zookeeper-dev mailing list archives

From "Abraham Fine (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Fri, 17 Mar 2017 22:20:41 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15930825#comment-15930825 ]

Abraham Fine edited comment on ZOOKEEPER-236 at 3/17/17 10:20 PM:
------------------------------------------------------------------

Hi [~geek101]-

bq. Regarding host verification one other way to go is to follow this: X509ExtendedTrustManager mentions about where to plug in host verification, it specifically quotes:

Let me know if this is what you had in mind. We do not need to subclass `X509ExtendedTrustManager`
ourselves to get this to work, since the `X509TrustManagerImpl` object generated by the PKIX
trustmanager factory (and x509 as well I think) extends `X509ExtendedTrustManager` already.
If endpoint verification is set on the sslParameters of the sslSocket we get endpoint verification
for free in `X509ExtendedTrustManager`. The issue is that we are limited to the built-in implementations
of endpoint verification but I think the "https" algorithm is sufficient for our use case.

I implemented this here: https://github.com/apache/zookeeper/pull/184/commits/bebe09660f652f243e746905460ecbdffe2d155e


was (Author: abrahamfine):
Hi [~geek101]-

bq. Regarding host verification one other way to go is to follow this: X509ExtendedTrustManager mentions about where to plug in host verification, it specifically quotes:

Let me know if this is what you had in mind. We do not need to subclass `X509ExtendedTrustManager`
ourselves to get this to work, since the `X509TrustManagerImpl` object generated by the PKIX
trustmanager factory (and x509 as well I think) extends `X509ExtendedTrustManager` already.
If endpoint verification is set on the sslParameters of the sslSocket we get endpoint verification
for free in `X509ExtendedTrustManager`. The issue is that we are limited to the built-in implementations
of endpoint verification but I think the "https" algorithm is sufficient for our use case.
 

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
> ZooKeeper servers. For the most part this is a very easy change. We would probably only want
> to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
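
The approach described in the comment above, as an added example that is not part of the original message and is not the code from the linked pull request: the stock PKIX trust manager is used unchanged and hostname checking is switched on through the socket's `SSLParameters`. The class name `EndpointVerificationExample`, the method names and the optional host/port arguments are hypothetical.

```java
import java.net.InetSocketAddress;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class and method names; this is not ZooKeeper code.
public class EndpointVerificationExample {

    // Build a client-side context from the stock PKIX factory, with no custom subclass.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore); // null selects the JRE default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            // Endpoint checks are done by the socket-aware (extended) trust manager.
            if (!(tm instanceof X509ExtendedTrustManager)) {
                throw new IllegalStateException("no endpoint checks in " + tm.getClass());
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Create an unconnected socket with the built-in "HTTPS" endpoint identification enabled.
    static SSLSocket verifyingSocket(SSLContext ctx) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // null (no check) by default
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        try (SSLSocket socket = verifyingSocket(contextFor(null))) {
            System.out.println("endpoint identification: "
                    + socket.getSSLParameters().getEndpointIdentificationAlgorithm());
            if (args.length == 2) { // optional: host and port of a TLS peer to test against
                socket.connect(new InetSocketAddress(args[0], Integer.parseInt(args[1])), 5000);
                // Throws SSLHandshakeException if the chain is untrusted or the
                // certificate does not match the host name in args[0].
                socket.startHandshake();
                System.out.println("certificate matches " + args[0]);
            }
        }
    }
}
```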
