zookeeper-dev mailing list archives

From eolivelli <...@git.apache.org>
Subject [GitHub] zookeeper pull request #710: ZOOKEEPER-3195: TLS - disable client-initiated ...
Date Wed, 21 Nov 2018 01:06:55 GMT
Github user eolivelli commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/710#discussion_r235223996
  
    --- Diff: zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
    @@ -60,6 +60,12 @@
     public abstract class X509Util {
         private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
     
    +    static {
    +        // Client-initiated renegotiation in TLS is unsafe and
    +        // allows MITM attacks, so we should always disable it.
    +        System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
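Review bot: the static initializer unconditionally overwrites `jdk.tls.rejectClientInitiatedRenegotiation`, so an operator who set it explicitly on the command line (for example to keep renegotiation enabled while debugging) is silently overridden; consider only calling `System.setProperty` when `System.getProperty("jdk.tls.rejectClientInitiatedRenegotiation") == null` and logging the effective value. The effect also depends on `X509Util` being class-loaded before the JSSE provider consumes the property, so that ordering assumption should be stated in the comment rather than left implicit.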
    --- End diff --
    
    Do you know if this system property is read only once by the JVM and then cached, or applies to any new server socket or to any new accepted connection/TLS handshake?

