zookeeper-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [zookeeper] eolivelli commented on issue #961: ZOOKEEPER-3404. Downgrade BouncyCastle to 1.60
Date Mon, 27 May 2019 21:18:22 GMT
eolivelli commented on issue #961: ZOOKEEPER-3404. Downgrade BouncyCastle to 1.60
URL: https://github.com/apache/zookeeper/pull/961#issuecomment-496307315
 
 
   As we are using BC only for tests it is okay to downgrade in order to make tests more stable.
   
   btw if we have these problems now, someday we will see them again when we need to upgrade.
   Aren't we using BC only for generating certs and keys? It is not used by the runtime.
   
   BC comes with its own Security Providers, **I am afraid that it not polluting the classpath during tests** executions. The JVM (Javax Crypto) selects Security Providers by using what is on the classpath.
   **It is a problem if during tests execution we are using a Security Provider that is not used in production.**
   
   We should add debug in every security-related utility and dump which Security Provider is in use.
   In order to be sure about the security provider we are using, every Javax Crypto utility has a way to force the provider without using auto discovery.
   
   We should also add Netty (Google) Boring SSL library in order to be sure about the SSL
implementation we are using.
   
   Unfortunately we are not using Netty yet on server to server communication, so I guess we are more fragile in this Security Provider selection.
   
   cc @enixon

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
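
The provider logging and provider pinning suggested in the comment above, sketched with standard JCA calls. This is an added example, not part of the original message or of ZooKeeper's code; the class name `ProviderAudit` and the pinned names `SunJSSE` and `SUN` assume a stock OpenJDK.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class ProviderAudit {  // hypothetical class name

    // Log which provider the JCA lookup actually resolved to.
    static void report(String what, Provider p) {
        System.out.printf("%-26s -> %s (%s)%n", what, p.getName(), p.getClass().getName());
    }

    public static void main(String[] args) throws Exception {
        // Registered providers in preference order. A jar that calls
        // Security.addProvider()/insertProviderAt() during tests changes this list.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName());
        }
        // "BC" is the name BouncyCastle registers under; null means it is not installed.
        System.out.println("BC registered: " + (Security.getProvider("BC") != null));

        // Auto-discovery: the first provider in the list offering the algorithm wins.
        // (For Cipher the choice is normally deferred to init() and can depend on the key.)
        report("KeyPairGenerator RSA", KeyPairGenerator.getInstance("RSA").getProvider());
        report("MessageDigest SHA-256", MessageDigest.getInstance("SHA-256").getProvider());
        report("Cipher AES/GCM/NoPadding", Cipher.getInstance("AES/GCM/NoPadding").getProvider());
        report("SSLContext TLSv1.2", SSLContext.getInstance("TLSv1.2").getProvider());

        // Forced selection: name the provider so list order no longer matters.
        // Assumption: "SunJSSE" and "SUN" are the stock OpenJDK provider names.
        SSLContext tls = SSLContext.getInstance("TLSv1.2", "SunJSSE");
        MessageDigest md = MessageDigest.getInstance("SHA-256", "SUN");
        report("pinned SSLContext", tls.getProvider());
        report("pinned MessageDigest", md.getProvider());

        // Fail fast if the resolved TLS provider is not the one production expects.
        String expected = "SunJSSE";
        String actual = SSLContext.getInstance("TLSv1.2").getProvider().getName();
        if (!expected.equals(actual)) {
            throw new IllegalStateException("TLS provider is " + actual + ", expected " + expected);
        }
    }
}
```

Running the same class with the test classpath and with the production classpath and comparing the two outputs shows whether a test-only provider changes what the lookups resolve to.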
