Move cipher note from kerb to tls page #10579
Dain approved! Who's going to merge this in, please?
hashhar left a comment
LGTM since this is a lift-and-shift.
Left some comments since this could use much work - for someone unfamiliar with TLS configs there is some "not to the point" talk + some contradictions.
.. _tls-version-and-ciphers:
Supported standards
Very weird title IMO.
"Supported TLS versions and Cipher suites" is more factual and actually conveys information.
echo "java.util.Arrays.asList(((javax.net.ssl.SSLServerSocketFactory) \
javax.net.ssl.SSLServerSocketFactory.getDefault()).getSupportedCipherSuites()).stream().forEach(System.out::println)" | jshell -
The default Trino server specifies a set of regular expressions that exclude
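Review bot: the jshell one-liner calls getSupportedCipherSuites(), which lists every suite the JVM is able to negotiate, but the text introducing it promises to "determine that JVM's default cipher list", which is the enabled set. Either call getDefaultCipherSuites() on the same factory, or reword the sentence to say "supported" rather than "default" so readers do not mistake the long supported list for what the coordinator will actually offer.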
- The default Trino server specifies a set of regular expressions that exclude
+ By default Trino is configured to exclude
The configs don't use regex at all. It's just a list.
using TLS 1.2 and TLS 1.3 certificates. The server rejects TLS 1.1, TLS 1.0, and
all SSL format certificates.
The Trino server does not specify a set of supported ciphers, instead deferring
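Review bot: "TLS 1.2 and TLS 1.3 certificates" and "all SSL format certificates" in the first two lines conflate the protocol version with the certificate. TLS 1.0 through 1.3 and SSL are protocol versions negotiated in the handshake; the server certificate is an X.509 document and is the same whichever version is negotiated. Suggest: "connections using TLS 1.2 and TLS 1.3. The server rejects TLS 1.1, TLS 1.0, and all SSL versions."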
This statement and the next paragraph are conflicting. Either Trino can exclude and include ciphers or it cannot.
to the defaults set by the JVM version in use. The documentation for Java 11
lists its `supported cipher suites
Since we talk vendors we should be extra clear when referring to examples here.
- to the defaults set by the JVM version in use. The documentation for Java 11
- lists its `supported cipher suites
+ to the defaults set by the JVM version in use. For example Oracle JDK 11
+ lists its `supported cipher suites
Run the following two-line code on the same JVM from the same vendor as
configured on the coordinator to determine that JVM's default cipher list.
- Run the following two-line code on the same JVM from the same vendor as
- configured on the coordinator to determine that JVM's default cipher list.
+ Run the following code on the same JVM as used by
+ the coordinator to determine that JVM's default cipher list.
older cipher suites that do not support forward secrecy (FS).
Use the ``http-server.https.included-cipher`` property to specify a
comma-separated list of ciphers in preferred use order. If one of your preferred
- comma-separated list of ciphers in preferred use order. If one of your preferred
+ comma-separated list of ciphers in order of preferred use. If one of your preferred
.. note::
If you manage the coordinator's direct TLS implementatation, monitor the CPU
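Review bot: typo in this line, "implementatation" should be "implementation"; the same misspelling recurs where the note is repeated below.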
What is a "direct TLS implementation"?
If you manage the coordinator's direct TLS implementatation, monitor the CPU
usage on the Trino coordinator after enabling HTTPS. Java prefers the more
CPU-intensive cipher suites, if you allow it to choose from a big list of
ciphers. If the CPU usage is unacceptably high after enabling HTTPS, you can
configure Java to use specific cipher suites as described in this section.
Can be read to mean to verbatim set the config shared above which I don't believe is what we intend to mean here.
However, best practice is to instead use an external load balancer, as
discussed next.
- However, best practice is to instead use an external load balancer, as
- discussed next.
+ However, best practice is to terminate TLS at a load balancer instead as
+ discussed next.
@jhlodin Can you kindly create an issue so that we remember to follow up on this?