zookeeper-dev mailing list archives

From ivmaykov <...@git.apache.org>
Subject [GitHub] zookeeper pull request #710: ZOOKEEPER-3195: TLS - disable client-initiated ...
Date Mon, 03 Dec 2018 18:57:06 GMT
GitHub user ivmaykov reopened a pull request:

    https://github.com/apache/zookeeper/pull/710

    ZOOKEEPER-3195: TLS - disable client-initiated renegotiation

    Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks.
    Unfortunately, the feature is enabled in Java by default. This disables it.
    See https://bugs.openjdk.java.net/browse/JDK-7188658 and
    https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html
    
    Test Plan: manually tested by running a secure ZK server and probing the listening port
    with python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3195

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/710.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #710
    
----
commit fc7f54819fa3ec618d368f73e014614e4e39ef11
Author: Ilya Maykov <ilyam@...>
Date:   2018-11-20T23:30:23Z

    ZOOKEEPER-3195: TLS - disable client-initiated renegotiation
    
    Summary: client-initiated renegotiation is insecure and is vulnerable to MITM attacks.
    Unfortunately, the feature is enabled in Java by default. This disables it.
    See https://bugs.openjdk.java.net/browse/JDK-7188658 and
    https://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html
    
    Test Plan: manually tested by running a secure ZK server and probing the listening port
    with python's sslyze tool (using `sslyze --reneg ...`). Tested on Java 8, 9, 10, and 11.
    Also added a unit test that verifies client-initiated renegotiation fails.

----


---
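For readers who want to see what "disabling" client-initiated renegotiation looks like on the Java side: the example below is added here and is not the pull request's code. It assumes the mechanism is the JDK system property that the linked JDK-7188658 introduced, `jdk.tls.rejectClientInitiatedRenegotiation`, and the class and method names (`TlsHardening`, `newServerSocket`) are illustrative. JSSE reads the property once when its handshake classes initialize, so the important operational detail is that it must be set before the first `SSLContext` is created in the JVM (or passed as `-Djdk.tls.rejectClientInitiatedRenegotiation=true` on the command line); setting it afterwards silently does nothing.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Illustrative hardening helper (not ZooKeeper's code): rejects TLS renegotiation
 * requests that the client initiates, which is what the PR above sets out to do.
 */
public final class TlsHardening {

    // JDK property from JDK-7188658. Default is "false", i.e. client-initiated
    // renegotiation is accepted by the server side of JSSE.
    static final String REJECT_CLIENT_RENEG = "jdk.tls.rejectClientInitiatedRenegotiation";

    static {
        // Must run before any SSLContext/SSLEngine exists in this JVM: JSSE caches
        // the value during static initialization of its handshake classes.
        System.setProperty(REJECT_CLIENT_RENEG, "true");
    }

    private TlsHardening() {}

    /**
     * Returns true when the JVM-wide switch is on. Call this from startup checks so a
     * launcher that overrides the property (e.g. -D...=false) fails loudly rather than
     * quietly serving a renegotiation-capable endpoint.
     */
    public static boolean clientInitiatedRenegotiationRejected() {
        return Boolean.parseBoolean(System.getProperty(REJECT_CLIENT_RENEG));
    }

    /** Creates a listening TLS socket, refusing to start if the switch was overridden. */
    public static SSLServerSocket newServerSocket(SSLContext ctx, int port) throws IOException {
        if (!clientInitiatedRenegotiationRejected()) {
            throw new IllegalStateException(REJECT_CLIENT_RENEG
                    + " is not \"true\": client-initiated renegotiation would be accepted");
        }
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // Renegotiation is only half of the story; also avoid offering legacy protocols.
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
        return socket;
    }
}
```

Verification is the same as the PR's test plan: point `sslyze --reneg` at the listening port and confirm the client-initiated renegotiation check reports it as rejected. Because the property is global to the JVM, the check belongs in the process's startup path rather than in each socket factory, and it cannot be applied selectively to one listener.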
