Add generic SSL/TLS configuration support

external-service-impl/rest/src/main/java/org/apache/iotdb/rest/RestService.java

@@ -21,6 +21,7 @@
 import org.apache.iotdb.externalservice.api.IExternalService;
 import org.apache.iotdb.rest.i18n.RestMessages;
 import org.apache.iotdb.rest.protocol.filter.ApiOriginFilter;
+import org.apache.iotdb.rpc.RpcSslUtils;
 
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -46,12 +47,14 @@
 
   private static Server server;
 
   private void startSSL(
       int port,
       String keyStorePath,
       String trustStorePath,
       String keyStorePwd,
       String trustStorePwd,
+      String sslProtocol,
+      String sslProviderClass,
       int idleTime,
       boolean clientAuth) {
     server = new Server();
@@ -61,6 +64,7 @@
     httpsConfig.addCustomizer(new SecureRequestCustomizer());
 
     SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+    configureSSL(sslContextFactory, sslProtocol, sslProviderClass);
     sslContextFactory.setKeyStorePath(keyStorePath);
     sslContextFactory.setKeyStorePassword(keyStorePwd);
     if (clientAuth) {
@@ -125,6 +129,8 @@
           config.getTrustStorePath(),
           config.getKeyStorePwd(),
           config.getTrustStorePwd(),
+          config.getSslProtocol(),
+          config.getSslProviderClass(),
           config.getIdleTimeoutInSeconds(),
           config.isClientAuth());
     } else {
@@ -142,4 +148,22 @@
       server.destroy();
     }
   }
+
+  private void configureSSL(
+      SslContextFactory.Server sslContextFactory, String sslProtocol, String sslProviderClass) {
+    String protocol = trimToEmpty(sslProtocol);
+    try {
+      RpcSslUtils.ensureProvider(protocol, sslProviderClass);
+    } catch (Exception e) {
+      throw new IllegalArgumentException("Failed to initialize SSL provider for REST service", e);
+    }
+    if (!protocol.isEmpty()) {
+      sslContextFactory.setProtocol(protocol);
+      sslContextFactory.setIncludeProtocols(protocol);
+    }
+  }
+
+  private String trimToEmpty(String value) {
+    return value == null ? "" : value.trim();
+  }
 }

iotdb-client/cli/src/main/java/org/apache/iotdb/cli/AbstractCli.java

@@ -77,12 +77,18 @@
 
   static final String TRUST_STORE_PWD_ARGS = "tpw";
 
+  static final String SSL_PROTOCOL_ARGS = "ssl_protocol";
+
+  static final String SSL_PROVIDER_CLASS_ARGS = "ssl_provider_class";
+
   private static final String EXECUTE_NAME = "execute";
 
   private static final String USE_SSL = "use_ssl";
   private static final String TRUST_STORE = "trust_store";
 
   private static final String TRUST_STORE_PWD = "trust_store_pwd";
+  private static final String SSL_PROTOCOL = "ssl_protocol";
+  private static final String SSL_PROVIDER_CLASS = "ssl_provider_class";
   private static final String NULL = "null";
 
   static final int CODE_OK = 0;
@@ -132,6 +138,10 @@
   static String trustStore;
   // TODO: Make non-static
   static String trustStorePwd;
+  // TODO: Make non-static
+  static String sslProtocol;
+  // TODO: Make non-static
+  static String sslProviderClass;
 
   static String execute;
   static boolean hasExecuteSQL = false;
@@ -156,6 +166,10 @@
     keywordSet.add("-" + USE_SSL_ARGS);
     keywordSet.add("-" + TRUST_STORE_ARGS);
     keywordSet.add("-" + TRUST_STORE_PWD_ARGS);
+    keywordSet.add("-" + SSL_PROTOCOL_ARGS);
+    keywordSet.add("--" + SSL_PROTOCOL_ARGS);
+    keywordSet.add("-" + SSL_PROVIDER_CLASS_ARGS);
+    keywordSet.add("--" + SSL_PROVIDER_CLASS_ARGS);
     keywordSet.add("-" + EXECUTE_ARGS);
     keywordSet.add("-" + ISO8601_ARGS);
     keywordSet.add("-" + RPC_COMPRESS_ARGS);
@@ -214,6 +228,24 @@
             .build();
     options.addOption(useSSL);
 
+    Option sslProtocol =
+        Option.builder(SSL_PROTOCOL_ARGS)
+            .longOpt(SSL_PROTOCOL)
+            .argName(SSL_PROTOCOL)
+            .hasArg()
+            .desc("SSL protocol. (optional)")
+            .build();
+    options.addOption(sslProtocol);
+
+    Option sslProviderClass =
+        Option.builder(SSL_PROVIDER_CLASS_ARGS)
+            .longOpt(SSL_PROVIDER_CLASS)
+            .argName(SSL_PROVIDER_CLASS)
+            .hasArg()
+            .desc("JSSE provider class for SSL. (optional)")
+            .build();
+    options.addOption(sslProviderClass);
+
     Option execute =
         Option.builder(EXECUTE_ARGS)
             .argName(EXECUTE_NAME)

iotdb-client/cli/src/main/java/org/apache/iotdb/cli/Cli.java

@@ -111,6 +111,12 @@ private static void constructProperties() {
       info.setProperty("use_ssl", useSsl);
       info.setProperty("trust_store", trustStore);
       info.setProperty("trust_store_pwd", trustStorePwd);
+      if (sslProtocol != null) {
+        info.setProperty(Config.SSL_PROTOCOL, sslProtocol);
+      }
+      if (sslProviderClass != null) {
+        info.setProperty(Config.SSL_PROVIDER_CLASS, sslProviderClass);
+      }
     }
     info.setProperty("user", username);
     info.setProperty("password", password);
@@ -159,6 +165,8 @@ private static boolean parseCommandLine(
   private static void serve(CliContext ctx) {
     try {
       useSsl = commandLine.getOptionValue(USE_SSL_ARGS);
+      sslProtocol = commandLine.getOptionValue(SSL_PROTOCOL_ARGS);
+      sslProviderClass = commandLine.getOptionValue(SSL_PROVIDER_CLASS_ARGS);
       if (Boolean.parseBoolean(useSsl)) {
         trustStore = ctx.getLineReader().readLine("please input your trust_store:", '\0');
         trustStorePwd = ctx.getLineReader().readLine("please input your trust_store_pwd:", '\0');

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/Constants.java

@@ -68,6 +68,14 @@ public class Constants {
   public static final String TRUST_STORE_PWD_NAME = "trust_store_password";
   public static final String TRUST_STORE_PWD_DESC = "Trust store password. (optional)";
 
+  public static final String SSL_PROTOCOL_ARGS = "ssl_protocol";
+  public static final String SSL_PROTOCOL_NAME = "ssl_protocol";
+  public static final String SSL_PROTOCOL_DESC = "SSL protocol. (optional)";
+
+  public static final String SSL_PROVIDER_CLASS_ARGS = "ssl_provider_class";
+  public static final String SSL_PROVIDER_CLASS_NAME = "ssl_provider_class";
+  public static final String SSL_PROVIDER_CLASS_DESC = "JSSE provider class for SSL. (optional)";
+
   public static final String FILE_TYPE_ARGS = "ft";
   public static final String FILE_TYPE_NAME = "file_type";
   public static final String FILE_TYPE_ARGS_NAME = "format";

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/OptionsUtil.java

@@ -133,6 +133,26 @@ public static Options createCommonOptions(Options options) {
             .build();
     options.addOption(opTrustStorePwd);
 
+    Option opSslProtocol =
+        Option.builder(SSL_PROTOCOL_ARGS)
+            .longOpt(SSL_PROTOCOL_NAME)
+            .optionalArg(true)
+            .argName(SSL_PROTOCOL_NAME)
+            .hasArg()
+            .desc(SSL_PROTOCOL_DESC)
+            .build();
+    options.addOption(opSslProtocol);
+
+    Option opSslProviderClass =
+        Option.builder(SSL_PROVIDER_CLASS_ARGS)
+            .longOpt(SSL_PROVIDER_CLASS_NAME)
+            .optionalArg(true)
+            .argName(SSL_PROVIDER_CLASS_NAME)
+            .hasArg()
+            .desc(SSL_PROVIDER_CLASS_DESC)
+            .build();
+    options.addOption(opSslProviderClass);
+
     return options;
   }
 

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/AbstractDataTool.java

@@ -34,6 +34,9 @@
 import org.apache.iotdb.rpc.IoTDBConnectionException;
 import org.apache.iotdb.rpc.StatementExecutionException;
 import org.apache.iotdb.session.Session;
+import org.apache.iotdb.session.TableSessionBuilder;
+import org.apache.iotdb.session.pool.SessionPool;
+import org.apache.iotdb.session.pool.TableSessionPoolBuilder;
 import org.apache.iotdb.tool.common.Constants;
 import org.apache.iotdb.tool.common.ImportTsFileOperation;
 
@@ -94,6 +97,8 @@ public abstract class AbstractDataTool {
   protected static Boolean useSsl;
   protected static String trustStore;
   protected static String trustStorePwd;
+  protected static String sslProtocol;
+  protected static String sslProviderClass;
   protected static Boolean aligned;
   protected static String database;
   protected static String startTime;
@@ -134,6 +139,50 @@ public abstract class AbstractDataTool {
 
   protected AbstractDataTool() {}
 
+  protected static Session.Builder configureSsl(Session.Builder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
+  protected static SessionPool.Builder configureSsl(SessionPool.Builder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
+  protected static TableSessionBuilder configureSsl(TableSessionBuilder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
+  protected static TableSessionPoolBuilder configureSsl(TableSessionPoolBuilder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
   protected static String checkRequiredArg(
       String arg, String name, CommandLine commandLine, String defaultValue)
       throws ArgsErrorException {
@@ -170,6 +219,8 @@ protected static void parseBasicParams(CommandLine commandLine)
     String useSslStr = commandLine.getOptionValue(Constants.USE_SSL_ARGS);
     useSsl = Boolean.parseBoolean(useSslStr);
     if (useSsl) {
+      sslProtocol = commandLine.getOptionValue(Constants.SSL_PROTOCOL_ARGS);
+      sslProviderClass = commandLine.getOptionValue(Constants.SSL_PROVIDER_CLASS_ARGS);
       String givenTS = commandLine.getOptionValue(Constants.TRUST_STORE_ARGS);
       if (givenTS != null) {
         trustStore = givenTS;

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ExportDataTable.java

@@ -71,8 +71,7 @@ public void init() throws IoTDBConnectionException, StatementExecutionException
             .database(database)
             .thriftMaxFrameSize(rpcMaxFrameSize);
     if (useSsl) {
-      tableSessionBuilder =
-          tableSessionBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      tableSessionBuilder = configureSsl(tableSessionBuilder);
     }
     tableSession = tableSessionBuilder.build();
     SessionDataSet sessionDataSet = tableSession.executeQueryStatement("show databases", timeout);

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ExportDataTree.java

@@ -80,8 +80,7 @@ public void init() throws IoTDBConnectionException, StatementExecutionException,
             .enableRedirection(SessionConfig.DEFAULT_REDIRECTION_MODE)
             .version(SessionConfig.DEFAULT_VERSION);
     if (useSsl) {
-      sessionBuilder =
-          sessionBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      sessionBuilder = configureSsl(sessionBuilder);
     }
     session = sessionBuilder.build();
     session.open(false);

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ImportDataTable.java

@@ -88,8 +88,7 @@ public void init() throws InterruptedException {
             .enableAutoFetch(false)
             .database(database);
     if (useSsl) {
-      tableSessionPoolBuilder =
-          tableSessionPoolBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      tableSessionPoolBuilder = configureSsl(tableSessionPoolBuilder);
     }
     sessionPool = tableSessionPoolBuilder.build();
     final File file = new File(targetPath);

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ImportDataTree.java

@@ -72,8 +72,7 @@ public void init()
             .enableRedirection(false)
             .enableAutoFetch(false);
     if (useSsl) {
-      sessionPoolBuilder =
-          sessionPoolBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      sessionPoolBuilder = configureSsl(sessionPoolBuilder);
     }
     sessionPool = sessionPoolBuilder.build();
     sessionPool.setEnableQueryRedirection(false);

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/AbstractSchemaTool.java

@@ -25,6 +25,8 @@
 import org.apache.iotdb.cli.utils.JlineUtils;
 import org.apache.iotdb.exception.ArgsErrorException;
 import org.apache.iotdb.session.Session;
+import org.apache.iotdb.session.pool.SessionPool;
+import org.apache.iotdb.session.pool.TableSessionPoolBuilder;
 import org.apache.iotdb.tool.common.Constants;
 
 import org.apache.commons.cli.CommandLine;
@@ -53,6 +55,8 @@ public abstract class AbstractSchemaTool {
   protected static Boolean useSsl;
   protected static String trustStore;
   protected static String trustStorePwd;
+  protected static String sslProtocol;
+  protected static String sslProviderClass;
   protected static Session session;
   protected static String queryPath;
   protected static int threadNum = 8;
@@ -73,6 +77,39 @@ public abstract class AbstractSchemaTool {
 
   protected AbstractSchemaTool() {}
 
+  protected static Session.Builder configureSsl(Session.Builder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
+  protected static SessionPool.Builder configureSsl(SessionPool.Builder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
+  protected static TableSessionPoolBuilder configureSsl(TableSessionPoolBuilder builder) {
+    builder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+    if (sslProtocol != null) {
+      builder.sslProtocol(sslProtocol);
+    }
+    if (sslProviderClass != null) {
+      builder.sslProviderClass(sslProviderClass);
+    }
+    return builder;
+  }
+
   protected static String checkRequiredArg(
       String arg, String name, CommandLine commandLine, String defaultValue)
       throws ArgsErrorException {
@@ -107,6 +144,8 @@ protected static void parseBasicParams(CommandLine commandLine)
     String useSslStr = commandLine.getOptionValue(Constants.USE_SSL_ARGS);
     useSsl = Boolean.parseBoolean(useSslStr);
     if (useSsl) {
+      sslProtocol = commandLine.getOptionValue(Constants.SSL_PROTOCOL_ARGS);
+      sslProviderClass = commandLine.getOptionValue(Constants.SSL_PROVIDER_CLASS_ARGS);
       String givenTS = commandLine.getOptionValue(Constants.TRUST_STORE_ARGS);
       if (givenTS != null) {
         trustStore = givenTS;

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTable.java

@@ -64,8 +64,7 @@ public void init() throws InterruptedException {
             .enableAutoFetch(false)
             .database(database);
     if (useSsl) {
-      tableSessionPoolBuilder =
-          tableSessionPoolBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      tableSessionPoolBuilder = configureSsl(tableSessionPoolBuilder);
     }
     sessionPool = tableSessionPoolBuilder.build();
     checkDatabase();

iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTree.java

@@ -51,8 +51,7 @@ public void init()
             .username(username)
             .password(password);
     if (useSsl) {
-      sessionBuilder =
-          sessionBuilder.useSSL(true).trustStore(trustStore).trustStorePwd(trustStorePwd);
+      sessionBuilder = configureSsl(sessionBuilder);
     }
     session = sessionBuilder.build();
     session.open(false);