From dev-return-76094-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Wed Nov 21 23:12:34 2018
From: ivmaykov
To: dev@zookeeper.apache.org
Reply-To: dev@zookeeper.apache.org
Subject: [GitHub] zookeeper pull request #710: ZOOKEEPER-3195: TLS - disable client-initiated ...
Message-Id: <20181121221232.2CEFBDFF00@git1-us-west.apache.org>
Date: Wed, 21 Nov 2018 22:12:32 +0000 (UTC)

Github user ivmaykov commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/710#discussion_r235552846

    --- Diff: zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
    @@ -60,6 +60,12 @@ public abstract class X509Util {

         private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);

    +    static {
    +        // Client-initiated renegotiation in TLS is unsafe and
    +        // allows MITM attacks, so we should always disable it.
    +        System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
    --- End diff --

    Sure, will do


---
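Review bot: the `System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true")` call in the new `static {}` block of X509Util unconditionally overwrites any value the operator passed on the JVM command line, and it is JVM-global, so it changes TLS behaviour for every other library in the same process, not only ZooKeeper's own sockets. Suggest reading the property first and only setting it when it is absent, and logging at WARN via the existing `LOG` when an operator has explicitly set it to something other than `true`, so the override is visible rather than silent. Also worth a comment (and a line in the admin guide) that the JSSE provider reads this property once when its classes initialise, so the static block only has an effect if X509Util is loaded before any other code in the JVM has touched SSL; if that ordering cannot be guaranteed, documenting `-Djdk.tls.rejectClientInitiatedRenegotiation=true` as the supported way to set it is the safer fallback.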