zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Mon, 01 May 2017 18:03:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991198#comment-15991198
] 

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r114166502
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -160,43 +213,120 @@ public static X509KeyManager createKeyManager(String keyStoreLocation,
String ke
                 }
                 throw new KeyManagerException("Couldn't find X509KeyManager");
     
    -        } catch (Exception e) {
    -            throw new KeyManagerException(e);
    +        } catch (IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException
    +                keyManagerCreationException) {
    +            throw new KeyManagerException(keyManagerCreationException);
             } finally {
                 if (inputStream != null) {
                     try {
                         inputStream.close();
    -                } catch (IOException e) {}
    +                } catch (IOException ioException) {
    +                    LOG.info("Failed to close key store input stream", ioException);
    +                }
                 }
             }
         }
     
    -    public static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword)
    +    public static X509TrustManager createTrustManager(String trustStoreLocation, String
trustStorePassword,
    +                                                      boolean crlEnabled, boolean ocspEnabled,
    +                                                      final boolean hostnameVerificationEnabled,
    +                                                      final boolean shouldVerifyClientHostname)
                 throws TrustManagerException {
             FileInputStream inputStream = null;
             try {
    -            char[] trustStorePasswordChars = trustStorePassword.toCharArray();
                 File trustStoreFile = new File(trustStoreLocation);
                 KeyStore ts = KeyStore.getInstance("JKS");
                 inputStream = new FileInputStream(trustStoreFile);
    -            ts.load(inputStream, trustStorePasswordChars);
    -            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    -            tmf.init(ts);
    +            if (trustStorePassword != null) {
    +                char[] trustStorePasswordChars = trustStorePassword.toCharArray();
    +                ts.load(inputStream, trustStorePasswordChars);
    +            } else {
    +                ts.load(inputStream, null);
    +            }
     
    -            for (TrustManager tm : tmf.getTrustManagers()) {
    -                if (tm instanceof X509TrustManager) {
    -                    return (X509TrustManager) tm;
    +            PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector());
    +            if (crlEnabled || ocspEnabled) {
    +                pbParams.setRevocationEnabled(true);
    +                System.setProperty("com.sun.net.ssl.checkRevocation", "true");
    +                System.setProperty("com.sun.security.enableCRLDP", "true");
    +                if (ocspEnabled) {
    +                    Security.setProperty("ocsp.enable", "true");
    +                }
    +
    +            } else {
    +                pbParams.setRevocationEnabled(false);
    +            }
    +
    +            // Revocation checking is only supported with the PKIX algorithm
    +            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
    +            tmf.init(new CertPathTrustManagerParameters(pbParams));
    +
    +            for (final TrustManager tm : tmf.getTrustManagers()) {
    +                if (tm instanceof X509ExtendedTrustManager) {
    +                    return new ZKTrustManager((X509ExtendedTrustManager) tm, hostnameVerificationEnabled,
shouldVerifyClientHostname);
                     }
                 }
                 throw new TrustManagerException("Couldn't find X509TrustManager");
    -        } catch (Exception e) {
    -            throw new TrustManagerException(e);
    +        } catch (IOException|CertificateException|NoSuchAlgorithmException|InvalidAlgorithmParameterException|KeyStoreException
    +                 trustManagerCreationException) {
    +            throw new TrustManagerException(trustManagerCreationException);
             } finally {
                 if (inputStream != null) {
                     try {
                         inputStream.close();
    -                } catch (IOException e) {}
    +                } catch (IOException ioException) {
    +                    LOG.info("failed to close TrustStore input stream", ioException);
    +                }
                 }
             }
         }
    -}
    \ No newline at end of file
    +
    +    public SSLSocket createSSLSocket() throws X509Exception, IOException {
    +        SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket();
    +        configureSSLSocket(sslSocket);
    +
    +        return sslSocket;
    +    }
    +
    +    public SSLSocket createSSLSocket(Socket socket) throws X509Exception, IOException
{
    +        SSLSocket sslSocket = (SSLSocket) getDefaultSSLContext().getSocketFactory().createSocket(socket,
null, socket.getPort(), true);
    +        configureSSLSocket(sslSocket);
    +
    +        return sslSocket;
    +    }
    +
    +    private void configureSSLSocket(SSLSocket sslSocket) {
    +        SSLParameters sslParameters = sslSocket.getSSLParameters();
    +        sslParameters.setNeedClientAuth(true);
    --- End diff --
    
    Just curious, does setNeedClientAuth apply to client socket (as opposed to server socket)?


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>              Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
ZooKeeper servers. For the most part this is a very easy change. We would probably only want
to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message