zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #681: ZOOKEEPER-3176: Quorum TLS - add SSL config opt...
Date Wed, 07 Nov 2018 21:09:35 GMT
GitHub user ivmaykov reopened a pull request:


    ZOOKEEPER-3176: Quorum TLS - add SSL config options

    Add  SSL config options for enabled protocols and client auth mode.
    Improve handling of SSL config options for protocols and cipher suites - previously these
came from system properties, now they can come from ZKConfig which means they are easier to
isolate in tests, and now we don't need to parse system properties every time we create a
secure socket.
    Note that this is stacked on top of #678, #679, and #680 and thus includes them. Please
only consider the ZOOKEEPER-3176 commit when reviewing. Once the other PRs are merged upstream,
I will rebase this so it only contains one commit.
    ## Added more options for ssl settings to X509Util and encapsulate them better
    - previously, some SSL settings came from a `ZKConfig` and others came from global `System.getProperties()`.
This made it hard to isolate certain settings in tests.
    - now all SSL-related settings come from the `ZKConfig` object used to create the SSL
    - new settings added:
    - `zookeeper.ssl(.quorum).enabledProtocols` - list of enabled protocols. If not set, defaults
to a single-entry list with the value of `zookeeper.ssl(.quorum).protocol`.
    - `zookeeper.ssl(.quorum).clientAuth` - can be "NONE", "WANT", or "NEED". This controls
whether the server doesn't want / allows / requires the client to present an X509 certificate.
    - `zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis` - timeout for the first read
of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to
a `UnifiedServerSocket`

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3176

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #681
commit b45b716a59709b933c0652f48d563b08e1091e92
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:22:24Z

    ZOOKEEPER-3172: Quorum TLS - fix port unification to allow rolling upgrades

commit 28565e3466dd35a339a3d1d71de20298072abb1a
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:54:06Z

    ZOOKEEPER-3174: Quorum TLS - support reloading trust/key store

commit 4bd95d4d0f69fa73342e2c6af57c38e41421e140
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T02:12:04Z

    ZOOKEEPER-3176: Quorum TLS - add SSL config options



View raw message