From dev-return-74172-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Fri Oct 5 00:01:43 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 638C4180658 for ; Fri, 5 Oct 2018 00:01:43 +0200 (CEST) Received: (qmail 35795 invoked by uid 500); 4 Oct 2018 22:01:42 -0000 Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list dev@zookeeper.apache.org Received: (qmail 35784 invoked by uid 99); 4 Oct 2018 22:01:41 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 04 Oct 2018 22:01:41 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id A6087E0054; Thu, 4 Oct 2018 22:01:41 +0000 (UTC) From: hanm To: dev@zookeeper.apache.org Reply-To: dev@zookeeper.apache.org References: In-Reply-To: Subject: [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast... Content-Type: text/plain Message-Id: <20181004220141.A6087E0054@git1-us-west.apache.org> Date: Thu, 4 Oct 2018 22:01:41 +0000 (UTC) Github user hanm commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r222841188 --- Diff: src/java/main/org/apache/zookeeper/common/ZKTrustManager.java --- 
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zookeeper.common;
+
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A custom TrustManager that supports hostname verification via org.apache.http.conn.ssl.DefaultHostnameVerifier.
+ *
+ * We attempt to perform verification using just the IP address first and if that fails will attempt to perform a
+ * reverse DNS lookup and verify using the hostname.
+ */
+public class ZKTrustManager extends X509ExtendedTrustManager {
--- End diff --
I am +1 on @ivmaykov 's approach. We should create a JIRA and put a comment in code links with JIRA so this can be cleaned up later, though this sounds a mysterious issue by the description so far (that performance degrades with new code path not hit?).
---
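Review bot: The class Javadoc describes falling back to a reverse DNS lookup when verification by IP address fails, but it does not state the trust assumption that fallback carries: the PTR record for the peer's address is controlled by whoever administers that reverse zone, so a name obtained this way is only as trustworthy as the resolver path, and matching a certificate against it is a weaker identity check than matching against a name the caller already expected. Suggest the Javadoc say so explicitly, e.g. `* Note: the reverse-DNS fallback relies on the resolver being trustworthy; a certificate matched only via a PTR-derived name is a weaker identity check than matching a caller-supplied hostname.` It would also help to document whether the fallback can be disabled and what is logged when it is taken, since the slf4j Logger import suggests the class logs. The class body, including the verification logic and the use of DefaultHostnameVerifier, is outside the quoted hunk, so I cannot confirm how the fallback is implemented.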