zookeeper-dev mailing list archives

From "Abraham Fine (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Tue, 14 Mar 2017 05:13:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15923591#comment-15923591 ]

Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------

Hi [~geek101]-

bq. Need for separate SSL config for client to server and quorum peer to quorum peer. Changes
to X509Util and ZKConfig are for this.
Totally agree.

bq. Need for Hostname verification and CRL lists at least for quorum peer to quorum peer SSL
would mean that we will need X509ExtendedTrustManager hence the reason for ZKX509TrustManager
class and its helpers.
I'm not sure I agree with this one. I uploaded a new commit on my PR showing that hostname
verification can be implemented outside of the trust manager (since hostname verification
is not part of SSL). I think it is easier this way because we often do not know which ZooKeeper
sid is connecting until some information is transferred. In addition, I thought CRL is implemented
completely outside of application logic (see: http://stackoverflow.com/questions/8506661/check-x509-certificate-revocation-status-in-spring-security-before-authenticatin/8507905#8507905).
I could be very wrong though. Still need to test this.

bq. Hostname verification will need hostname to be supplied at SSLEngine creation time if
reverse DNS lookup is not desired. I do not have this either.
For client <-> server I think this is true. We could move this into another patch, as
this would be outside the scope of the JIRA.

Please take a look at my latest changes and let me know what you think. I still have not implemented
separating the client and server configurations. That should be coming soon.

Thanks,
Abe

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
> ZooKeeper servers. For the most part this is a very easy change. We would probably only want
> to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
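
Added example, not code from the pull request or from ZooKeeper: a sketch of the approach discussed in the comment, where the hostname check runs after the TLS handshake, once the peer has announced its sid, instead of inside the trust manager. The class name `QuorumPeerHostVerifier` and the sid-to-hostname map are hypothetical; the map is assumed to be built from the configured server list.

```java
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper: binds the sid a peer announces to the name in its certificate. */
public final class QuorumPeerHostVerifier {
    private static final int SAN_DNS_NAME = 2; // GeneralName type for dNSName (RFC 5280)

    private final Map<Long, String> expectedHostBySid; // assumption: from the server list

    public QuorumPeerHostVerifier(Map<Long, String> expectedHostBySid) {
        this.expectedHostBySid = expectedHostBySid;
    }

    /** Call after the peer has sent its sid over the TLS connection; close the socket on failure. */
    public void verify(SSLSocket socket, long sid)
            throws SSLPeerUnverifiedException, CertificateException {
        String expected = expectedHostBySid.get(sid);
        if (expected == null) {
            throw new CertificateException("unknown sid " + sid);
        }
        // Chain validation already happened in the TrustManager during the handshake.
        X509Certificate leaf =
                (X509Certificate) socket.getSession().getPeerCertificates()[0];
        if (!matches(leaf, expected)) {
            throw new CertificateException("certificate does not name " + expected);
        }
    }

    /** Exact, case-insensitive match on dNSName SAN entries; no wildcards, no CN fallback. */
    static boolean matches(X509Certificate cert, String expected)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // certificate carries no SAN extension
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == SAN_DNS_NAME
                    && expected.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }
}
```

Without this binding, a peer holding any certificate the trust store accepts could announce another server's sid.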
