flume-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From szabofe...@apache.org
Subject [2/2] flume git commit: FLUME-3182 add support for SSL/TLS for syslog (tcp) sources
Date Thu, 18 Oct 2018 11:45:58 GMT
FLUME-3182 add support for SSL/TLS for syslog (tcp) sources

Adding SSL/TLS support for syslog and multi port syslog sources
This change also contains some refactoring to avoid code duplication in
sources with SSL/TLS support

As SSL/TLS handling is refactored it is convinient to
add the possibility to specify enabled protocol list FLUME-3275 and
add the possibility to specify enabled cipher suite list FLUME-3276

This closes #230

Reviewers: Peter Turcsanyi, Endre Major

(Ferenc Szabo via Ferenc Szabo)


Project: http://git-wip-us.apache.org/repos/asf/flume/repo
Commit: http://git-wip-us.apache.org/repos/asf/flume/commit/965e1326
Tree: http://git-wip-us.apache.org/repos/asf/flume/tree/965e1326
Diff: http://git-wip-us.apache.org/repos/asf/flume/diff/965e1326

Branch: refs/heads/trunk
Commit: 965e13264a304d500540593288f65157cc6fdd55
Parents: 327a43d
Author: Ferenc Szabo <szaboferee@apache.org>
Authored: Thu Oct 18 13:44:21 2018 +0200
Committer: Ferenc Szabo <szaboferee@apache.org>
Committed: Thu Oct 18 13:44:21 2018 +0200

----------------------------------------------------------------------
 .../org/apache/flume/source/AvroSource.java     | 114 +-------
 .../flume/source/MultiportSyslogTCPSource.java  |  17 +-
 .../source/SslContextAwareAbstractSource.java   | 199 ++++++++++++++
 .../apache/flume/source/SyslogTcpSource.java    |  62 +++--
 .../org/apache/flume/source/ThriftSource.java   |  75 +-----
 .../apache/flume/source/http/HTTPSource.java    |  83 +++---
 .../http/HTTPSourceConfigurationConstants.java  |   4 +
 .../source/TestMultiportSyslogTCPSource.java    | 105 +++++++-
 .../flume/source/TestSyslogTcpSource.java       |  74 +++++-
 flume-ng-doc/sphinx/FlumeUserGuide.rst          | 266 ++++++++++++-------
 .../apache/flume/api/NettyAvroRpcClient.java    |  71 +++--
 .../api/RpcClientConfigurationConstants.java    |   3 +
 .../api/SSLContextAwareAbstractRpcClient.java   |  77 ++++++
 .../org/apache/flume/api/ThriftRpcClient.java   |  53 ++--
 .../java/org/apache/flume/util/SSLUtil.java     |  40 +++
 .../flume/util/AbstractSSLUtilListTest.java     |  44 +++
 .../util/SSLUtilExcludeCipherSuitesTest.java    |  49 ++++
 .../flume/util/SSLUtilExcludeProtocolsTest.java |  49 ++++
 .../util/SSLUtilIncludeCipherSuitesTest.java    |  49 ++++
 .../flume/util/SSLUtilIncludeProtocolsTest.java |  49 ++++
 20 files changed, 1073 insertions(+), 410 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
index e7b12bd..ac3d51d 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
@@ -19,7 +19,6 @@
 
 package org.apache.flume.source;
 
-import com.google.common.base.Preconditions;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import org.apache.avro.ipc.NettyServer;
 import org.apache.avro.ipc.NettyTransceiver;
@@ -41,7 +40,6 @@ import org.apache.flume.instrumentation.SourceCounter;
 import org.apache.flume.source.avro.AvroFlumeEvent;
 import org.apache.flume.source.avro.AvroSourceProtocol;
 import org.apache.flume.source.avro.Status;
-import org.apache.flume.util.SSLUtil;
 import org.jboss.netty.channel.ChannelPipeline;
 import org.jboss.netty.channel.ChannelPipelineFactory;
 import org.jboss.netty.channel.Channels;
@@ -55,22 +53,19 @@ import org.jboss.netty.handler.ssl.SslHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import java.io.FileInputStream;
+
 import java.net.InetSocketAddress;
-import java.security.KeyStore;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Supplier;
 
 /**
  * <p>
@@ -127,7 +122,7 @@ import java.util.concurrent.TimeUnit;
  * TODO
  * </p>
  */
-public class AvroSource extends AbstractSource implements EventDrivenSource,
+public class AvroSource extends SslContextAwareAbstractSource implements EventDrivenSource,
     Configurable, AvroSourceProtocol {
 
   private static final String THREADS = "threads";
@@ -138,21 +133,11 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
   private static final String PORT_KEY = "port";
   private static final String BIND_KEY = "bind";
   private static final String COMPRESSION_TYPE = "compression-type";
-  private static final String SSL_KEY = "ssl";
   private static final String IP_FILTER_KEY = "ipFilter";
   private static final String IP_FILTER_RULES_KEY = "ipFilterRules";
-  private static final String KEYSTORE_KEY = "keystore";
-  private static final String KEYSTORE_PASSWORD_KEY = "keystore-password";
-  private static final String KEYSTORE_TYPE_KEY = "keystore-type";
-  private static final String EXCLUDE_PROTOCOLS = "exclude-protocols";
   private int port;
   private String bindAddress;
   private String compressionType;
-  private String keystore;
-  private String keystorePassword;
-  private String keystoreType;
-  private final List<String> excludeProtocols = new LinkedList<String>();
-  private boolean enableSsl = false;
   private boolean enableIpFilter;
   private String patternRuleConfigDefinition;
 
@@ -167,6 +152,7 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
 
   @Override
   public void configure(Context context) {
+    configureSsl(context);
     Configurables.ensureRequiredNonNull(context, PORT_KEY, BIND_KEY);
 
     port = context.getInteger(PORT_KEY);
@@ -180,35 +166,6 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
               context.getString(THREADS));
     }
 
-    enableSsl = context.getBoolean(SSL_KEY, false);
-    keystore = context.getString(KEYSTORE_KEY, SSLUtil.getGlobalKeystorePath());
-    keystorePassword = context.getString(KEYSTORE_PASSWORD_KEY,
-        SSLUtil.getGlobalKeystorePassword());
-    keystoreType = context.getString(KEYSTORE_TYPE_KEY, SSLUtil.getGlobalKeystoreType("JKS"));
-    String excludeProtocolsStr = context.getString(EXCLUDE_PROTOCOLS);
-    if (excludeProtocolsStr == null) {
-      excludeProtocols.add("SSLv3");
-    } else {
-      excludeProtocols.addAll(Arrays.asList(excludeProtocolsStr.split(" ")));
-      if (!excludeProtocols.contains("SSLv3")) {
-        excludeProtocols.add("SSLv3");
-      }
-    }
-
-    if (enableSsl) {
-      Preconditions.checkNotNull(keystore,
-          KEYSTORE_KEY + " must be specified when SSL is enabled");
-      Preconditions.checkNotNull(keystorePassword,
-          KEYSTORE_PASSWORD_KEY + " must be specified when SSL is enabled");
-      try {
-        KeyStore ks = KeyStore.getInstance(keystoreType);
-        ks.load(new FileInputStream(keystore), keystorePassword.toCharArray());
-      } catch (Exception ex) {
-        throw new FlumeException(
-            "Avro source configured with invalid keystore: " + keystore, ex);
-      }
-    }
-
     enableIpFilter = context.getBoolean(IP_FILTER_KEY, false);
     if (enableIpFilter) {
       patternRuleConfigDefinition = context.getString(IP_FILTER_RULES_KEY);
@@ -283,11 +240,10 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
   private ChannelPipelineFactory initChannelPipelineFactory() {
     ChannelPipelineFactory pipelineFactory;
     boolean enableCompression = compressionType.equalsIgnoreCase("deflate");
-    if (enableCompression || enableSsl || enableIpFilter) {
+    if (enableCompression || isSslEnabled() || enableIpFilter) {
       pipelineFactory = new AdvancedChannelPipelineFactory(
-        enableCompression, enableSsl, keystore,
-        keystorePassword, keystoreType, enableIpFilter,
-        patternRuleConfigDefinition);
+        enableCompression, enableIpFilter,
+        patternRuleConfigDefinition, getSslEngineSupplier(false));
     } else {
       pipelineFactory = Channels::pipeline;
     }
@@ -455,52 +411,19 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
       implements ChannelPipelineFactory {
 
     private boolean enableCompression;
-    private boolean enableSsl;
-    private String keystore;
-    private String keystorePassword;
-    private String keystoreType;
 
     private boolean enableIpFilter;
     private String patternRuleConfigDefinition;
+    private Supplier<Optional<SSLEngine>> sslEngineSupplier;
 
-    public AdvancedChannelPipelineFactory(boolean enableCompression,
-        boolean enableSsl, String keystore, String keystorePassword,
-        String keystoreType, boolean enableIpFilter,
-        String patternRuleConfigDefinition) {
+    public AdvancedChannelPipelineFactory(boolean enableCompression, boolean enableIpFilter,
+        String patternRuleConfigDefinition, Supplier<Optional<SSLEngine>> sslEngineSupplier) {
       this.enableCompression = enableCompression;
-      this.enableSsl = enableSsl;
-      this.keystore = keystore;
-      this.keystorePassword = keystorePassword;
-      this.keystoreType = keystoreType;
       this.enableIpFilter = enableIpFilter;
       this.patternRuleConfigDefinition = patternRuleConfigDefinition;
+      this.sslEngineSupplier = sslEngineSupplier;
     }
 
-    private SSLContext createServerSSLContext() {
-      try {
-        KeyStore ks = KeyStore.getInstance(keystoreType);
-        ks.load(new FileInputStream(keystore), keystorePassword.toCharArray());
-
-        // Set up key manager factory to use our key store
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance(getAlgorithm());
-        kmf.init(ks, keystorePassword.toCharArray());
-
-        SSLContext serverContext = SSLContext.getInstance("TLS");
-        serverContext.init(kmf.getKeyManagers(), null, null);
-        return serverContext;
-      } catch (Exception e) {
-        throw new Error("Failed to initialize the server-side SSLContext", e);
-      }
-    }
-
-    private String getAlgorithm() {
-      String algorithm = Security.getProperty(
-          "ssl.KeyManagerFactory.algorithm");
-      if (algorithm == null) {
-        algorithm = "SunX509";
-      }
-      return algorithm;
-    }
 
     @Override
     public ChannelPipeline getPipeline() throws Exception {
@@ -511,23 +434,14 @@ public class AvroSource extends AbstractSource implements EventDrivenSource,
         pipeline.addFirst("inflater", new ZlibDecoder());
       }
 
-      if (enableSsl) {
-        SSLEngine sslEngine = createServerSSLContext().createSSLEngine();
-        sslEngine.setUseClientMode(false);
-        List<String> enabledProtocols = new ArrayList<String>();
-        for (String protocol : sslEngine.getEnabledProtocols()) {
-          if (!excludeProtocols.contains(protocol)) {
-            enabledProtocols.add(protocol);
-          }
-        }
-        sslEngine.setEnabledProtocols(enabledProtocols.toArray(new String[0]));
+      sslEngineSupplier.get().ifPresent(sslEngine -> {
         logger.info("SSLEngine protocols enabled: " +
             Arrays.asList(sslEngine.getEnabledProtocols()));
         // addFirst() will make SSL handling the first stage of decoding
         // and the last stage of encoding this must be added after
         // adding compression handling above
         pipeline.addFirst("ssl", new SslHandler(sslEngine));
-      }
+      });
 
       if (enableIpFilter) {
 

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/MultiportSyslogTCPSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/MultiportSyslogTCPSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/MultiportSyslogTCPSource.java
index 82cb2f2..d6abd37 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/MultiportSyslogTCPSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/MultiportSyslogTCPSource.java
@@ -21,6 +21,7 @@ package org.apache.flume.source;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Throwables;
 import com.google.common.collect.Lists;
+
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.charset.Charset;
@@ -30,6 +31,9 @@ import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+
+import javax.net.ssl.SSLParameters;
+
 import org.apache.flume.Context;
 import org.apache.flume.Event;
 import org.apache.flume.EventDrivenSource;
@@ -43,6 +47,7 @@ import org.apache.mina.core.buffer.IoBuffer;
 import org.apache.mina.core.service.IoHandlerAdapter;
 import org.apache.mina.core.session.IdleStatus;
 import org.apache.mina.core.session.IoSession;
+import org.apache.mina.filter.ssl.SslFilter;
 import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -50,7 +55,7 @@ import org.slf4j.LoggerFactory;
 /**
  *
  */
-public class MultiportSyslogTCPSource extends AbstractSource implements
+public class MultiportSyslogTCPSource extends SslContextAwareAbstractSource implements
         EventDrivenSource, Configurable, BatchSizeSupported {
 
   public static final Logger logger = LoggerFactory.getLogger(
@@ -77,6 +82,7 @@ public class MultiportSyslogTCPSource extends AbstractSource implements
 
   @Override
   public void configure(Context context) {
+    configureSsl(context);
     String portsStr = context.getString(
             SyslogSourceConfigurationConstants.CONFIG_PORTS);
 
@@ -161,6 +167,15 @@ public class MultiportSyslogTCPSource extends AbstractSource implements
     } else {
       acceptor = new NioSocketAcceptor();
     }
+
+    getSslContextSupplier().get().ifPresent(sslContext -> {
+      SslFilter filter = new SslFilter(sslContext);
+      SSLParameters sslParameters = sslContext.getDefaultSSLParameters();
+      filter.setEnabledProtocols(getFilteredProtocols(sslParameters));
+      filter.setEnabledCipherSuites(getFilteredCipherSuites(sslParameters));
+      acceptor.getFilterChain().addFirst("ssl", filter);
+    });
+
     acceptor.setReuseAddress(true);
     acceptor.getSessionConfig().setReadBufferSize(readBufferSize);
     acceptor.getSessionConfig().setIdleTime(IdleStatus.BOTH_IDLE, 10);

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/SslContextAwareAbstractSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/SslContextAwareAbstractSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/SslContextAwareAbstractSource.java
new file mode 100644
index 0000000..f220ae2
--- /dev/null
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/SslContextAwareAbstractSource.java
@@ -0,0 +1,199 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.flume.source;
+
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Supplier;
+import java.util.stream.Stream;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+
+import org.apache.flume.Context;
+import org.apache.flume.FlumeException;
+import org.apache.flume.util.SSLUtil;
+
+public abstract class SslContextAwareAbstractSource extends AbstractSource {
+  private static final String SSL_ENABLED_KEY = "ssl";
+  private static final boolean SSL_ENABLED_DEFAULT_VALUE = false;
+  private static final String KEYSTORE_KEY = "keystore";
+  private static final String KEYSTORE_PASSWORD_KEY = "keystore-password";
+  private static final String KEYSTORE_TYPE_KEY = "keystore-type";
+  private static final String KEYSTORE_TYPE_DEFAULT_VALUE = "JKS";
+
+  private static final String EXCLUDE_PROTOCOLS = "exclude-protocols";
+  private static final String INCLUDE_PROTOCOLS = "include-protocols";
+
+  private static final String EXCLUDE_CIPHER_SUITES = "exclude-cipher-suites";
+  private static final String INCLUDE_CIPHER_SUITES = "include-cipher-suites";
+
+  private String keystore;
+  private String keystorePassword;
+  private String keystoreType;
+  private boolean sslEnabled = false;
+  private final Set<String> excludeProtocols = new LinkedHashSet<>(Arrays.asList("SSLv3"));
+  private final Set<String> includeProtocols = new LinkedHashSet<>();
+  private final Set<String> excludeCipherSuites = new LinkedHashSet<>();
+  private final Set<String> includeCipherSuites = new LinkedHashSet<>();
+
+
+  public String getKeystore() {
+    return keystore;
+  }
+
+  public String getKeystorePassword() {
+    return keystorePassword;
+  }
+
+  public String getKeystoreType() {
+    return keystoreType;
+  }
+
+  public Set<String> getExcludeProtocols() {
+    return excludeProtocols;
+  }
+
+  public Set<String> getIncludeProtocols() {
+    return includeProtocols;
+  }
+
+  public Set<String> getExcludeCipherSuites() {
+    return excludeCipherSuites;
+  }
+
+  public Set<String> getIncludeCipherSuites() {
+    return includeCipherSuites;
+  }
+
+  public boolean isSslEnabled() {
+    return sslEnabled;
+  }
+
+  protected void configureSsl(Context context) {
+    sslEnabled = context.getBoolean(SSL_ENABLED_KEY, SSL_ENABLED_DEFAULT_VALUE);
+    keystore = context.getString(KEYSTORE_KEY, SSLUtil.getGlobalKeystorePath());
+    keystorePassword = context.getString(
+        KEYSTORE_PASSWORD_KEY, SSLUtil.getGlobalKeystorePassword());
+    keystoreType = context.getString(
+        KEYSTORE_TYPE_KEY, SSLUtil.getGlobalKeystoreType(KEYSTORE_TYPE_DEFAULT_VALUE));
+
+    parseList(context.getString(EXCLUDE_PROTOCOLS, SSLUtil.getGlobalExcludeProtocols()),
+        excludeProtocols);
+    parseList(context.getString(INCLUDE_PROTOCOLS, SSLUtil.getGlobalIncludeProtocols()),
+        includeProtocols);
+    parseList(context.getString(EXCLUDE_CIPHER_SUITES, SSLUtil.getGlobalExcludeCipherSuites()),
+        excludeCipherSuites);
+    parseList(context.getString(INCLUDE_CIPHER_SUITES, SSLUtil.getGlobalIncludeCipherSuites()),
+        includeCipherSuites);
+
+    if (sslEnabled) {
+      Objects.requireNonNull(keystore,
+          KEYSTORE_KEY + " must be specified when SSL is enabled");
+      Objects.requireNonNull(keystorePassword,
+          KEYSTORE_PASSWORD_KEY + " must be specified when SSL is enabled");
+      try {
+        KeyStore ks = KeyStore.getInstance(keystoreType);
+        ks.load(new FileInputStream(keystore), keystorePassword.toCharArray());
+      } catch (Exception ex) {
+        throw new FlumeException(
+          "Source " + getName() + " configured with invalid keystore: " + keystore, ex);
+      }
+    }
+  }
+
+  private Optional<SSLContext> getSslContext() {
+    if (sslEnabled) {
+      try {
+        KeyStore ks = KeyStore.getInstance(keystoreType);
+        ks.load(new FileInputStream(keystore), keystorePassword.toCharArray());
+
+        // can be set with "ssl.KeyManagerFactory.algorithm"
+        String algorithm = KeyManagerFactory.getDefaultAlgorithm();
+        // Set up key manager factory to use our key store
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
+        kmf.init(ks, keystorePassword.toCharArray());
+
+        SSLContext serverContext = SSLContext.getInstance("TLS");
+        serverContext.init(kmf.getKeyManagers(), null, null);
+
+        return Optional.of(serverContext);
+      } catch (Exception e) {
+        throw new Error("Failed to initialize the server-side SSLContext", e);
+      }
+    } else {
+      return Optional.empty();
+    }
+  }
+
+  private Optional<SSLEngine> getSslEngine(boolean useClientMode) {
+    return getSslContext().map(sslContext -> {
+      SSLEngine sslEngine = sslContext.createSSLEngine();
+      sslEngine.setUseClientMode(useClientMode);
+      sslEngine.setEnabledProtocols(
+          getFilteredProtocols(sslEngine.getEnabledProtocols()));
+      sslEngine.setEnabledCipherSuites(
+          getFilteredCipherSuites(sslEngine.getEnabledCipherSuites()));
+      return sslEngine;
+    });
+  }
+
+  protected Supplier<Optional<SSLContext>> getSslContextSupplier() {
+    return this::getSslContext;
+  }
+
+
+  protected Supplier<Optional<SSLEngine>> getSslEngineSupplier(boolean useClientMode) {
+    return () -> getSslEngine(useClientMode);
+  }
+
+  protected String[] getFilteredProtocols(SSLParameters sslParameters) {
+    return getFilteredProtocols(sslParameters.getProtocols());
+  }
+
+  private String[] getFilteredProtocols(String[] enabledProtocols) {
+    return Stream.of(enabledProtocols)
+      .filter(o -> includeProtocols.isEmpty() || includeProtocols.contains(o))
+      .filter(o -> !excludeProtocols.contains(o) )
+      .toArray(String[]::new);
+  }
+
+  protected String[] getFilteredCipherSuites(SSLParameters sslParameters) {
+    return getFilteredCipherSuites(sslParameters.getCipherSuites());
+  }
+
+  private String[] getFilteredCipherSuites(String[] enabledCipherSuites) {
+    return Stream.of(enabledCipherSuites)
+      .filter(o -> includeCipherSuites.isEmpty() || includeCipherSuites.contains(o))
+      .filter(o -> !excludeCipherSuites.contains(o))
+      .toArray(String[]::new);
+  }
+
+  private void parseList(String value, Set<String> set) {
+    if (Objects.nonNull(value)) {
+      set.addAll(Arrays.asList(value.split(" ")));
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/SyslogTcpSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/SyslogTcpSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/SyslogTcpSource.java
index 1a0432c..067c21b 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/SyslogTcpSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/SyslogTcpSource.java
@@ -21,9 +21,13 @@ package org.apache.flume.source;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Supplier;
+
+import javax.net.ssl.SSLEngine;
 
 import com.google.common.annotations.VisibleForTesting;
 import org.apache.flume.ChannelException;
@@ -44,6 +48,7 @@ import org.jboss.netty.channel.Channels;
 import org.jboss.netty.channel.MessageEvent;
 import org.jboss.netty.channel.SimpleChannelHandler;
 import org.jboss.netty.channel.socket.nio.NioServerSocketChannelFactory;
+import org.jboss.netty.handler.ssl.SslHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -51,8 +56,8 @@ import org.slf4j.LoggerFactory;
  * @deprecated use {@link MultiportSyslogTCPSource} instead.
  */
 @Deprecated
-public class SyslogTcpSource extends AbstractSource
-                             implements EventDrivenSource, Configurable {
+public class SyslogTcpSource extends SslContextAwareAbstractSource
+    implements EventDrivenSource, Configurable {
   private static final Logger logger = LoggerFactory.getLogger(SyslogTcpSource.class);
 
   private int port;
@@ -113,17 +118,10 @@ public class SyslogTcpSource extends AbstractSource
         Executors.newCachedThreadPool(), Executors.newCachedThreadPool());
 
     ServerBootstrap serverBootstrap = new ServerBootstrap(factory);
-    serverBootstrap.setPipelineFactory(new ChannelPipelineFactory() {
-      @Override
-      public ChannelPipeline getPipeline() {
-        syslogTcpHandler handler = new syslogTcpHandler();
-        handler.setEventSize(eventSize);
-        handler.setFormater(formaterProp);
-        handler.setKeepFields(keepFields);
-        return Channels.pipeline(handler);
-      }
-    });
 
+    serverBootstrap.setPipelineFactory(new PipelineFactory(
+        eventSize, formaterProp, keepFields, getSslEngineSupplier(false)
+    ));
     logger.info("Syslog TCP Source starting...");
 
     if (host == null) {
@@ -158,17 +156,18 @@ public class SyslogTcpSource extends AbstractSource
 
   @Override
   public void configure(Context context) {
+    configureSsl(context);
     Configurables.ensureRequiredNonNull(context,
         SyslogSourceConfigurationConstants.CONFIG_PORT);
     port = context.getInteger(SyslogSourceConfigurationConstants.CONFIG_PORT);
     host = context.getString(SyslogSourceConfigurationConstants.CONFIG_HOST);
     eventSize = context.getInteger("eventSize", SyslogUtils.DEFAULT_SIZE);
     formaterProp = context.getSubProperties(
-        SyslogSourceConfigurationConstants.CONFIG_FORMAT_PREFIX);
+      SyslogSourceConfigurationConstants.CONFIG_FORMAT_PREFIX);
     keepFields = SyslogUtils.chooseFieldsToKeep(
-        context.getString(
-            SyslogSourceConfigurationConstants.CONFIG_KEEP_FIELDS,
-            SyslogSourceConfigurationConstants.DEFAULT_KEEP_FIELDS));
+      context.getString(
+        SyslogSourceConfigurationConstants.CONFIG_KEEP_FIELDS,
+        SyslogSourceConfigurationConstants.DEFAULT_KEEP_FIELDS));
 
     if (sourceCounter == null) {
       sourceCounter = new SourceCounter(getName());
@@ -189,4 +188,35 @@ public class SyslogTcpSource extends AbstractSource
   SourceCounter getSourceCounter() {
     return sourceCounter;
   }
+
+  private class PipelineFactory implements ChannelPipelineFactory {
+    private final Integer eventSize;
+    private final Map<String, String> formaterProp;
+    private final Set<String> keepFields;
+    private Supplier<Optional<SSLEngine>> sslEngineSupplier;
+
+    public PipelineFactory(Integer eventSize, Map<String, String> formaterProp,
+        Set<String> keepFields, Supplier<Optional<SSLEngine>> sslEngineSupplier) {
+      this.eventSize = eventSize;
+      this.formaterProp = formaterProp;
+      this.keepFields = keepFields;
+      this.sslEngineSupplier = sslEngineSupplier;
+    }
+
+    @Override
+    public ChannelPipeline getPipeline() {
+      syslogTcpHandler handler = new syslogTcpHandler();
+      handler.setEventSize(eventSize);
+      handler.setFormater(formaterProp);
+      handler.setKeepFields(keepFields);
+
+      ChannelPipeline pipeline = Channels.pipeline(handler);
+
+      sslEngineSupplier.get().ifPresent(sslEngine -> {
+        pipeline.addFirst("ssl", new SslHandler(sslEngine));
+      });
+
+      return pipeline;
+    }
+  }
 }

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/ThriftSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/ThriftSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/ThriftSource.java
index 637c42e..af33cf2 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/ThriftSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/ThriftSource.java
@@ -34,7 +34,6 @@ import org.apache.flume.instrumentation.SourceCounter;
 import org.apache.flume.thrift.Status;
 import org.apache.flume.thrift.ThriftSourceProtocol;
 import org.apache.flume.thrift.ThriftFlumeEvent;
-import org.apache.flume.util.SSLUtil;
 import org.apache.thrift.TException;
 import org.apache.thrift.protocol.TCompactProtocol;
 import org.apache.thrift.protocol.TBinaryProtocol;
@@ -54,19 +53,14 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 import javax.security.sasl.Sasl;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.lang.reflect.Method;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
-import java.security.KeyStore;
-import java.security.Security;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.HashMap;
@@ -76,7 +70,8 @@ import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
 import java.security.PrivilegedAction;
 
-public class ThriftSource extends AbstractSource implements Configurable, EventDrivenSource {
+public class ThriftSource extends SslContextAwareAbstractSource
+    implements Configurable, EventDrivenSource {
 
   public static final Logger logger = LoggerFactory.getLogger(ThriftSource.class);
 
@@ -100,12 +95,6 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
   public static final String BINARY_PROTOCOL = "binary";
   public static final String COMPACT_PROTOCOL = "compact";
 
-  private static final String SSL_KEY = "ssl";
-  private static final String KEYSTORE_KEY = "keystore";
-  private static final String KEYSTORE_PASSWORD_KEY = "keystore-password";
-  private static final String KEYSTORE_TYPE_KEY = "keystore-type";
-  private static final String EXCLUDE_PROTOCOLS = "exclude-protocols";
-
   private static final String KERBEROS_KEY = "kerberos";
   private static final String AGENT_PRINCIPAL = "agent-principal";
   private static final String AGENT_KEYTAB = "agent-keytab";
@@ -117,17 +106,13 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
   private TServer server;
   private ExecutorService servingExecutor;
   private String protocol;
-  private String keystore;
-  private String keystorePassword;
-  private String keystoreType;
-  private final List<String> excludeProtocols = new LinkedList<String>();
-  private boolean enableSsl = false;
   private boolean enableKerberos = false;
   private String principal;
   private FlumeAuthenticator flumeAuth;
 
   @Override
   public void configure(Context context) {
+    configureSsl(context);
     logger.info("Configuring thrift source.");
     port = context.getInteger(CONFIG_PORT);
     Preconditions.checkNotNull(port, "Port must be specified for Thrift " +
@@ -159,34 +144,6 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
         "binary or compact are the only valid Thrift protocol types to " +
                 "choose from.");
 
-    enableSsl = context.getBoolean(SSL_KEY, false);
-    if (enableSsl) {
-      keystore = context.getString(KEYSTORE_KEY, SSLUtil.getGlobalKeystorePath());
-      keystorePassword = context.getString(KEYSTORE_PASSWORD_KEY,
-          SSLUtil.getGlobalKeystorePassword());
-      keystoreType = context.getString(KEYSTORE_TYPE_KEY, SSLUtil.getGlobalKeystoreType("JKS"));
-      String excludeProtocolsStr = context.getString(EXCLUDE_PROTOCOLS);
-      if (excludeProtocolsStr == null) {
-        excludeProtocols.add("SSLv3");
-      } else {
-        excludeProtocols.addAll(Arrays.asList(excludeProtocolsStr.split(" ")));
-        if (!excludeProtocols.contains("SSLv3")) {
-          excludeProtocols.add("SSLv3");
-        }
-      }
-      Preconditions.checkNotNull(keystore,
-              KEYSTORE_KEY + " must be specified when SSL is enabled");
-      Preconditions.checkNotNull(keystorePassword,
-              KEYSTORE_PASSWORD_KEY + " must be specified when SSL is enabled");
-      try {
-        KeyStore ks = KeyStore.getInstance(keystoreType);
-        ks.load(new FileInputStream(keystore), keystorePassword.toCharArray());
-      } catch (Exception ex) {
-        throw new FlumeException(
-                "Thrift source configured with invalid keystore: " + keystore, ex);
-      }
-    }
-
     principal = context.getString(AGENT_PRINCIPAL);
     String keytab = context.getString(AGENT_KEYTAB);
     enableKerberos = context.getBoolean(KERBEROS_KEY, false);
@@ -250,33 +207,23 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
     super.start();
   }
 
-  private String getkeyManagerAlgorithm() {
-    String algorithm = Security.getProperty(
-            "ssl.KeyManagerFactory.algorithm");
-    return (algorithm != null) ?
-            algorithm : KeyManagerFactory.getDefaultAlgorithm();
-  }
-
   private TServerTransport getSSLServerTransport() {
     try {
       TServerTransport transport;
       TSSLTransportFactory.TSSLTransportParameters params =
               new TSSLTransportFactory.TSSLTransportParameters();
 
-      params.setKeyStore(keystore, keystorePassword, getkeyManagerAlgorithm(), keystoreType);
+      params.setKeyStore(getKeystore(), getKeystorePassword(),
+          KeyManagerFactory.getDefaultAlgorithm(), getKeystoreType());
       transport = TSSLTransportFactory.getServerSocket(
               port, 120000, InetAddress.getByName(bindAddress), params);
 
       ServerSocket serverSock = ((TServerSocket) transport).getServerSocket();
       if (serverSock instanceof SSLServerSocket) {
         SSLServerSocket sslServerSock = (SSLServerSocket) serverSock;
-        List<String> enabledProtocols = new ArrayList<String>();
-        for (String protocol : sslServerSock.getEnabledProtocols()) {
-          if (!excludeProtocols.contains(protocol)) {
-            enabledProtocols.add(protocol);
-          }
-        }
-        sslServerSock.setEnabledProtocols(enabledProtocols.toArray(new String[0]));
+        SSLParameters sslParameters = sslServerSock.getSSLParameters();
+        sslServerSock.setEnabledCipherSuites(getFilteredCipherSuites(sslParameters));
+        sslServerSock.setEnabledProtocols(getFilteredProtocols(sslParameters));
       }
       return transport;
     } catch (Throwable throwable) {
@@ -303,7 +250,7 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
   }
 
   private TServer getTThreadedSelectorServer() {
-    if (enableSsl || enableKerberos) {
+    if (isSslEnabled() || enableKerberos) {
       return null;
     }
     Class<?> serverClass;
@@ -353,7 +300,7 @@ public class ThriftSource extends AbstractSource implements Configurable, EventD
 
   private TServer getTThreadPoolServer() {
     TServerTransport serverTransport;
-    if (enableSsl) {
+    if (isSslEnabled()) {
       serverTransport = getSSLServerTransport();
     } else {
       serverTransport = getTServerTransport();

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
index e9324fb..f2c881c 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
@@ -25,10 +25,9 @@ import org.apache.flume.Event;
 import org.apache.flume.EventDrivenSource;
 import org.apache.flume.conf.Configurable;
 import org.apache.flume.instrumentation.SourceCounter;
-import org.apache.flume.source.AbstractSource;
+import org.apache.flume.source.SslContextAwareAbstractSource;
 import org.apache.flume.tools.FlumeBeanConfigurator;
 import org.apache.flume.tools.HTTPServerConstraintUtil;
-import org.apache.flume.util.SSLUtil;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.SecureRequestCustomizer;
@@ -49,9 +48,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.lang.management.ManagementFactory;
-import java.util.Arrays;
 import java.util.Collections;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
@@ -79,7 +76,7 @@ import java.util.Map;
  * A JSON handler which converts JSON objects to Flume events is provided.
  *
  */
-public class HTTPSource extends AbstractSource implements
+public class HTTPSource extends SslContextAwareAbstractSource implements
         EventDrivenSource, Configurable {
   /*
    * There are 2 ways of doing this:
@@ -101,21 +98,13 @@ public class HTTPSource extends AbstractSource implements
   private HTTPSourceHandler handler;
   private SourceCounter sourceCounter;
 
-  // SSL configuration variable
-  private volatile String keyStorePath;
-  private volatile String keyStorePassword;
-  private volatile Boolean sslEnabled;
-  private final List<String> excludedProtocols = new LinkedList<String>();
-
   private Context sourceContext;
 
   @Override
   public void configure(Context context) {
+    configureSsl(context);
     sourceContext = context;
     try {
-      // SSL related config
-      sslEnabled = context.getBoolean(HTTPSourceConfigurationConstants.SSL_ENABLED, false);
-
       port = context.getInteger(HTTPSourceConfigurationConstants.CONFIG_PORT);
       host = context.getString(HTTPSourceConfigurationConstants.CONFIG_BIND,
           HTTPSourceConfigurationConstants.DEFAULT_BIND);
@@ -129,29 +118,6 @@ public class HTTPSource extends AbstractSource implements
               HTTPSourceConfigurationConstants.CONFIG_HANDLER,
               HTTPSourceConfigurationConstants.DEFAULT_HANDLER).trim();
 
-      if (sslEnabled) {
-        LOG.debug("SSL configuration enabled");
-        keyStorePath = context.getString(HTTPSourceConfigurationConstants.SSL_KEYSTORE,
-                SSLUtil.getGlobalKeystorePath());
-        Preconditions.checkArgument(keyStorePath != null && !keyStorePath.isEmpty(),
-                                    "Keystore is required for SSL Conifguration" );
-        keyStorePassword = context.getString(
-                HTTPSourceConfigurationConstants.SSL_KEYSTORE_PASSWORD,
-                SSLUtil.getGlobalKeystorePassword());
-        Preconditions.checkArgument(keyStorePassword != null,
-            "Keystore password is required for SSL Configuration");
-        String excludeProtocolsStr =
-            context.getString(HTTPSourceConfigurationConstants.EXCLUDE_PROTOCOLS);
-        if (excludeProtocolsStr == null) {
-          excludedProtocols.add("SSLv3");
-        } else {
-          excludedProtocols.addAll(Arrays.asList(excludeProtocolsStr.split(" ")));
-          if (!excludedProtocols.contains("SSLv3")) {
-            excludedProtocols.add("SSLv3");
-          }
-        }
-      }
-
       @SuppressWarnings("unchecked")
       Class<? extends HTTPSourceHandler> clazz =
               (Class<? extends HTTPSourceHandler>)
@@ -199,24 +165,25 @@ public class HTTPSource extends AbstractSource implements
     httpConfiguration.addCustomizer(new SecureRequestCustomizer());
 
     FlumeBeanConfigurator.setConfigurationFields(httpConfiguration, sourceContext);
-    ServerConnector connector;
-
-    if (sslEnabled) {
+    ServerConnector connector = getSslContextSupplier().get().map(sslContext -> {
       SslContextFactory sslCtxFactory = new SslContextFactory();
+      sslCtxFactory.setSslContext(sslContext);
+      sslCtxFactory.setExcludeProtocols(getExcludeProtocols().toArray(new String[]{}));
+      sslCtxFactory.setIncludeProtocols(getIncludeProtocols().toArray(new String[]{}));
+      sslCtxFactory.setExcludeCipherSuites(getExcludeCipherSuites().toArray(new String[]{}));
+      sslCtxFactory.setIncludeCipherSuites(getIncludeCipherSuites().toArray(new String[]{}));
+
       FlumeBeanConfigurator.setConfigurationFields(sslCtxFactory, sourceContext);
-      sslCtxFactory.setExcludeProtocols(excludedProtocols.toArray(new String[0]));
-      sslCtxFactory.setKeyStorePath(keyStorePath);
-      sslCtxFactory.setKeyStorePassword(keyStorePassword);
-      
+
       httpConfiguration.setSecurePort(port);
       httpConfiguration.setSecureScheme("https");
 
-      connector = new ServerConnector(srv,
-          new SslConnectionFactory(sslCtxFactory,HttpVersion.HTTP_1_1.asString()),
-          new HttpConnectionFactory(httpConfiguration));
-    } else {
-      connector = new ServerConnector(srv, new HttpConnectionFactory(httpConfiguration));
-    }
+      return new ServerConnector(srv,
+        new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.asString()),
+        new HttpConnectionFactory(httpConfiguration));
+    }).orElse(
+        new ServerConnector(srv, new HttpConnectionFactory(httpConfiguration))
+    );
 
     connector.setPort(port);
     connector.setHost(host);
@@ -315,4 +282,20 @@ public class HTTPSource extends AbstractSource implements
       doPost(request, response);
     }
   }
+
+  @Override
+  protected void configureSsl(Context context) {
+    handleDeprecatedParameter(context, "ssl", "enableSSL");
+    handleDeprecatedParameter(context, "exclude-protocols", "excludeProtocols");
+    handleDeprecatedParameter(context, "keystore-password", "keystorePassword");
+
+    super.configureSsl(context);
+  }
+
+  private void handleDeprecatedParameter(Context context, String newParam, String oldParam) {
+    if (!context.containsKey(newParam) && context.containsKey(oldParam)) {
+      context.put(newParam, context.getString(oldParam));
+    }
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
index f1f7a90..ff59d38 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSourceConfigurationConstants.java
@@ -35,9 +35,13 @@ public class HTTPSourceConfigurationConstants {
   public static final String DEFAULT_HANDLER =
           "org.apache.flume.source.http.JSONHandler";
 
+  @Deprecated
   public static final String SSL_KEYSTORE = "keystore";
+  @Deprecated
   public static final String SSL_KEYSTORE_PASSWORD = "keystorePassword";
+  @Deprecated
   public static final String SSL_ENABLED = "enableSSL";
+  @Deprecated
   public static final String EXCLUDE_PROTOCOLS = "excludeProtocols";
 
 }

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/test/java/org/apache/flume/source/TestMultiportSyslogTCPSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/test/java/org/apache/flume/source/TestMultiportSyslogTCPSource.java b/flume-ng-core/src/test/java/org/apache/flume/source/TestMultiportSyslogTCPSource.java
index 8155a12..f132152 100644
--- a/flume-ng-core/src/test/java/org/apache/flume/source/TestMultiportSyslogTCPSource.java
+++ b/flume-ng-core/src/test/java/org/apache/flume/source/TestMultiportSyslogTCPSource.java
@@ -30,6 +30,7 @@ import java.net.SocketAddress;
 import java.net.UnknownHostException;
 import java.nio.charset.CharacterCodingException;
 import java.nio.charset.Charset;
+import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -37,6 +38,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import java.util.function.BiConsumer;
+
 import org.apache.flume.Channel;
 import org.apache.flume.ChannelException;
 import org.apache.flume.ChannelSelector;
@@ -63,6 +66,11 @@ import org.mockito.internal.util.reflection.Whitebox;
 
 import static org.mockito.Mockito.*;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 public class TestMultiportSyslogTCPSource {
 
   private static final int getFreePort() throws IOException {
@@ -89,8 +97,9 @@ public class TestMultiportSyslogTCPSource {
   }
 
   private List<Integer> testNPorts(MultiportSyslogTCPSource source, Channel channel,
-                                   List<Event> channelEvents, int numPorts,
-                                   ChannelProcessor channelProcessor) throws IOException {
+      List<Event> channelEvents, int numPorts, ChannelProcessor channelProcessor,
+      BiConsumer<Integer, byte[]> eventSenderFuncton, Context additionalContext)
+      throws IOException {
     Context channelContext = new Context();
     channelContext.put("capacity", String.valueOf(2000));
     channelContext.put("transactionCapacity", String.valueOf(2000));
@@ -123,15 +132,12 @@ public class TestMultiportSyslogTCPSource {
     Context context = new Context();
     context.put(SyslogSourceConfigurationConstants.CONFIG_PORTS,
         ports.toString().trim());
+    context.putAll(additionalContext.getParameters());
     source.configure(context);
     source.start();
 
-    Socket syslogSocket;
     for (int i = 0; i < numPorts; i++) {
-      syslogSocket = new Socket(
-          InetAddress.getLocalHost(), portList.get(i));
-      syslogSocket.getOutputStream().write(getEvent(i));
-      syslogSocket.close();
+      eventSenderFuncton.accept(portList.get(i), getEvent(i));
     }
 
     Transaction txn = channel.getTransaction();
@@ -151,7 +157,6 @@ public class TestMultiportSyslogTCPSource {
       txn.close();
     }
 
-
     return portList;
   }
 
@@ -166,9 +171,85 @@ public class TestMultiportSyslogTCPSource {
     int numPorts = 1000;
 
     List<Integer> portList = testNPorts(source, channel, channelEvents,
-        numPorts, null);
+        numPorts, null, getSimpleEventSender(), new Context());
 
     //Since events can arrive out of order, search for each event in the array
+    processEvents(channelEvents, numPorts, portList);
+    source.stop();
+  }
+
+  /**
+   * Basic test to exercise multiple-port parsing.
+   */
+  @Test
+  public void testMultiplePortsSSL() throws Exception {
+
+    SSLContext sslContext = SSLContext.getInstance("TLS");
+    sslContext.init(null, new TrustManager[]{new X509TrustManager() {
+        @Override
+        public void checkClientTrusted(X509Certificate[] certs, String s) {
+          // nothing
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] certs, String s) {
+          // nothing
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+          return new X509Certificate[0];
+        }
+      } },
+        null);
+
+    SocketFactory socketFactory = sslContext.getSocketFactory();
+
+    Context context = new Context();
+    context.put("ssl", "true");
+    context.put("keystore", "src/test/resources/server.p12");
+    context.put("keystore-password", "password");
+    context.put("keystore-type", "PKCS12");
+
+
+    MultiportSyslogTCPSource source = new MultiportSyslogTCPSource();
+    Channel channel = new MemoryChannel();
+    List<Event> channelEvents = new ArrayList<>();
+    int numPorts = 10;
+
+    List<Integer> portList = testNPorts(source, channel, channelEvents,
+        numPorts, null, getSSLEventSender(socketFactory), context);
+
+    //Since events can arrive out of order, search for each event in the array
+    processEvents(channelEvents, numPorts, portList);
+    source.stop();
+  }
+
+  private BiConsumer<Integer, byte[]> getSSLEventSender(SocketFactory socketFactory) {
+    return (port, event) -> {
+      try {
+        Socket syslogSocket = socketFactory.createSocket(InetAddress.getLocalHost(), port);
+        syslogSocket.getOutputStream().write(event);
+        syslogSocket.close();
+      } catch (Exception e) {
+        e.printStackTrace();
+      }
+    };
+  }
+
+  private BiConsumer<Integer, byte[]> getSimpleEventSender() {
+    return (Integer port, byte[] event) -> {
+      try {
+        Socket syslogSocket = new Socket(InetAddress.getLocalHost(), port);
+        syslogSocket.getOutputStream().write(event);
+        syslogSocket.close();
+      } catch (IOException e) {
+        e.printStackTrace();
+      }
+    };
+  }
+
+  private void processEvents(List<Event> channelEvents, int numPorts, List<Integer> portList) {
     for (int i = 0; i < numPorts ; i++) {
       Iterator<Event> iter = channelEvents.iterator();
       while (iter.hasNext()) {
@@ -179,7 +260,7 @@ public class TestMultiportSyslogTCPSource {
         if (headers.containsKey(
             SyslogSourceConfigurationConstants.DEFAULT_PORT_HEADER)) {
           port = Integer.parseInt(headers.get(
-                SyslogSourceConfigurationConstants.DEFAULT_PORT_HEADER));
+              SyslogSourceConfigurationConstants.DEFAULT_PORT_HEADER));
         }
         iter.remove();
 
@@ -196,7 +277,6 @@ public class TestMultiportSyslogTCPSource {
         }
       }
     }
-    source.stop();
   }
 
   /**
@@ -442,7 +522,8 @@ public class TestMultiportSyslogTCPSource {
     doThrow(new ChannelException("dummy")).doNothing().when(cp)
         .processEventBatch(anyListOf(Event.class));
     try {
-      testNPorts(source, channel, channelEvents, 1, cp);
+      testNPorts(source, channel, channelEvents, 1, cp,
+          getSimpleEventSender(), new Context());
     } catch (Exception e) {
       //
     }

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-core/src/test/java/org/apache/flume/source/TestSyslogTcpSource.java
----------------------------------------------------------------------
diff --git a/flume-ng-core/src/test/java/org/apache/flume/source/TestSyslogTcpSource.java b/flume-ng-core/src/test/java/org/apache/flume/source/TestSyslogTcpSource.java
index fbacdec..9398707 100644
--- a/flume-ng-core/src/test/java/org/apache/flume/source/TestSyslogTcpSource.java
+++ b/flume-ng-core/src/test/java/org/apache/flume/source/TestSyslogTcpSource.java
@@ -36,15 +36,22 @@ import org.mockito.Mockito;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
-import java.net.InetAddress;
+import java.io.OutputStream;
 import java.net.InetSocketAddress;
 import java.net.Socket;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 
+import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doThrow;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 public class TestSyslogTcpSource {
   private static final org.slf4j.Logger logger =
       LoggerFactory.getLogger(TestSyslogTcpSource.class);
@@ -63,6 +70,10 @@ public class TestSyslogTcpSource {
       data1 + "\n";
 
   private void init(String keepFields) {
+    init(keepFields, new Context());
+  }
+
+  private void init(String keepFields, Context context) {
     source = new SyslogTcpSource();
     channel = new MemoryChannel();
 
@@ -75,13 +86,22 @@ public class TestSyslogTcpSource {
     rcs.setChannels(channels);
 
     source.setChannelProcessor(new ChannelProcessor(rcs));
-    Context context = new Context();
     context.put("port", String.valueOf(TEST_SYSLOG_PORT));
     context.put("keepFields", keepFields);
 
     source.configure(context);
 
   }
+
+  private void initSsl() {
+    Context context = new Context();
+    context.put("ssl", "true");
+    context.put("keystore", "src/test/resources/server.p12");
+    context.put("keystore-password", "password");
+    context.put("keystore-type", "PKCS12");
+    init("none", context);
+  }
+
   /** Tests the keepFields configuration parameter (enabled or disabled)
    using SyslogTcpSource.*/
   private void runKeepFieldsTest(String keepFields) throws IOException {
@@ -161,8 +181,8 @@ public class TestSyslogTcpSource {
   @Test
   public void testSourceCounter() throws IOException {
     runKeepFieldsTest("all");
-    Assert.assertEquals(10, source.getSourceCounter().getEventAcceptedCount());
-    Assert.assertEquals(10, source.getSourceCounter().getEventReceivedCount());
+    assertEquals(10, source.getSourceCounter().getEventAcceptedCount());
+    assertEquals(10, source.getSourceCounter().getEventReceivedCount());
   }
 
   @Test
@@ -174,7 +194,7 @@ public class TestSyslogTcpSource {
     for (int i = 0; i < 10 && source.getSourceCounter().getChannelWriteFail() == 0; i++) {
       Thread.sleep(100);
     }
-    Assert.assertEquals(1, source.getSourceCounter().getChannelWriteFail());
+    assertEquals(1, source.getSourceCounter().getChannelWriteFail());
   }
 
   @Test
@@ -186,7 +206,7 @@ public class TestSyslogTcpSource {
     for (int i = 0; i < 10 && source.getSourceCounter().getEventReadFail() == 0; i++) {
       Thread.sleep(100);
     }
-    Assert.assertEquals(1, source.getSourceCounter().getEventReadFail());
+    assertEquals(1, source.getSourceCounter().getEventReadFail());
   }
 
   private void errorCounterCommon(Exception e) throws IOException {
@@ -202,5 +222,47 @@ public class TestSyslogTcpSource {
     }
   }
 
+  @Test
+  public void testSSLMessages() throws Exception {
+    initSsl();
+
+    source.start();
+    InetSocketAddress address = source.getBoundAddress();
+
+    SSLContext sslContext = SSLContext.getInstance("TLS");
+    sslContext.init(null, new TrustManager[]{new X509TrustManager() {
+        @Override
+        public void checkClientTrusted(X509Certificate[] certs, String s) {
+          // nothing
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] certs, String s) {
+          // nothing
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+          return new X509Certificate[0];
+        }
+      } },
+        null);
+    SocketFactory socketFactory = sslContext.getSocketFactory();
+    Socket socket = socketFactory.createSocket();
+    socket.connect(address);
+    OutputStream outputStream = socket.getOutputStream();
+    outputStream.write(bodyWithTandH.getBytes());
+    socket.close();
+   // Thread.sleep(100);
+    Transaction transaction = channel.getTransaction();
+    transaction.begin();
+
+    Event event = channel.take();
+    assertEquals(new String(event.getBody()), data1);
+    transaction.commit();
+    transaction.close();
+
+  }
+
 }
 

http://git-wip-us.apache.org/repos/asf/flume/blob/965e1326/flume-ng-doc/sphinx/FlumeUserGuide.rst
----------------------------------------------------------------------
diff --git a/flume-ng-doc/sphinx/FlumeUserGuide.rst b/flume-ng-doc/sphinx/FlumeUserGuide.rst
index 16adc79..9d163c7 100644
--- a/flume-ng-doc/sphinx/FlumeUserGuide.rst
+++ b/flume-ng-doc/sphinx/FlumeUserGuide.rst
@@ -755,19 +755,21 @@ SSL/TLS support
 Several Flume components support the SSL/TLS protocols in order to communicate with other systems
 securely.
 
-===============  ======================
-Component        SSL server or client
-===============  ======================
-Avro Source      server
-Avro Sink        client
-Thrift Source    server
-Thrift Sink      client
-Kafka Source     client
-Kafka Channel    client
-Kafka Sink       client
-HTTP Source      server
-JMS Source       client
-===============  ======================
+===========================  ======================
+Component                    SSL server or client
+===========================  ======================
+Avro Source                  server
+Avro Sink                    client
+Thrift Source                server
+Thrift Sink                  client
+Kafka Source                 client
+Kafka Channel                client
+Kafka Sink                   client
+HTTP Source                  server
+JMS Source                   client
+Syslog TCP Source            server
+Multiport Syslog TCP Source  server
+===========================  ======================
 
 The SSL compatible components have several configuration parameters to set up SSL, like
 enable SSL flag, keystore / truststore parameters (location, password, type) and additional
@@ -799,6 +801,12 @@ javax.net.ssl.keyStoreType          FLUME_SSL_KEYSTORE_TYPE          Keystore ty
 javax.net.ssl.trustStore            FLUME_SSL_TRUSTSTORE_PATH        Truststore location
 javax.net.ssl.trustStorePassword    FLUME_SSL_TRUSTSTORE_PASSWORD    Truststore password
 javax.net.ssl.trustStoreType        FLUME_SSL_TRUSTSTORE_TYPE        Truststore type (by default JKS)
+flume.ssl.include.protocols         FLUME_SSL_INCLUDE_PROTOCOLS      Protocols to include when calculating enabled protocols. A comma (,) separated list.
+                                                                     Excluded protocols will be excluded from this list if provided.
+flume.ssl.exclude.protocols         FLUME_SSL_EXCLUDE_PROTOCOLS      Protocols to exclude when calculating enabled protocols. A comma (,) separated list.
+flume.ssl.include.cipherSuites      FLUME_SSL_INCLUDE_CIPHERSUITES   Cipher suites to include when calculating enabled cipher suites. A comma (,) separated list.
+                                                                     Excluded cipher suites will be excluded from this list if provided.
+flume.ssl.exclude.cipherSuites      FLUME_SSL_EXCLUDE_CIPHERSUITES   Cipher suites to exclude when calculating enabled cipher suites. A comma (,) separated list.
 ==================================  ===============================  ==================================
 
 The SSL system properties can either be passed on the command line or by setting the ``JAVA_OPTS``
@@ -856,36 +864,44 @@ When paired with the built-in Avro Sink on another (previous hop) Flume agent,
 it can create tiered collection topologies.
 Required properties are in **bold**.
 
-==================   ================  ===================================================
-Property Name        Default           Description
-==================   ================  ===================================================
-**channels**         --
-**type**             --                The component type name, needs to be ``avro``
-**bind**             --                hostname or IP address to listen on
-**port**             --                Port # to bind to
-threads              --                Maximum number of worker threads to spawn
+===================   ================  ===================================================
+Property Name         Default           Description
+===================   ================  ===================================================
+**channels**          --
+**type**              --                The component type name, needs to be ``avro``
+**bind**              --                hostname or IP address to listen on
+**port**              --                Port # to bind to
+threads               --                Maximum number of worker threads to spawn
 selector.type
 selector.*
-interceptors         --                Space-separated list of interceptors
+interceptors          --                Space-separated list of interceptors
 interceptors.*
-compression-type     none              This can be "none" or "deflate".  The compression-type must match the compression-type of matching AvroSource
-ssl                  false             Set this to true to enable SSL encryption. If SSL is enabled,
-                                       you must also specify a "keystore" and a "keystore-password",
-                                       either through component level parameters (see below)
-                                       or as global SSL parameters (see `SSL/TLS support`_ section).
-keystore             --                This is the path to a Java keystore file.
-                                       If not specified here, then the global keystore will be used
-                                       (if defined, otherwise configuration error).
-keystore-password    --                The password for the Java keystore.
-                                       If not specified here, then the global keystore password will be used
-                                       (if defined, otherwise configuration error).
-keystore-type        JKS               The type of the Java keystore. This can be "JKS" or "PKCS12".
-                                       If not specified here, then the global keystore type will be used
-                                       (if defined, otherwise the default is JKS).
-exclude-protocols    SSLv3             Space-separated list of SSL/TLS protocols to exclude. SSLv3 will always be excluded in addition to the protocols specified.
-ipFilter             false             Set this to true to enable ipFiltering for netty
-ipFilterRules        --                Define N netty ipFilter pattern rules with this config.
-==================   ================  ===================================================
+compression-type      none              This can be "none" or "deflate".  The compression-type must match the compression-type of matching AvroSource
+ssl                   false             Set this to true to enable SSL encryption. If SSL is enabled,
+                                        you must also specify a "keystore" and a "keystore-password",
+                                        either through component level parameters (see below)
+                                        or as global SSL parameters (see `SSL/TLS support`_ section).
+keystore              --                This is the path to a Java keystore file.
+                                        If not specified here, then the global keystore will be used
+                                        (if defined, otherwise configuration error).
+keystore-password     --                The password for the Java keystore.
+                                        If not specified here, then the global keystore password will be used
+                                        (if defined, otherwise configuration error).
+keystore-type         JKS               The type of the Java keystore. This can be "JKS" or "PKCS12".
+                                        If not specified here, then the global keystore type will be used
+                                        (if defined, otherwise the default is JKS).
+exclude-protocols     SSLv3             Space-separated list of SSL/TLS protocols to exclude.
+                                        SSLv3 will always be excluded in addition to the protocols specified.
+include-protocols     --                Space-separated list of SSL/TLS protocols to include.
+                                        The enabled protocols will be the included protocols without the excluded protocols.
+                                        If included-protocols is empty, it includes every supported protocols.
+exclude-cipher-suites --                Space-separated list of cipher suites to exclude.
+include-cipher-suites --                Space-separated list of cipher suites to include.
+                                        The enabled cipher suites will be the included cipher suites without the excluded cipher suites.
+                                        If included-cipher-suites is empty, it includes every supported cipher suites.
+ipFilter              false             Set this to true to enable ipFiltering for netty
+ipFilterRules         --                Define N netty ipFilter pattern rules with this config.
+==================    ================  ===================================================
 
 Example for agent named a1:
 
@@ -924,36 +940,44 @@ agent-principal and agent-keytab are the properties used by the
 Thrift source to authenticate to the kerberos KDC.
 Required properties are in **bold**.
 
-==================   ===========  ==================================================================
-Property Name        Default      Description
-==================   ===========  ==================================================================
-**channels**         --
-**type**             --           The component type name, needs to be ``thrift``
-**bind**             --           hostname or IP address to listen on
-**port**             --           Port # to bind to
-threads              --           Maximum number of worker threads to spawn
+===================   ===========  ==================================================================
+Property Name         Default      Description
+===================   ===========  ==================================================================
+**channels**          --
+**type**              --           The component type name, needs to be ``thrift``
+**bind**              --           hostname or IP address to listen on
+**port**              --           Port # to bind to
+threads               --           Maximum number of worker threads to spawn
 selector.type
 selector.*
-interceptors         --           Space separated list of interceptors
+interceptors          --           Space separated list of interceptors
 interceptors.*
-ssl                  false        Set this to true to enable SSL encryption. If SSL is enabled,
-                                  you must also specify a "keystore" and a "keystore-password",
-                                  either through component level parameters (see below)
-                                  or as global SSL parameters (see `SSL/TLS support`_ section)
-keystore             --           This is the path to a Java keystore file.
-                                  If not specified here, then the global keystore will be used
-                                  (if defined, otherwise configuration error).
-keystore-password    --           The password for the Java keystore.
-                                  If not specified here, then the global keystore password will be used
-                                  (if defined, otherwise configuration error).
-keystore-type        JKS          The type of the Java keystore. This can be "JKS" or "PKCS12".
-                                  If not specified here, then the global keystore type will be used
-                                  (if defined, otherwise the default is JKS).
-exclude-protocols    SSLv3        Space-separated list of SSL/TLS protocols to exclude. SSLv3 will always be excluded in addition to the protocols specified.
-kerberos             false        Set to true to enable kerberos authentication. In kerberos mode, agent-principal and agent-keytab  are required for successful authentication. The Thrift source in secure mode, will accept connections only from Thrift clients that have kerberos enabled and are successfully authenticated to the kerberos KDC.
-agent-principal      --           The kerberos principal used by the Thrift Source to authenticate to the kerberos KDC.
-agent-keytab         —-           The keytab location used by the Thrift Source in combination with the agent-principal to authenticate to the kerberos KDC.
-==================   ===========  ==================================================================
+ssl                   false        Set this to true to enable SSL encryption. If SSL is enabled,
+                                   you must also specify a "keystore" and a "keystore-password",
+                                   either through component level parameters (see below)
+                                   or as global SSL parameters (see `SSL/TLS support`_ section)
+keystore              --           This is the path to a Java keystore file.
+                                   If not specified here, then the global keystore will be used
+                                   (if defined, otherwise configuration error).
+keystore-password     --           The password for the Java keystore.
+                                   If not specified here, then the global keystore password will be used
+                                   (if defined, otherwise configuration error).
+keystore-type         JKS          The type of the Java keystore. This can be "JKS" or "PKCS12".
+                                   If not specified here, then the global keystore type will be used
+                                   (if defined, otherwise the default is JKS).
+exclude-protocols     SSLv3        Space-separated list of SSL/TLS protocols to exclude.
+                                   SSLv3 will always be excluded in addition to the protocols specified.
+include-protocols     --           Space-separated list of SSL/TLS protocols to include.
+                                   The enabled protocols will be the included protocols without the excluded protocols.
+                                   If included-protocols is empty, it includes every supported protocols.
+exclude-cipher-suites --           Space-separated list of cipher suites to exclude.
+include-cipher-suites --           Space-separated list of cipher suites to include.
+                                   The enabled cipher suites will be the included cipher suites without the excluded cipher suites.
+
+kerberos              false        Set to true to enable kerberos authentication. In kerberos mode, agent-principal and agent-keytab  are required for successful authentication. The Thrift source in secure mode, will accept connections only from Thrift clients that have kerberos enabled and are successfully authenticated to the kerberos KDC.
+agent-principal       --           The kerberos principal used by the Thrift Source to authenticate to the kerberos KDC.
+agent-keytab          —-           The keytab location used by the Thrift Source in combination with the agent-principal to authenticate to the kerberos KDC.
+===================   ===========  ==================================================================
 
 Example for agent named a1:
 
@@ -1770,26 +1794,48 @@ Syslog TCP Source
 
 The original, tried-and-true syslog TCP source.
 
-==============   ===========  ==============================================
-Property Name    Default      Description
-==============   ===========  ==============================================
-**channels**     --
-**type**         --           The component type name, needs to be ``syslogtcp``
-**host**         --           Host name or IP address to bind to
-**port**         --           Port # to bind to
-eventSize        2500         Maximum size of a single event line, in bytes
-keepFields       none         Setting this to 'all' will preserve the Priority,
-                              Timestamp and Hostname in the body of the event.
-                              A spaced separated list of fields to include
-                              is allowed as well. Currently, the following
-                              fields can be included: priority, version,
-                              timestamp, hostname. The values 'true' and 'false'
-                              have been deprecated in favor of 'all' and 'none'.
-selector.type                 replicating or multiplexing
-selector.*       replicating  Depends on the selector.type value
-interceptors     --           Space-separated list of interceptors
+===================   ===========  ==============================================
+Property Name         Default      Description
+===================   ===========  ==============================================
+**channels**          --
+**type**              --           The component type name, needs to be ``syslogtcp``
+**host**              --           Host name or IP address to bind to
+**port**              --           Port # to bind to
+eventSize             2500         Maximum size of a single event line, in bytes
+keepFields            none         Setting this to 'all' will preserve the Priority,
+                                   Timestamp and Hostname in the body of the event.
+                                   A spaced separated list of fields to include
+                                   is allowed as well. Currently, the following
+                                   fields can be included: priority, version,
+                                   timestamp, hostname. The values 'true' and 'false'
+                                   have been deprecated in favor of 'all' and 'none'.
+selector.type                      replicating or multiplexing
+selector.*            replicating  Depends on the selector.type value
+interceptors          --           Space-separated list of interceptors
 interceptors.*
-==============   ===========  ==============================================
+ssl                   false        Set this to true to enable SSL encryption. If SSL is enabled,
+                                   you must also specify a "keystore" and a "keystore-password",
+                                   either through component level parameters (see below)
+                                   or as global SSL parameters (see `SSL/TLS support`_ section).
+keystore              --           This is the path to a Java keystore file.
+                                   If not specified here, then the global keystore will be used
+                                   (if defined, otherwise configuration error).
+keystore-password     --           The password for the Java keystore.
+                                   If not specified here, then the global keystore password will be used
+                                   (if defined, otherwise configuration error).
+keystore-type         JKS          The type of the Java keystore. This can be "JKS" or "PKCS12".
+                                   If not specified here, then the global keystore type will be used
+                                   (if defined, otherwise the default is JKS).
+exclude-protocols     SSLv3        Space-separated list of SSL/TLS protocols to exclude.
+                                   SSLv3 will always be excluded in addition to the protocols specified.
+include-protocols     --           Space-separated list of SSL/TLS protocols to include.
+                                   The enabled protocols will be the included protocols without the excluded protocols.
+                                   If included-protocols is empty, it includes every supported protocols.
+exclude-cipher-suites --           Space-separated list of cipher suites to exclude.
+include-cipher-suites --           Space-separated list of cipher suites to include.
+                                   The enabled cipher suites will be the included cipher suites without the excluded cipher suites.
+                                   If included-cipher-suites is empty, it includes every supported cipher suites.
+===================   ===========  ==============================================
 
 For example, a syslog TCP source for agent named a1:
 
@@ -1838,6 +1884,28 @@ selector.type         replicating       replicating, multiplexing, or custom
 selector.*            --                Depends on the ``selector.type`` value
 interceptors          --                Space-separated list of interceptors.
 interceptors.*
+ssl                   false             Set this to true to enable SSL encryption. If SSL is enabled,
+                                        you must also specify a "keystore" and a "keystore-password",
+                                        either through component level parameters (see below)
+                                        or as global SSL parameters (see `SSL/TLS support`_ section).
+keystore              --                This is the path to a Java keystore file.
+                                        If not specified here, then the global keystore will be used
+                                        (if defined, otherwise configuration error).
+keystore-password     --                The password for the Java keystore.
+                                        If not specified here, then the global keystore password will be used
+                                        (if defined, otherwise configuration error).
+keystore-type         JKS               The type of the Java keystore. This can be "JKS" or "PKCS12".
+                                        If not specified here, then the global keystore type will be used
+                                        (if defined, otherwise the default is JKS).
+exclude-protocols     SSLv3             Space-separated list of SSL/TLS protocols to exclude.
+                                        SSLv3 will always be excluded in addition to the protocols specified.
+include-protocols     --                Space-separated list of SSL/TLS protocols to include.
+                                        The enabled protocols will be the included protocols without the excluded protocols.
+                                        If included-protocols is empty, it includes every supported protocols.
+exclude-cipher-suites --                Space-separated list of cipher suites to exclude.
+include-cipher-suites --                Space-separated list of cipher suites to include.
+                                        The enabled cipher suites will be the included cipher suites without the excluded cipher suites.
+                                        If included-cipher-suites is empty, it includes every supported cipher suites.
 ====================  ================  ==============================================
 
 For example, a multiport syslog TCP source for agent named a1:
@@ -1913,24 +1981,42 @@ selector.type         replicating                                   replicating
 selector.*                                                          Depends on the selector.type value
 interceptors          --                                            Space-separated list of interceptors
 interceptors.*
-enableSSL             false                                         Set the property true, to enable SSL. *HTTP Source does not support SSLv3.*
-excludeProtocols      SSLv3                                         Space-separated list of SSL/TLS protocols to exclude. SSLv3 is always excluded.
+ssl                   false                                         Set the property true, to enable SSL. *HTTP Source does not support SSLv3.*
+exclude-protocols     SSLv3                                         Space-separated list of SSL/TLS protocols to exclude.
+                                                                    SSLv3 will always be excluded in addition to the protocols specified.
+include-protocols     --                                            Space-separated list of SSL/TLS protocols to include.
+                                                                    The enabled protocols will be the included protocols without the excluded protocols.
+                                                                    If included-protocols is empty, it includes every supported protocols.
+exclude-cipher-suites --                                            Space-separated list of cipher suites to exclude.
+include-cipher-suites --                                            Space-separated list of cipher suites to include.
+                                                                    The enabled cipher suites will be the included cipher suites without the excluded cipher suites.
 keystore                                                            Location of the keystore including keystore file name.
                                                                     If SSL is enabled but the keystore is not specified here,
                                                                     then the global keystore will be used
                                                                     (if defined, otherwise configuration error).
-keystorePassword                                                    Keystore password.
+keystore-password                                                   Keystore password.
                                                                     If SSL is enabled but the keystore password is not specified here,
                                                                     then the global keystore password will be used
                                                                     (if defined, otherwise configuration error).
+keystore-type         JKS                                           Keystore type. This can be "JKS" or "PKCS12".
 QueuedThreadPool.*                                                  Jetty specific settings to be set on org.eclipse.jetty.util.thread.QueuedThreadPool.
                                                                     N.B. QueuedThreadPool will only be used if at least one property of this class is set.
 HttpConfiguration.*                                                 Jetty specific settings to be set on org.eclipse.jetty.server.HttpConfiguration
 SslContextFactory.*                                                 Jetty specific settings to be set on org.eclipse.jetty.util.ssl.SslContextFactory (only
-                                                                    applicable when *enableSSL* is set to true).
+                                                                    applicable when *ssl* is set to true).
 ServerConnector.*                                                   Jetty specific settings to be set on org.eclipse.jetty.server.ServerConnector
 =========================================================================================================================================================
 
+Deprecated Properties
+
+===============================  ===================  =============================================================================================
+Property Name                    Default              Description
+===============================  ===================  =============================================================================================
+keystorePassword                 --                   Use *keystore-password*. Deprecated value will be overwritten with the new one.
+excludeProtocols                 SSLv3                Use *exclude-protocols*. Deprecated value will be overwritten with the new one.
+enableSSL                        false                Use *ssl*. Deprecated value will be overwritten with the new one.
+===============================  ===================  =============================================================================================
+
 N.B. Jetty-specific settings are set using the setter-methods on the objects listed above. For full details see the Javadoc for these classes
 (`QueuedThreadPool <http://www.eclipse.org/jetty/javadoc/9.4.6.v20170531/org/eclipse/jetty/util/thread/QueuedThreadPool.html>`_,
 `HttpConfiguration <http://www.eclipse.org/jetty/javadoc/9.4.6.v20170531/org/eclipse/jetty/server/HttpConfiguration.html>`_,


Mime
View raw message