From dev-return-76002-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Wed Nov 21 00:32:50 2018
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 1618918064E for ; Wed, 21 Nov 2018 00:32:49 +0100 (CET)
Received: (qmail 65725 invoked by uid 500); 20 Nov 2018 23:32:49 -0000
Mailing-List: contact dev-help@zookeeper.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@zookeeper.apache.org
Delivered-To: mailing list dev@zookeeper.apache.org
Received: (qmail 65707 invoked by uid 99); 20 Nov 2018 23:32:48 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 Nov 2018 23:32:48 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 1C94CE1305; Tue, 20 Nov 2018 23:32:48 +0000 (UTC)
From: ivmaykov
To: dev@zookeeper.apache.org
Reply-To: dev@zookeeper.apache.org
Subject: [GitHub] zookeeper pull request #710: ZOOKEEPER-3195: TLS - disable client-initiated ...
Content-Type: text/plain
Date: Tue, 20 Nov 2018 23:32:48 +0000 (UTC)

GitHub user ivmaykov opened a pull request:

    https://github.com/apache/zookeeper/pull/710

    ZOOKEEPER-3195: TLS - disable client-initiated renegotiation

    Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks. Unfortunately, the feature is enabled in Java by default. This disables it. See https://bugs.openjdk.java.net/browse/JDK-7188658 and https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html

    Test Plan: manually tested by running a secure ZK server and probing the listening port with Python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.
You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3195

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/710.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #710

----
commit 027d7d24912dc7a00d798a77196f83be06229755
Author: Ilya Maykov
Date:   2018-11-20T23:30:23Z

    ZOOKEEPER-3195: TLS - disable client-initiated renegotiation

    Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks. Unfortunately, the feature is enabled in Java by default. This disables it. See https://bugs.openjdk.java.net/browse/JDK-7188658 and https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html

    Test Plan: manually tested by running a secure ZK server and probing the listening port with Python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.

----
---