zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Mon, 01 May 2017 19:20:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991346#comment-15991346
] 

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r114181665
  
    --- Diff: src/java/main/org/apache/zookeeper/server/quorum/Learner.java ---
    @@ -254,6 +260,9 @@ protected void connectToLeader(InetSocketAddress addr)
                     }
     
                     sockConnect(sock, addr, Math.min(self.tickTime * self.syncLimit, remainingInitLimitTime));
    +                if (self.isSslQuorum())  {
    +                    ((SSLSocket) sock).startHandshake();
    +                }
                     sock.setTcpNoDelay(nodelay);
                     break;
                 } catch (IOException e) {
    --- End diff --
    
    > if we know the SSL cert is invalid there is no point retrying
    
    Not sure I agree. I can imagine cases where the certificate revocation system is down
and comes up at a later point in time.
    
    >it's possible that what finally gets logged does not reflect the cause of the failure
due to how these exceptions are handled 
    
    We seem to be logging pretty reasonably here: https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/server/quorum/Follower.java#L95
    
    In addition, there is some JVM system properties for ssl logging that we can document
to make sure certificate issues are as clear as possible.
    
    



> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>              Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
ZooKeeper servers. For the most part this is a very easy change. We would probably only want
to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message