zookeeper-dev mailing list archives

From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Date Tue, 02 Oct 2018 21:02:14 GMT
Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r222110824
  
    --- Diff: src/java/main/org/apache/zookeeper/common/ZKTrustManager.java ---
    @@ -0,0 +1,151 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.zookeeper.common;
    +
    +import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import javax.net.ssl.SSLEngine;
    +import javax.net.ssl.SSLException;
    +import javax.net.ssl.X509ExtendedTrustManager;
    +import java.net.InetAddress;
    +import java.net.Socket;
    +import java.net.UnknownHostException;
    +import java.security.cert.CertificateException;
    +import java.security.cert.X509Certificate;
    +
    +/**
    + * A custom TrustManager that supports hostname verification via org.apache.http.conn.ssl.DefaultHostnameVerifier.
    + *
    + * We attempt to perform verification using just the IP address first and if that fails
will attempt to perform a
    + * reverse DNS lookup and verify using the hostname.
    + */
    +public class ZKTrustManager extends X509ExtendedTrustManager {
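    Review bot: The reverse-DNS fallback the class javadoc describes ("if that fails will attempt to perform a reverse DNS lookup and verify using the hostname") lets the peer's PTR record pick the name the certificate is checked against, so a match on that path only proves the certificate fits a name chosen by whoever controls the reverse zone for that address, not the name the connecting side intended. Please spell that threat model out in the javadoc and consider making the reverse-DNS step opt-in so that iPAddress-SAN matching is the default policy. Two smaller points in the same lines: the javadoc sentence is missing its subject ("and if that fails we will attempt ..."), and the only reason this file depends on httpclient is the import of org.apache.http.conn.ssl.DefaultHostnameVerifier, which is worth stating in the class comment since the rest of the server has no use for that library.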
    --- End diff --
    
    We haven't checked against 4.5.6, but given that the code path wasn't even being taken I doubt a later version would help. I don't know enough about JVM performance quirks to even have a theory for how including an unused jar leads to a perf regression. Maybe something to do with the class loader?
    
    Anyway, including a fully featured HTTP client library in Zookeeper's server code base seems weird in any case, since ZK doesn't actually use the HTTP client functionality for anything. If you don't want to copy-paste code, do you know of some smaller open source library that just provides the hostname verification that we could use?
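The matching strategy the ZKTrustManager javadoc describes (iPAddress SAN first, then a reverse-DNS name against the dNSName SANs), written against JDK APIs only. This is an added illustration, not code from the pull request or from ZooKeeper: the class name SanHostnameCheck, the injected reverse resolver, and the SAN list are constructed for the demo, and the SAN entries use the [Integer type, String value] shape that X509Certificate.getSubjectAlternativeNames() returns.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.function.Function;
import java.util.function.Predicate;

/** Added illustration (not ZooKeeper code) of "IP address first, then reverse DNS" SAN matching. */
public final class SanHostnameCheck {
    static final int DNS_NAME = 2;    // GeneralName type tags as reported by the JDK
    static final int IP_ADDRESS = 7;

    /**
     * Accepts the peer if an iPAddress SAN equals its address or, failing that, if a dNSName
     * SAN matches the name the reverse resolver returns. The resolver is injected so this runs
     * offline; real code would pass InetAddress::getCanonicalHostName, which returns the
     * address literal when there is no PTR record or the forward lookup does not confirm it.
     */
    public static String verify(Collection<List<?>> sans, InetAddress peer,
                                Function<InetAddress, String> reverseDns) throws CertificateException {
        String ip = peer.getHostAddress();
        if (matches(sans, IP_ADDRESS, san -> sameIp(san, ip))) {
            return "matched iPAddress SAN " + ip;
        }
        // Caveat: whoever controls the reverse zone for this address chooses this name, so a
        // match below only proves the certificate fits a name of their choosing.
        String name = reverseDns.apply(peer);
        if (name != null && !name.equals(ip) && matches(sans, DNS_NAME, san -> dnsMatches(san, name))) {
            return "matched dNSName SAN via reverse DNS name " + name;
        }
        throw new CertificateException("no subjectAltName matches " + ip + " (reverse DNS gave " + name + ")");
    }

    private static boolean matches(Collection<List<?>> sans, int type, Predicate<String> test) {
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (san.size() >= 2 && Integer.valueOf(type).equals(san.get(0))
                    && san.get(1) instanceof String && test.test((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    /** Byte-level comparison so "::1" and "0:0:0:0:0:0:0:1" agree; both inputs are literals, so no DNS query. */
    static boolean sameIp(String sanIp, String peerIp) {
        try {
            return Arrays.equals(InetAddress.getByName(sanIp).getAddress(),
                                 InetAddress.getByName(peerIp).getAddress());
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /** RFC 6125 style match: case-insensitive; '*' only as the whole leftmost label, matching exactly
     *  one label, and at least two labels must follow it (so "*.com" never matches). */
    static boolean dnsMatches(String san, String host) {
        String s = san.toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
        String h = host.toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
        if (!s.startsWith("*.")) {
            return s.equals(h);
        }
        String suffix = s.substring(1);   // ".example.com"
        if (suffix.indexOf('*') >= 0 || suffix.indexOf('.', 1) < 0 || !h.endsWith(suffix)) {
            return false;
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    private static List<?> san(int type, String value) {
        return Arrays.asList(type, value);
    }

    public static void main(String[] args) throws Exception {
        List<List<?>> sans = new ArrayList<>();          // constructed stand-in for a parsed cert
        sans.add(san(DNS_NAME, "*.example.com"));
        sans.add(san(IP_ADDRESS, "10.0.0.5"));
        sans.add(san(IP_ADDRESS, "::1"));
        // Constructed reverse resolver: only 10.0.0.7 has a PTR record.
        Function<InetAddress, String> ptr = a ->
                a.getHostAddress().equals("10.0.0.7") ? "zk2.example.com" : a.getHostAddress();
        for (String peer : new String[] {"10.0.0.5", "0:0:0:0:0:0:0:1", "10.0.0.7", "10.0.0.9"}) {
            try {
                System.out.println(peer + ": accepted, " + verify(sans, InetAddress.getByName(peer), ptr));
            } catch (CertificateException e) {
                System.out.println(peer + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

Running it accepts 10.0.0.5 and ::1 on the iPAddress path, accepts 10.0.0.7 only because the constructed PTR record points at a wildcard-covered name, and rejects 10.0.0.9. On the question of a smaller dependency: the JDK already performs dNSName/iPAddress checking itself when endpoint identification is enabled with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"), in which case the default X509ExtendedTrustManager's checkServerTrusted(chain, authType, SSLEngine) verifies the certificate against the engine's peer host, with no httpclient involved; that checks the name the connecting side supplied rather than one obtained from reverse DNS, which is the safer direction.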


---
