zookeeper-user mailing list archives

From Andor Molnar <an...@cloudera.com.INVALID>
Subject Re: Digest auth with classic TCP transport
Date Thu, 27 Sep 2018 15:17:55 GMT
I think they do the latter. ZooKeeper 3.4 is highly recommended to run on a
network which is isolated from the internet.
VPN could be an option, but we don't do any testing on VPN networks.

Andor



On Thu, Sep 27, 2018 at 5:14 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:

> Thanks.
>
> So what do people typically do to mitigate this? Other than restricting
> who has access to this network?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 27. sep. 2018 kl. 17:10 skrev Andor Molnar <andor@cloudera.com.INVALID>:
> >
> > Right. It's plaintext.
> >
> >
> > On Thu, Sep 27, 2018 at 4:54 PM, Jan Høydahl <jan.asf@cominvent.com>
> > wrote:
> >
> >> I am *explicitly* asking about old-style 3.4.x socket protocol, not the
> >> new Netty transport which I know supports SSL.
> >>
> >> My original question was whether authentication credentials are passed in
> >> plaintext across the wire and thus are easy to pick up by an attacker.
> >> And if that is true, if there are known ways of working around the lack of
> >> SSL support for the TCP transport.
> >>
> >> Martin Gainty, I cannot see how I can easily plug in TLS1.3 in my existing
> >> connection between client and Zookeeper 3.4.x, but if there is a simple way
> >> to do so then please share how you did it.
> >>
> >> The only solution I see, as we're stuck with 3.4.x, is to set up IPSec
> >> tunnels on OS level on all client/server traffic. I wanted to avoid that.
> >> --
> >> Jan Høydahl, search solution architect
> >> Cominvent AS - www.cominvent.com
> >>
> >>> 27. sep. 2018 kl. 16:14 skrev Andor Molnar <andor@cloudera.com.INVALID>:
> >>>
> >>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> >>>
> >>> SSL (client-server) has been added in 3.5.1
> >>> SSL server-server support is being reviewed on GitHub.
> >>>
> >>> Regards,
> >>> Andor
> >>>
> >>>
> >>>
> >>> On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan.asf@cominvent.com>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>>> if you're prevented from implementing SSL why not use TLSv1.3?
> >>>>
> >>>>
> >>>> I have not found any evidence that either the Zookeeper server or the (Java)
> >>>> client supports TLS in version 3.4.13. Please point me to some docs or tutorial.
> >>>> We don't want to fork Zookeeper to implement this stuff ourselves :)
> >>>>
> >>>> --
> >>>> Jan Høydahl, search solution architect
> >>>> Cominvent AS - www.cominvent.com
> >>>>
> >>>>> 27. sep. 2018 kl. 15:17 skrev Martin Gainty <mgainty@hotmail.com>:
> >>>>>
> >>>>>
> >>>>> ________________________________
> >>>>> From: Jan Høydahl <jan.asf@cominvent.com>
> >>>>> Sent: Thursday, September 27, 2018 5:12 AM
> >>>>> To: user@zookeeper.apache.org
> >>>>> Subject: Digest auth with classic TCP transport
> >>>>>
> >>>>> Hi
> >>>>>
> >>>>> We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
> >>>>> We plan to use digest authentication and Zookeeper ACL protection.
> >>>>>
> >>>>> Question is, since we cannot use SSL, is there some other way to make
> >>>>> sure the user credentials are not sniffed over the network and thus let an
> >>>>> attacker impersonate our application and change the content in Zookeeper?
> >>>>> Does the Zookeeper client do some smart moves to protect/hash the password
> >>>>> over the network? I suppose the binary transport is easy to decipher for
> >>>>> those who try.
> >>>>>
> >>>>> MG>if you're prevented from implementing SSL why not use TLSv1.3?
> >>>>> MG>with TLSv1.3 you can implement encryption/decryption with crypto
> >>>>> private/public keys and x509 certs
> >>>>> https://en.wikipedia.org/wiki/Transport_Layer_Security
> >>>>>
> >>>>>
> >>>>> MG>path of least resistance is to contact verisign and ask them to
> >>>>> generate keys, certs and allow them to act as CA
> >>>>> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
> >>>>> v60...and some versions of chrome
> >>>>> MG>as far as ciphers to prevent MITM do not implement TLS_DH_anon and
> >>>>> TLS_ECDH_anon key agreement methods MG>do not authenticate the server
> >>>>> MG>you will want public key size to be min 2048bit to conform to chrome
> >>>>> secure transmission requirements
> >>>>> MG>securing message is done thru MD5 or SHA but you will need to
> >>>>> incorporate selected algo into
> >>>>> MG>supported cipher-suite(s)
> >>>>> https://en.wikipedia.org/wiki/Cipher_suite
> >>>>>
> >>>>>
> >>>>> HTH
> >>>>> Martin
> >>>>> --
> >>>>> Jan Høydahl
> >>>>> Cominvent AS - www.cominvent.com<http://www.cominvent.com>
> >>>>>
> >>>>
> >>>>
> >>
> >>
>
>
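As an added illustration of the point settled in this thread (example code written for this page, not ZooKeeper's own): the hashing Jan asks about only happens for the ACL identity stored on a znode; the credential passed to addAuthInfo("digest", ...) travels verbatim. The ACL digest formula (user + ":" + base64(SHA-1("user:password"))), the opcode/xid values and the jute framing below are re-implemented from my reading of the 3.4 source and are assumptions of this example.

```python
"""What ZooKeeper 3.4 digest auth stores in an ACL versus what it sends.

Assumed (not imported from ZooKeeper): ACL id = user:base64(SHA-1("user:pw")),
AuthPacket{type, scheme, auth} serialised with jute (big-endian int length
prefixes, payload untouched), preceded by RequestHeader{xid=-4, type=100}.
"""
import base64
import hashlib
import struct

OPCODE_AUTH = 100   # OpCode.auth (assumed value)
AUTH_XID = -4       # xid the client uses for auth packets (assumed value)


def acl_digest_id(user: str, password: str) -> str:
    """Identity a znode ACL stores for scheme 'digest' (hashed, no password)."""
    sha1 = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def jute_buffer(data: bytes) -> bytes:
    """jute buffer/ustring encoding: 4-byte big-endian length + raw bytes."""
    return struct.pack(">i", len(data)) + data


def auth_packet(user: str, password: str) -> bytes:
    """Bytes a 3.4 client sends for addAuthInfo('digest', b'user:password').

    Layout (assumed): len | RequestHeader{xid, type} | AuthPacket{type, scheme, auth}
    """
    header = struct.pack(">ii", AUTH_XID, OPCODE_AUTH)
    body = struct.pack(">i", 0)                                  # AuthPacket.type
    body += jute_buffer(b"digest")                               # scheme
    body += jute_buffer(f"{user}:{password}".encode("utf-8"))    # auth, untouched
    return jute_buffer(header + body)


def credential_exposed(packet: bytes, user: str, password: str) -> bool:
    """Defender's audit check on a captured packet: is the raw credential visible?"""
    return f"{user}:{password}".encode("utf-8") in packet


if __name__ == "__main__":
    pkt = auth_packet("app", "s3cret")          # constructed sample credential
    print("ACL id stored on znode :", acl_digest_id("app", "s3cret"))
    print("auth packet on the wire:", pkt.hex())
    print("plaintext visible      :", credential_exposed(pkt, "app", "s3cret"))
```

The ACL id is what an operator sees in getAcl output and cannot be reversed to the password, but that offers no protection for the session setup itself, which is why the thread ends at network isolation, IPSec, or upgrading to a TLS-capable transport.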
