zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From anmolnar <...@git.apache.org>
Subject [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Date Thu, 14 Jun 2018 16:05:01 GMT
Github user anmolnar commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r195481800
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -18,64 +18,119 @@
     package org.apache.zookeeper.common;
     
     
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.net.ssl.CertPathTrustManagerParameters;
     import javax.net.ssl.KeyManager;
     import javax.net.ssl.KeyManagerFactory;
     import javax.net.ssl.SSLContext;
    +import javax.net.ssl.SSLParameters;
    +import javax.net.ssl.SSLServerSocket;
    +import javax.net.ssl.SSLSocket;
     import javax.net.ssl.TrustManager;
     import javax.net.ssl.TrustManagerFactory;
    +import javax.net.ssl.X509ExtendedTrustManager;
     import javax.net.ssl.X509KeyManager;
     import javax.net.ssl.X509TrustManager;
     import java.io.File;
     import java.io.FileInputStream;
     import java.io.IOException;
    +import java.net.Socket;
    +import java.security.InvalidAlgorithmParameterException;
    +import java.security.KeyManagementException;
     import java.security.KeyStore;
    +import java.security.KeyStoreException;
    +import java.security.NoSuchAlgorithmException;
    +import java.security.Security;
    +import java.security.UnrecoverableKeyException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.PKIXBuilderParameters;
    +import java.security.cert.X509CertSelector;
    +import java.util.Arrays;
     
    -import org.slf4j.Logger;
    -import org.slf4j.LoggerFactory;
    -
    -import static org.apache.zookeeper.common.X509Exception.KeyManagerException;
    -import static org.apache.zookeeper.common.X509Exception.SSLContextException;
    -import static org.apache.zookeeper.common.X509Exception.TrustManagerException;
    +import org.apache.zookeeper.common.X509Exception.KeyManagerException;
    +import org.apache.zookeeper.common.X509Exception.SSLContextException;
    +import org.apache.zookeeper.common.X509Exception.TrustManagerException;
     
     /**
      * Utility code for X509 handling
      */
    -public class X509Util {
    +public abstract class X509Util {
         private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
     
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_LOCATION = "zookeeper.ssl.keyStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_KEYSTORE_PASSWD = "zookeeper.ssl.keyStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_LOCATION}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_LOCATION = "zookeeper.ssl.trustStore.location";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_PASSWD}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_TRUSTSTORE_PASSWD = "zookeeper.ssl.trustStore.password";
    -    /**
    -     * @deprecated Use {@link ZKConfig#SSL_AUTHPROVIDER}
    -     *             instead.
    -     */
    -    @Deprecated
    -    public static final String SSL_AUTHPROVIDER = "zookeeper.ssl.authProvider";
    -
    -    public static SSLContext createSSLContext() throws SSLContextException {
    -        /**
    +    static final String DEFAULT_PROTOCOL = "TLSv1.2";
    +
    +    private String sslProtocolProperty = getConfigPrefix() + "protocol";
    +    private String cipherSuitesProperty = getConfigPrefix() + "ciphersuites";
    +    private String sslKeystoreLocationProperty = getConfigPrefix() + "keyStore.location";
    +    private String sslKeystorePasswdProperty = getConfigPrefix() + "keyStore.password";
    +    private String sslTruststoreLocationProperty = getConfigPrefix() + "trustStore.location";
    +    private String sslTruststorePasswdProperty = getConfigPrefix() + "trustStore.password";
    +    private String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification";
    +    private String sslCrlEnabledProperty = getConfigPrefix() + "crl";
    +    private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
    +
    +    private String[] cipherSuites;
    --- End diff --
    
    Java-specific default cipher suites has been added. I still need to work on protocol restrictions.
Do you know what's the correlation between the default protocol set here:
    ```java
    String protocol = System.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
    try {
        SSLContext sslContext = SSLContext.getInstance(protocol);
        sslContext.init(keyManagers, trustManagers, null);
    ```
    and "enabled protocols" which can be set similar to cipher suites:
    ```java
    sslParameters.setCipherSuites(cipherSuites);
    sslParameters.setProtocols(new String[] { "TLS", "SSLv3" ... });
    ```
    Currently, default protocol is configurable. I'm wondering whether it makes sense to add
new config property for enabled protocols?


---

Mime
View raw message