zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #710: ZOOKEEPER-3195: TLS - disable client-initiated ...
Date Wed, 21 Nov 2018 18:00:06 GMT
Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/710#discussion_r235489458
  
    --- Diff: zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
    @@ -60,6 +60,12 @@
     public abstract class X509Util {
         private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
     
    +    static {
    +        // Client-initiated renegotiation in TLS is unsafe and
    +        // allows MITM attacks, so we should always disable it.
    +        System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
    --- End diff --
    
    I'm not sure. However, setting it to true before any SSLContext objects are created by
X509Util seems to do the trick. I'm not sure if flipping it back to `false` after the server
is running and sockets are created would lead to future connections allowing client-initiated
renegotiation or not. I don't think it matters since we don't have a way to flip the option
back to `false`.


---

Mime
View raw message