PHOENIX-7665 Make TLS protocols and ciphersuites configurable in PQS

stoty · stoty · commit fecba5a6b3ea · 2025-10-27T12:17:41.000+01:00
diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/QueryServerProperties.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/QueryServerProperties.java
@@ -72,6 +72,10 @@ public class QueryServerProperties {
             "phoenix.queryserver.tls.truststore";
     public static final String QUERY_SERVER_TLS_TRUSTSTORE_PASSWORD =
             "phoenix.queryserver.tls.truststore.password";
+    public static final String QUERY_SERVER_TLS_ENABLED_PROTCOLS =
+            "phoenix.queryserver.tls.protocols";
+    public static final String QUERY_SERVER_TLS_ENABLED_CIPHERSUITES =
+            "phoenix.queryserver.tls.ciphersuites";
     public static final String QUERY_SERVER_JMX_JSON_ENDPOINT_DISABLED =
             "phoenix.queryserver.jmxjsonendpoint.disabled";
 
diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
@@ -297,7 +297,19 @@ private void setTlsIfNeccessary(Builder<Server> builder, Configuration conf) thr
         throw new Exception(String.format("if %s is enabled, %s must be specfified" , QueryServerProperties.QUERY_SERVER_TLS_ENABLED, QueryServerProperties.QUERY_SERVER_TLS_TRUSTSTORE));
       }
       final File tlsTruststoreFile = new File(tlsTruststore);
-      builder.withTLS(tlsKeystoreFile, tlsKeystorePassword, tlsTruststoreFile, tlsTruststorePassword, keystoreType);
+
+      final String tlsEnabledProtocolsString = getConf().get(QueryServerProperties.QUERY_SERVER_TLS_ENABLED_PROTCOLS);
+      String[] tlsEnabledProtocols = null;
+      if (tlsEnabledProtocolsString != null) {
+          tlsEnabledProtocols = tlsEnabledProtocolsString.trim().split(",");
+      }
+      final String tlsEnabledChiphersuitesString = getConf().get(QueryServerProperties.QUERY_SERVER_TLS_ENABLED_CIPHERSUITES);
+      String[] tlsEnabledChiphersuites = null;
+      if (tlsEnabledChiphersuitesString != null) {
+          tlsEnabledChiphersuites = tlsEnabledChiphersuitesString.trim().split(",");
+      }
+
+      builder.withTLS(tlsKeystoreFile, tlsKeystorePassword, tlsTruststoreFile, tlsTruststorePassword, keystoreType, tlsEnabledProtocols, tlsEnabledChiphersuites);
     }
 }
 
