How do I enable TLS on an Apache Arrow FlightClient in Java?

Question

The documentation for the Java Apache Arrow (v11.0.0) FlightClient.Builder has several methods related to constructing a TLS-enabled client:

• clientCertificate(InputStream clientCertificate, InputStream clientKey)
• useTls()
• overrideHostname(String hostname)
• trustedCertificates(InputStream stream)
• verifyServer(boolean verifyServer)

The descriptions aren't detailed enough for me to understand which ones are needed to enable and use TLS in connections with a FlightServer. There could easily be some gap in my understanding of TLS that would help me more easily consume this documentation.

Do I need to use all of these? Are some of them redundant? How are they related?

Answer 1

I took a look at the code that implements this API for some insights.

useTls simply tells the underlying client builder to start putting together SSL Context for the TLS-enabled client. The same effect is achieved by having the grpc+tls scheme attached to the location attribute.

The rest of the options are used for adding to the SSL Context. The context builder is provided by io.netty.handler.ssl.SslContextBuilder.

• clientCertificate(cert, key) adds the provided cert/key to the SSL Context's key manager.
• trustedCertificates(cert) adds the provided cert to the trust manager (for third party connection verification).
• verifyServer(bool) cannot be false if either of the above two are provided, since they are required to verify the server. If this is false, the trust manager will simply be set up using InsecureTrustManagerFactory.INSTANCE.
• overrideHostname(hostname) calls the underlying overrideAuthority() on the channel builder. This isn't really related to what I'm trying to do.

Do I need to use all of these (ignoring overrideHostname)? It depends on how the TLS is configured on the server the client will connect to.

Are any of them redundant? useTls() is redundant if the location attribute already has the TLS scheme attached.