RATIS-2537. Support configurable gRPC TLS provider and cipher suites #1462

Open
HTHou wants to merge 3 commits into apache:master from HTHou:RATIS-2537-configurable-grpc-tls

@HTHou HTHou commented May 19, 2026

What changed

This patch makes gRPC TLS settings configurable through RaftProperties:

  • Netty SSL provider
  • JSSE provider name
  • enabled TLS/TLCP protocols
  • enabled cipher suites

It also allows generic JSSE providers, such as KonaSSL, to be used with Netty's JDK SslContext path and ALPN h2.

Why

Ratis currently hardcodes most gRPC TLS behavior around Netty's defaults. Deployments that need custom JSSE providers or non-default protocol/cipher suites cannot configure them without code changes.

Validation

./mvnw -pl ratis-grpc -Dtest=TestGrpcTlsConfig test
./mvnw -pl ratis-grpc checkstyle:check
./mvnw -pl ratis-grpc install -DskipTests

I also ran a local KonaSSL smoke test with TLCPv1.1, TLCP_ECC_SM4_GCM_SM3, and ALPN h2.

@HTHou HTHou marked this pull request as ready for review May 19, 2026 06:57
@HTHou HTHou force-pushed the RATIS-2537-configurable-grpc-tls branch from beff449 to f2202f1 Compare May 19, 2026 07:51
@HTHou HTHou changed the title RATIS-2537. Support configurable gRPC TLS options RATIS-2537. Support configurable gRPC TLS provider and cipher suites May 19, 2026
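
The description above lists a JSSE provider name, enabled protocols and enabled cipher suites as configurable. The following is an added example, not code from this pull request or from Ratis: a fail-fast check, using only JDK APIs, that the named provider actually supports the requested values before they reach Netty. The class and method names are hypothetical, and the SunJSSE values in `main` are constructed sample input.

```java
import java.security.Provider;
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Hypothetical helper; not part of Ratis or of this patch. */
public final class TlsConfigCheck {
  /** Returns parameters limited to the requested values, or throws if the provider lacks any. */
  static SSLParameters resolve(String providerName, String contextAlgorithm,
      List<String> protocols, List<String> cipherSuites) throws Exception {
    Provider provider = Security.getProvider(providerName);
    if (provider == null) {
      throw new IllegalArgumentException("JSSE provider not registered: " + providerName);
    }
    SSLContext context = SSLContext.getInstance(contextAlgorithm, provider);
    context.init(null, null, null); // default key/trust managers; enough to query capabilities
    SSLParameters supported = context.getSupportedSSLParameters();

    List<String> missing = new ArrayList<>();
    missing.addAll(unsupported(protocols, supported.getProtocols()));
    missing.addAll(unsupported(cipherSuites, supported.getCipherSuites()));
    if (!missing.isEmpty()) {
      // Fail at startup instead of discovering the mismatch at handshake time.
      throw new IllegalArgumentException(providerName + " does not support: " + missing);
    }
    SSLParameters params = new SSLParameters(
        cipherSuites.toArray(new String[0]), protocols.toArray(new String[0]));
    params.setApplicationProtocols(new String[] {"h2"}); // gRPC negotiates HTTP/2 via ALPN
    return params;
  }

  /** Requested names that the provider does not list as supported. */
  private static List<String> unsupported(List<String> wanted, String[] available) {
    List<String> out = new ArrayList<>(wanted);
    out.removeAll(Arrays.asList(available));
    return out;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: the stock SunJSSE provider with one TLS 1.3 suite.
    SSLParameters p = resolve("SunJSSE", "TLS",
        Arrays.asList("TLSv1.3"), Arrays.asList("TLS_AES_128_GCM_SHA256"));
    System.out.println(Arrays.toString(p.getProtocols()) + " " + Arrays.toString(p.getCipherSuites()));
  }
}
```

A provider that uses a different `SSLContext` algorithm name than `TLS` would pass that name as `contextAlgorithm`.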