))
-        .keyStore(sslConf.get("ssl.server.keystore.location"),
+        .keyStore(
+            sslConf.get(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION),
             getPassword(sslConf, OZONE_SERVER_HTTPS_KEYSTORE_PASSWORD_KEY),
-            sslConf.get(HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE,
-                HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE_DEFAULT))
-        .trustStore(sslConf.get("ssl.server.truststore.location"),
+            sslConf.get(
+                HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE,
+                HddsConfigKeys.HDDS_HTTP_SERVER_KEYSTORE_TYPE_DEFAULT)
+        )
+        .trustStore(
+            sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_LOCATION),
             getPassword(sslConf, OZONE_SERVER_HTTPS_TRUSTSTORE_PASSWORD_KEY),
-            sslConf.get(HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE,
-                HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE_DEFAULT))
-        .excludeCiphers(
-            sslConf.get("ssl.server.exclude.cipher.list"));
+            sslConf.get(
+                HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE,
+                HddsConfigKeys.HDDS_HTTP_SERVER_TRUSTSTORE_TYPE_DEFAULT)
+        )
+        .includeCiphers(sslConf.get(SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST))
+        .excludeCiphers(sslConf.get(SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST));
   }
 
   /**

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/HttpServer2.java

@@ -39,6 +39,7 @@
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -250,6 +251,7 @@ public static class Builder {
     private String authFilterConfigurationPrefix =
         "hadoop.http.authentication.";
     private String excludeCiphers;
+    private String includeCiphers;
 
     private boolean xFrameEnabled;
     private XFrameOption xFrameOption = XFrameOption.SAMEORIGIN;
@@ -377,6 +379,11 @@ public Builder excludeCiphers(String pExcludeCiphers) {
       return this;
     }
 
+    public Builder includeCiphers(String pIncludeCiphers) {
+      this.includeCiphers = pIncludeCiphers;
+      return this;
+    }
+
     /**
      * Adds the ability to control X_FRAME_OPTIONS on HttpServer2.
      * @param enabled - True enables X_FRAME_OPTIONS false disables it.
@@ -448,6 +455,7 @@ private void loadSSLConfiguration() throws IOException {
       trustStoreType = sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE,
           SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE_DEFAULT);
       excludeCiphers = sslConf.get(SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST);
+      includeCiphers = sslConf.get(SSLFactory.SSL_SERVER_INCLUDE_CIPHER_LIST);
     }
 
     public Builder withoutDefaultApps() {
@@ -565,17 +573,42 @@ private ServerConnector createHttpsChannelConnector(
           sslContextFactory.setTrustStorePassword(trustStorePassword);
         }
       }
-      if (null != excludeCiphers && !excludeCiphers.isEmpty()) {
+      if (excludeCiphers != null && !excludeCiphers.isEmpty()) {
         sslContextFactory.setExcludeCipherSuites(
             StringUtils.getTrimmedStrings(excludeCiphers));
         LOG.info("Excluded Cipher List: {}", excludeCiphers);
       }
 
+      if (includeCiphers != null && !includeCiphers.isEmpty()) {
+        sslContextFactory.setIncludeCipherSuites(
+            StringUtils.getTrimmedStrings(includeCiphers));
+        LOG.info("Included Cipher List: {}", includeCiphers);
+      }
+
+      setEnabledProtocols(sslContextFactory);
+
       conn.addFirstConnectionFactory(new SslConnectionFactory(sslContextFactory,
           HttpVersion.HTTP_1_1.asString()));
 
       return conn;
     }
+
+    private void setEnabledProtocols(SslContextFactory sslContextFactory) {
+      String enabledProtocols = conf.get(OzoneConfigKeys.OZONE_SSL_ENABLED_PROTOCOLS,
+          conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY, SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT));
+      if (!enabledProtocols.equals(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
+        List<String> originalExcludedProtocols = Arrays.asList(sslContextFactory.getExcludeProtocols());
+        String[] enabledProtocolsArray = StringUtils.getTrimmedStrings(enabledProtocols);
+
+        List<String> finalExcludedProtocols = new ArrayList<>(originalExcludedProtocols);
+        finalExcludedProtocols.removeAll(Arrays.asList(enabledProtocolsArray));
+
+        sslContextFactory.setExcludeProtocols(finalExcludedProtocols.toArray(new String[0]));
+        LOG.info("Disabled protocols: {}", finalExcludedProtocols);
+        sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
+        LOG.info("Enabled protocols: {}", enabledProtocols);
+      }
+    }
   }
 
   private HttpServer2(final Builder b) throws IOException {