Return-Path: <dev-return-57595-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 9FB42200C38
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 15 Mar 2017 19:14:52 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 9E3D9160B60; Wed, 15 Mar 2017 18:14:52 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id B30B2160B78
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 15 Mar 2017 19:14:51 +0100 (CET)
Received: (qmail 2752 invoked by uid 500); 15 Mar 2017 18:14:50 -0000
Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@zookeeper.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@zookeeper.apache.org>
List-Post: <mailto:dev@zookeeper.apache.org>
List-Id: <dev.zookeeper.apache.org>
Reply-To: dev@zookeeper.apache.org
Delivered-To: mailing list dev@zookeeper.apache.org
Received: (qmail 2739 invoked by uid 99); 15 Mar 2017 18:14:50 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 15 Mar 2017 18:14:50 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 3EE0DC0840
	for <dev@zookeeper.apache.org>; Wed, 15 Mar 2017 18:14:50 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.451
X-Spam-Level: *
X-Spam-Status: No, score=1.451 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001,
	SPF_NEUTRAL=0.652] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id 6o2pOMtarRBK for <dev@zookeeper.apache.org>;
	Wed, 15 Mar 2017 18:14:49 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id D033C5FCD1
	for <dev@zookeeper.apache.org>; Wed, 15 Mar 2017 18:14:48 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 481C7E0B4A
	for <dev@zookeeper.apache.org>; Wed, 15 Mar 2017 18:14:43 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 50D99243D2
	for <dev@zookeeper.apache.org>; Wed, 15 Mar 2017 18:14:42 +0000 (UTC)
Date: Wed, 15 Mar 2017 18:14:42 +0000 (UTC)
From: "Abraham Fine (JIRA)" <jira@apache.org>
To: dev@zookeeper.apache.org
Message-ID: <JIRA.12409148.1227561459000.29469.1489601682329@Atlassian.JIRA>
In-Reply-To: <JIRA.12409148.1227561459000@Atlassian.JIRA>
References: <JIRA.12409148.1227561459000@Atlassian.JIRA> <JIRA.12409148.1227561459207@jira-lw-us.apache.org>
Subject: [jira] [Comment Edited] (ZOOKEEPER-236) SSL Support for Atomic
 Broadcast protocol
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 15 Mar 2017 18:14:52 -0000


    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15926674#comment-15926674 ] 

Abraham Fine edited comment on ZOOKEEPER-236 at 3/15/17 6:14 PM:
-----------------------------------------------------------------

[~geek101]-

bq. One way to go is to minimize changes to Leader.java, Follower.java, Learner.java etc
I agree. That will make understanding those classes much easier

bq.  I do not think it mentions this should be not be done at cert verification time nor should we allow exchange of application bits when the certificate is not what we expected it to be.
So the issue is more zookeeper specific I think. Imagine the case where, and I know this is very contrived but I think the principal is valid, we have 3 zk servers all running on the same host with different ports. We have 3 dns records pointing to this machine with different names, say zk1, zk2, and zk3. Each zkX has a certificate with the zkX common name. Our zookeeper configuration identifies these servers by the correct name server.1=zk1... When one of these servers connects to the server socket on the other I do not think it is possible for the "server" to tell which zkX connected until the sid is read from the socket unless we want to start doing reverse dns lookups. I would rather just use the hostname we already know about. That is why I think we cannot do hostname verification in the trust manager.Please let me know if I am missing something.

bq. I am fine with either OSCP or CRL verification as long as the admin is aware of how this affects the latency of session setup and reliability of the Quorum since they are all perhaps talking to one entity(hopefully not) for this to work.
I agree. We need to document this drawbacks clearly.

bq. Also I noticed the ZOOKEEPER-2184 could be addressed by some of my plumbing changes that pass the configured hostname around along with the resolved ip address. 
There is an active PR for this so I don't think we need to address it in this patch.

bq. It is best to combine the PRs into one so we can collaborate and increase the velocity.
I agree.

bq.  I would like to suggest that we use X509ExtendedTrustManager
If the concerns I listed above with hostname verification can be addressed I would be open to this.

bq. I would like to keep the BC helper code
What do you mean by bc helper code?

bq.  I lean towards just changing Socket() calls to something else but not adding any more code to Leader.java, Follower.java, Learner.java etc.
Sounds like a good idea. Once we get the implementation details flushed out there will be plenty of refactoring to clean this stuff up.

Thanks,
Abe





was (Author: abrahamfine):
[~geek101]-

bq. One way to go is to minimize changes to Leader.java, Follower.java, Learner.java etc
I agree. That will make understanding those classes much easier

bq.  I do not think it mentions this should be not be done at cert verification time nor should we allow exchange of application bits when the certificate is not what we expected it to be.
So the issue is more zookeeper specific I think. Imagine the case where, and I know this is very contrived but I think the principal is valid, we have 3 zk servers all running on the same host with different ports. We have 3 dns records pointing to this machine with different names, say zk1, zk2, and zk3. Each zkX has a certificate with the zkX common name. Our zookeeper configuration identifies these servers by the correct name server.1=zk1... When one of these servers connects to the server socket on the other I do not think it is possible for the "server" to tell which zkX connected until the sid is read from the socket. That is why I think we cannot do hostname verification in the trust manager.

bq. I am fine with either OSCP or CRL verification as long as the admin is aware of how this affects the latency of session setup and reliability of the Quorum since they are all perhaps talking to one entity(hopefully not) for this to work.
I agree. We need to document this drawbacks clearly.

bq. Also I noticed the ZOOKEEPER-2184 could be addressed by some of my plumbing changes that pass the configured hostname around along with the resolved ip address. 
There is an active PR for this so I don't think we need to address it in this patch.

bq. It is best to combine the PRs into one so we can collaborate and increase the velocity.
I agree.

bq.  I would like to suggest that we use X509ExtendedTrustManager
If the concerns I listed above with hostname verification can be addressed I would be open to this.

bq. I would like to keep the BC helper code
What do you mean by bc helper code?

bq.  I lean towards just changing Socket() calls to something else but not adding any more code to Leader.java, Follower.java, Learner.java etc.
Sounds like a good idea. Once we get the implementation details flushed out there will be plenty of refactoring to clean this stuff up.

Thanks,
Abe




> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between ZooKeeper servers. For the most part this is a very easy change. We would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)