zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #681: ZOOKEEPER-3176: Quorum TLS - add SSL config opt...
Date Fri, 16 Nov 2018 18:17:39 GMT
GitHub user ivmaykov reopened a pull request:

    https://github.com/apache/zookeeper/pull/681

    ZOOKEEPER-3176: Quorum TLS - add SSL config options

    Add  SSL config options for enabled protocols and client auth mode.
    Improve handling of SSL config options for protocols and cipher suites - previously these
came from system properties, now they can come from ZKConfig which means they are easier to
isolate in tests, and now we don't need to parse system properties every time we create a
secure socket.
    
    Note that this is stacked on top of #678, #679, and #680 and thus includes them. Please
only consider the ZOOKEEPER-3176 commit when reviewing. Once the other PRs are merged upstream,
I will rebase this so it only contains one commit.
    
    ## Added more options for ssl settings to X509Util and encapsulate them better
    - previously, some SSL settings came from a `ZKConfig` and others came from global `System.getProperties()`.
This made it hard to isolate certain settings in tests.
    - now all SSL-related settings come from the `ZKConfig` object used to create the SSL
context
    - new settings added:
    - `zookeeper.ssl(.quorum).enabledProtocols` - list of enabled protocols. If not set, defaults
to a single-entry list with the value of `zookeeper.ssl(.quorum).protocol`.
    - `zookeeper.ssl(.quorum).clientAuth` - can be "NONE", "WANT", or "NEED". This controls
whether the server doesn't want / allows / requires the client to present an X509 certificate.
    - `zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis` - timeout for the first read
of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to
a `UnifiedServerSocket`

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3176

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/681.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #681
    
----
commit 367bef0980193e2761c7008844c5e9fe029d8a66
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:22:24Z

    ZOOKEEPER-3172: Quorum TLS - fix port unification to allow rolling upgrades

commit fd58fa45cdd76c6b4c1bb2f529ee8f6d7fff553d
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:54:06Z

    ZOOKEEPER-3174: Quorum TLS - support reloading trust/key store

commit d232235519e2c6e252dcac700dcc05146cea5dbc
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T02:12:04Z

    ZOOKEEPER-3176: Quorum TLS - add SSL config options

----


---

Mime
View raw message