Configuring TLS (SSL) Verification

If you are connecting to a Drill instance that has Transport Layer Security (TLS) enabled (previously called SSL), you can configure the connector to connect to a TLS-enabled socket. When using TLS to connect to a server, the connector can be configured to verify the identity of the server.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure TLS verification:

  1. To enable TLS connections, set the enableTLS property to true.
  2. The TLS provider defaults to JDK. If you are using OpenSSL as your TLS provider, set the TLSProvider property to OPENSSL.
  3. The TLS protocol defaults to TLSV1.2. If your provider is using a different version, set the TLSProtocol property to the version used by your TLS provider. For a list of supported versions, see TLSProtocol.
  4. Set the TLSHandshakeTimeout property to the number of milliseconds you want the connector to wait before alerting the user that a connection has not been established (10000 by default).
  5. To use the Java trust store:
    • Set the trustStorePath property to the custom path for the Java TrustStore. (If this is not set, the connector uses a default path. See trustStorePath.)
    • Set the trustStoreType property to the type of TrustStore used.
    • If your trust store uses a password, set the trustStorePassword property to the password.
  6. If you want to use the Windows trust store, set the useSystemTrustStore property to true.
  7. If you do not want the connector to verify the host against the certificate, set the disableHostVerification property to true.

    Important:

    If disableHostVerification is set to true, the connector does not verify that the host in the certificate is the host being connected to.

  8. If you do not want the connector to validate the host certificate against the Trust Store, set the disableCertificateVerification property to true.
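
The following check is an added example, not code from the connector or its documentation. It reads the TLS properties described above out of a connection URL and reports the settings that turn verification off. It assumes that properties follow the first URL segment as semicolon-separated key=value pairs and that property names can be compared case-insensitively; the sample URLs, host name and paths are constructed.

```python
# Added example (not connector code): audit the TLS properties of a connection URL.
# Assumptions: properties follow the first segment as ';'-separated key=value
# pairs, and property names are compared case-insensitively.

MESSAGES = {
    "enableTLS": "not set to true, so the connection does not use TLS",
    "disableHostVerification": "host is not verified against the certificate",
    "disableCertificateVerification": "certificate is not validated against the trust store",
    "trustStorePassword": "trust store password is embedded in the URL",
}


def parse_properties(url):
    """Return {lowercased property name: value} for everything after the first ';'."""
    props = {}
    for part in url.split(";")[1:]:
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def audit_tls(url):
    """Return (property, message) findings; an empty list means verification is on."""
    props = parse_properties(url)

    def is_true(name):
        return props.get(name.lower(), "").lower() == "true"

    if not is_true("enableTLS"):
        return [("enableTLS", MESSAGES["enableTLS"])]
    flagged = [name for name in ("disableHostVerification",
                                 "disableCertificateVerification") if is_true(name)]
    if "truststorepassword" in props:
        flagged.append("trustStorePassword")
    return [(name, MESSAGES[name]) for name in flagged]


# Constructed sample URLs (host and trust store path are placeholders).
STRICT = ("jdbc:drill:drillbit=drill.example.internal:31010;enableTLS=true;"
          "trustStorePath=/opt/certs/truststore.jks;trustStoreType=JKS")
WEAK = STRICT + ";disableHostVerification=true;disableCertificateVerification=TRUE"

if __name__ == "__main__":
    for label, url in (("strict", STRICT), ("weak", WEAK)):
        print(label, audit_tls(url))
```
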