trinodb · hashhar · Feb 1, 2022 · Jan 12, 2022 · hashhar · Feb 1, 2022
diff --git a/docs/src/main/sphinx/security/kerberos.rst b/docs/src/main/sphinx/security/kerberos.rst
@@ -128,25 +128,8 @@ Property                                                  Description
                                                           operation and usage of valid DNS host names.
 ========================================================= ======================================================
 
-.. note::
-
-    Monitor the CPU usage on the Trino coordinator after enabling HTTPS. Java
-    prefers the more CPU-intensive cipher suites, if you allow it to choose from
-    a big list. If the CPU usage is unacceptably high after enabling HTTPS,
-    you can configure Java to use specific cipher suites by setting
-    the ``http-server.https.included-cipher`` property to only allow
-    cheap ciphers. Non forward secrecy (FS) ciphers are disabled by default.
-    As a result, if you want to choose non FS ciphers, you need to set the
-    ``http-server.https.excluded-cipher`` property to an empty list in order to
-    override the default exclusions.
-
-    .. code-block:: text
-
-        http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
-        http-server.https.excluded-cipher=
-
-    The Java documentation lists the `supported cipher suites
-    <https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__SUNJSSE_CIPHER_SUITES>`_.
+See :ref:`Standards supported <tls-version-and-ciphers>` for a discussion of the
+supported TLS versions and cipher suites.
 
 access-controls.properties
 ^^^^^^^^^^^^^^^^^^^^^^^^^^

diff --git a/docs/src/main/sphinx/security/tls.rst b/docs/src/main/sphinx/security/tls.rst
@@ -12,17 +12,68 @@ This topic describes how to configure your Trino server to use :ref:`TLS
 All authentication technologies supported by Trino require configuring TLS as
 the foundational layer.
 
-When configured to use TLS, a Trino server responds to client connections using
-TLS 1.2 and TLS 1.3 certificates. The server rejects TLS 1.1, TLS 1.0, and all
-SSL format certificates.
-
 .. important::
 
     This page discusses only how to prepare the Trino server for secure client
     connections from outside of the Trino cluster to its coordinator.
 
 See the :doc:`Glossary </appendix/glossary>` to clarify unfamiliar terms.
 
+.. _tls-version-and-ciphers:
+
+Supported standards
+-------------------
+
+When configured to use TLS, the Trino server responds to client connections
+using TLS 1.2 and TLS 1.3 certificates. The server rejects TLS 1.1, TLS 1.0, and
+all SSL format certificates.
+
+The Trino server does not specify a set of supported ciphers, instead deferring
+to the defaults set by the JVM version in use. The documentation for Java 11
+lists its `supported cipher suites
-to the defaults set by the JVM version in use. The documentation for Java 11
-lists its `supported cipher suites
+to the defaults set by the JVM version in use. For example Oracle JDK 11
+lists its `supported cipher suites
-to the defaults set by the JVM version in use. The documentation for Java 11
-lists its `supported cipher suites
+to the defaults set by the JVM version in use. For example Oracle JDK 11
+lists its `supported cipher suites
+<https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2__SUNJSSE_CIPHER_SUITES>`_.
+
+Run the following two-line code on the same JVM from the same vendor as
+configured on the coordinator to determine that JVM's default cipher list.
-Run the following two-line code on the same JVM from the same vendor as
-configured on the coordinator to determine that JVM's default cipher list.
+Run the following code on the same JVM as used by
+the coordinator to determine that JVM's default cipher list.
-Run the following two-line code on the same JVM from the same vendor as
-configured on the coordinator to determine that JVM's default cipher list.
+Run the following code on the same JVM as used by
+the coordinator to determine that JVM's default cipher list.
+
+.. code-block:: shell
+
+  echo "java.util.Arrays.asList(((javax.net.ssl.SSLServerSocketFactory) \
+  javax.net.ssl.SSLServerSocketFactory.getDefault()).getSupportedCipherSuites()).stream().forEach(System.out::println)" | jshell -
+
+The default Trino server specifies a set of regular expressions that exclude
-The default Trino server specifies a set of regular expressions that exclude
+By default Trino is configured to exclude
-The default Trino server specifies a set of regular expressions that exclude
+By default Trino is configured to exclude
+older cipher suites that do not support forward secrecy (FS).
+
+Use the ``http-server.https.included-cipher`` property to specify a
+comma-separated list of ciphers in preferred use order. If one of your preferred
-comma-separated list of ciphers in preferred use order. If one of your preferred
+comma-separated list of ciphers in order of preferred use. If one of your preferred
-comma-separated list of ciphers in preferred use order. If one of your preferred
+comma-separated list of ciphers in order of preferred use. If one of your preferred
+selections is a non-FS cipher, you must also set the
+``http-server.https.excluded-cipher`` property to an empty list to override the
+default exclusions. For example:
+
+.. code-block:: text
+
+   http-server.https.included-cipher=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256
+   http-server.https.excluded-cipher=
+
+Specifying a different cipher suite is a complex issue that should only be
+considered in conjunction with your organization's security managers. Using a
+different suite may require downloading and installing a different SunJCE
+implementation package. Some locales may have export restrictions on cipher
+suites. See the discussion in Java documentation that begins with `Customizing
+the Encryption Algorithm Providers
+<https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-316FB978-7588-442E-B829-B4973DB3B584>`_.
+
+.. note::
+
+    If you manage the coordinator's direct TLS implementatation, monitor the CPU
+    usage on the Trino coordinator after enabling HTTPS. Java prefers the more
+    CPU-intensive cipher suites, if you allow it to choose from a big list of
+    ciphers. If the CPU usage is unacceptably high after enabling HTTPS, you can
+    configure Java to use specific cipher suites as described in this section.
+
+    However, best practice is to instead use an external load balancer, as
+    discussed next.
-    However, best practice is to instead use an external load balancer, as
-    discussed next.
+    However, best practice is to terminate TLS at a load balancer instead as
+    discussed next.
-    However, best practice is to instead use an external load balancer, as
-    discussed next.
+    However, best practice is to terminate TLS at a load balancer instead as
+    discussed next.
+
 Approaches
 ----------