zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Date Fri, 28 Sep 2018 20:15:52 GMT
Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r221368066
  
    --- Diff: src/java/main/org/apache/zookeeper/common/ZKTrustManager.java ---
    @@ -0,0 +1,151 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.zookeeper.common;
    +
    +import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.net.ssl.SSLEngine;
    +import javax.net.ssl.SSLException;
    +import javax.net.ssl.X509ExtendedTrustManager;
    +import java.net.InetAddress;
    +import java.net.Socket;
    +import java.net.UnknownHostException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.X509Certificate;
    +
    +/**
    + * A custom TrustManager that supports hostname verification via org.apache.http.conn.ssl.DefaultHostnameVerifier.
    + *
    + * We attempt to perform verification using just the IP address first and if that fails
will attempt to perform a
    + * reverse DNS lookup and verify using the hostname.
    + */
    +public class ZKTrustManager extends X509ExtendedTrustManager {
    --- End diff --
    
    replace the entire contents of this file with the same file from #627. It's the same code,
but the `org.apache.http.conn.ssl.DefaultHostnameVerifier` class is copied into the file as
a private inner class and renamed to `ZKHostnameVerifier`. Two other apache utility classes
from httpclient (`SubjectName` and `InetAddressUtils`) are also copied in.
    
    This resolved a >10% perf regression in our internal testing at FB. We don't actually
know why including httpclient caused such a large perf regression (and strangely, the regression
was present even with SSL configs disabled), but it's a pretty easy fix ...


---

Mime
View raw message