Skip to content

[GOBBLIN-2238]Remove unsupported ChaCha20 cipher suites from default SSL configuration #4153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Blazer-007 merged 2 commits into from
Nov 6, 2025
Merged

[GOBBLIN-2238]Remove unsupported ChaCha20 cipher suites from default SSL configuration #4153

Blazer-007 merged 2 commits into from
Nov 6, 2025

Conversation

@pratapaditya04
Copy link
Contributor

@pratapaditya04 pratapaditya04 commented Nov 6, 2025
edited
Loading

Dear Gobblin maintainers,

Please accept this PR. I understand that it will not be reviewed until I have checked off all the steps below!

JIRA

Description

  • Here are some details about my PR, including screenshots (if applicable):

Details :

This PR removes the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suites from Gobblin’s default gRPC SSL configuration.

These cipher suites are not supported on Java 8 (1.8.0_282 and below), and their presence was causing:
java.lang.IllegalArgumentException: Unsupported CipherSuite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
when Gobblin Temporal master or Yarn containers attempted to initialize SSL/TLS contexts during job startup.

Affected flows used Java 8u282 (java.home=/export/apps/jdk/JDK-1_8_0_282-msft/jre)
Successful flows used Java 8u172 (java.home=/export/apps/jdk/JDK-1_8_0_172/jre)
The issue surfaced because newer JDK 8 builds perform stricter cipher validation than older ones.
Fix:
Removed ChaCha20-based ciphers from the default SSL_CONFIG_DEFAULT_CIPHER_SUITES.
Retained AES-GCM-based ciphers required for HTTP/2 and supported on all JDK 8+ versions:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
.

Tests

  • My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

  • My commits all reference JIRA issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "How to write a good git commit message":
    1. Subject is separated from body by a blank line
    2. Subject is limited to 50 characters
    3. Subject does not end with a period
    4. Subject uses the imperative mood ("add", not "adding")
    5. Body wraps at 72 characters
    6. Body explains "what" and "why", not "how"

@Blazer-007 Blazer-007 merged commit 93be76b into apache:master Nov 6, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Blazer-007 Blazer-007 Blazer-007 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pratapaditya04 @Blazer-007