HDDS-15152. SSL protocol config is not applied to Jetty when set to default value

[dombizita]

What changes were proposed in this pull request?

In HttpServer2.setEnabledProtocols(), the logic that applies SSL protocol restrictions to the Jetty SslContextFactory is gated behind a check that compares the resolved configuration value against SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT ("TLSv1.2").

This means that Jetty is not respecting the configuration, the condition check should be removed.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15152

How was this patch tested?

Tested the changes manually with openssl s_client -connect commands.

[jojochuang]

need unit tests

[dombizita]

Thanks for the review @jojochuang, in the latest commit I added unit tests (non default value/default value/no config set)

[dombizita]

@octachoron could you please review it? thanks!

[yandrey321]

does it mean that you want whitelisted protocols to be removed from the blacklist? Usually exclude list overrides white list.

[jojochuang]

IIRC it is a Jetty specific semantics. Yes, exclude list takes precendece over white list.

[dombizita]

I didn't change this behaviour (it's only modified because of removing the if condition and needed to adjust them). This behaviour was ported in #10111 from HADOOP-15169 and HADOOP-19546 to Ozone's HttpServer2 fork. There is a comment in Hadoop, which explains it:

      // Jetty 9.2.4.v20141103 and above excludes certain protocols by
      // default. Remove the user enabled protocols from the exclude list,
      // and add them into the include list.

SslContextFactory in Jetty applies excludes with higher priority than includes.