gavinchou commented on code in PR #367:
URL: https://github.com/apache/doris-thirdparty/pull/367#discussion_r2490410481
##########
src/main/java/com/sleepycat/je/rep/utilint/net/SSLChannelFactory.java:
##########
@@ -248,6 +248,55 @@ public DataChannel connect(InetSocketAddress addr,
socketChannel, engine, host, sslHostVerifier, null, logger);
}
+ /**
+ * Configure client authentication mode for the SSLEngine based on the
+ * SSL_CLIENT_AUTH_MODE configuration parameter.
+ *
+ * @param engine the SSLEngine to configure
+ */
+ private void configureClientAuth(SSLEngine engine) {
+ if (instanceParams == null) {
+ // Fallback to legacy behavior if no instance params
+ if (sslAuthenticator != null) {
+ engine.setWantClientAuth(true);
+ }
+ return;
+ }
+
+ final ReplicationSSLConfig config =
+ (ReplicationSSLConfig)
instanceParams.getContext().getRepNetConfig();
+ final String clientAuthMode = config.getSSLClientAuthMode();
+
+ if (clientAuthMode == null || clientAuthMode.isEmpty()) {
+ // Default behavior: request client auth if authenticator is
present
+ if (sslAuthenticator != null) {
+ engine.setWantClientAuth(true);
+ }
+ return;
+ }
+
+ if ("verify_none".equals(clientAuthMode)) {
+ // Don't request client certificates at all (TLS without client
auth)
+ engine.setWantClientAuth(false);
+ engine.setNeedClientAuth(false);
+ } else if ("verify_peer".equals(clientAuthMode)) {
+ // Request client certificates but don't require them (standard
TLS)
+ engine.setWantClientAuth(true);
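Review bot: The `verify_none` branch clears both client-auth flags without consulting `sslAuthenticator`, unlike the two fallback paths above it, so a single configuration value can stop the accepting side from requesting client certificates even when an authenticator is configured. Whether the authenticator then rejects a session with no peer certificate is not visible in the quoted lines, so I would guard the branch with `if (sslAuthenticator != null)` and either log a warning or refuse the combination, so that the downgrade is never silent. Separately, `SSLEngine.setWantClientAuth` and `SSLEngine.setNeedClientAuth` each override the other's previous setting, which makes the second call in `verify_none` redundant. For the same reason, if `verify_peer` goes on to call `setNeedClientAuth(false)` after `setWantClientAuth(true)`, the request for a certificate would be cleared again. The body of `configureClientAuth` continues past the quoted hunk, so the handling of unrecognised mode strings should be checked there to confirm it does not fall through to no client authentication.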
Review Comment:
Comment this out for a future improvement.