Subject: Re: Server to server encrypted communication
From: Matt Wise
Date: Tue, 21 Feb 2012 07:27:56 -0800
To: user@zookeeper.apache.org

Bill,

I've been struggling with a similar problem ... although we feel like we can trust our server-to-server communication, we cannot trust our server-to-client communication. It's ironic ... ZooKeeper is designed to solve a problem of mass ad-hoc configuration and data storage - yet, it's not really designed from the ground up to run out on the open internet with things like SSL.

Anyways... to solve our client-to-server communication we have put 'stunnel' on each of our ZooKeeper nodes acting as an SSL front-end to the main ZooKeeper client port. Our stunnel configuration uses certificate-based authentication to verify that only our own clients can connect. Because this authentication is handled at the SSL level, no protocol information can pass at all before the authentication has already taken place. Our ZooKeeper client machines are also configured with a Stunnel 'client' that redirects the local ZooKeeper port to one of our ZooKeeper servers. Stunnel does a pretty good job at this ... it has built-in SSL caches so that frequent connects/disconnects do not always cause an SSL re-negotiation from scratch, and it allows for a relatively high number of connections to a given machine (I've tested over 5000 concurrent connections to a single host in previous jobs). Additionally, it adds a little bit of redundancy because Stunnel can take a 'pool' of servers to connect to, and will round-robin through them until it finds a working server.

—Matt

On Feb 20, 2012, at 6:38 AM, Bill Vochatzer wrote:

> Greetings Zookeepers,
>
> I'm new to the Zookeeper world and I'm excited about using it in my projects.
>
> I'm interested in deploying Zookeeper servers over a WAN and the requirements of the system would need to enforce the communication between the Zookeeper servers to be encrypted.
> I've scoured the documentation around the interwebs. If I understand what I read, currently Zookeeper does not support inter-server encryption (SSL/TLS).
>
> I'm curious about your insights on a few things:
> 1) Did I understand correctly that there is no support for inter-server encryption?
>
> 1a) Assuming I understood, in current experience has this been a problem for anyone and what might be done to make it work (i.e. SSL tunnel)?
>
> 2) Does the addition of netty in 3.4 offer some implementation of this feature? I couldn't quite figure it out from the documentation.
>
> 3) I notice that there is a jira issue (https://issues.apache.org/jira/browse/ZOOKEEPER-1000) open regarding this subject. Is there a road map on a future enhancement?
>
> Thanks for your time
>
> Regards
> Billy V
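As an added illustration of the stunnel arrangement Matt describes above (this is example configuration, not his actual config; every file path, hostname, the stunnel4 user and the 2281 TLS port are assumed values), here is a server-side stunnel.conf for a ZooKeeper node next to a client-side one, with mutual certificate authentication and a round-robin server pool:

```ini
; ===== /etc/stunnel/zk-server.conf : run on each ZooKeeper node =====
; Added example, not the original poster's configuration.
; Paths, hostnames, the stunnel4 user and port 2281 are assumptions.
pid      = /var/run/stunnel-zk.pid
setuid   = stunnel4
setgid   = stunnel4
cert     = /etc/stunnel/zk-server.pem   ; this node's certificate + private key
CAfile   = /etc/stunnel/zk-ca.pem       ; private CA that issued the client certificates
verify   = 2                            ; require a client certificate and verify it against CAfile
; With the default verify = 0, any host that can reach 2281 would reach ZooKeeper
; unauthenticated; verify = 2 is what enforces "only our own clients can connect"
; before a single ZooKeeper protocol byte is exchanged.
sessionCacheSize    = 1000              ; reuse TLS sessions across frequent reconnects
sessionCacheTimeout = 300               ; seconds a cached session stays valid

[zookeeper-tls]
accept  = 2281                          ; TLS-facing port that clients connect to
connect = 127.0.0.1:2181                ; plaintext ZooKeeper client port, loopback only

; ===== /etc/stunnel/zk-client.conf : run on each ZooKeeper client machine =====
; (a separate file; shown in the same block only for side-by-side comparison)
client  = yes
cert    = /etc/stunnel/zk-client.pem    ; client certificate presented to the servers
CAfile  = /etc/stunnel/zk-ca.pem
verify  = 2                             ; also authenticate the server, not merely encrypt
failover = rr                           ; round-robin through the pool, skipping dead servers

[zookeeper]
accept  = 127.0.0.1:2181                ; local applications keep using localhost:2181
connect = zk1.internal.example:2281     ; assumed hostnames of the ZooKeeper nodes
connect = zk2.internal.example:2281
connect = zk3.internal.example:2281
```

Bind ZooKeeper's own client port to loopback (clientPortAddress=127.0.0.1 in zoo.cfg) so the plaintext 2181 is reachable only through stunnel. This covers the client port only; the quorum and leader-election traffic between servers that Bill asks about is not tunnelled by it.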