zookeeper-user mailing list archives

From Andor Molnar <an...@cloudera.com.INVALID>
Subject Re: Digest auth with classic TCP transport
Date Thu, 27 Sep 2018 14:14:08 GMT
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

SSL (client-server) has been added in 3.5.1
SSL server-server support is being reviewed on GitHub.

Regards,
Andor



On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan.asf@cominvent.com> wrote:

> Hi,
>
> > if you're prevented from implementing SSL why not use TLSv1.3?
>
>
> I have not found any evidence that either the Zookeeper server or the (Java)
> client supports TLS in version 3.4.13. Please point me to some docs or tutorial.
> We don't want to fork Zookeeper to implement this stuff ourselves :)
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 27. sep. 2018 kl. 15:17 skrev Martin Gainty <mgainty@hotmail.com>:
> >
> >
> > ________________________________
> > From: Jan Høydahl <jan.asf@cominvent.com>
> > Sent: Thursday, September 27, 2018 5:12 AM
> > To: user@zookeeper.apache.org
> > Subject: Digest auth with classic TCP transport
> >
> > Hi
> >
> > We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
> > We plan to use digest authentication and Zookeeper ACL protection.
> >
> > Question is, since we cannot use SSL, is there some other way to make
> sure the user credentials are not sniffed over the network and thus let an
> attacker impersonate our application and change the content in Zookeeper?
> Does the Zookeeper client do some smart moves to protect/hash the password
> over the network? I suppose the binary transport is easy to decipher for
> those who try.
> >
> > MG>if you're prevented from implementing SSL why not use TLSv1.3?
> > MG>with TLSv1.3 you can implement encryption/decryption with crypto
> private/public keys and x509 certs
> > https://en.wikipedia.org/wiki/Transport_Layer_Security
> >
> >
> > MG>path of least resistance is to contact verisign and ask them to
> generate keys, certs and allow them to act as CA
> > MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
> v60...and some versions of chrome
> > MG>as far as ciphers to prevent MITM do not implement TLS_DH_anon and
> TLS_ECDH_anon key agreement methods
> > MG>do not authenticate the server
> > MG>you will want public key size to be min 2048bit to conform to chrome
> secure transmission requirements
> > MG>securing message is done thru MD5 or SHA but you will need to
> incorporate selected algo into
> > MG>supported cipher-suite(s)
> > https://en.wikipedia.org/wiki/Cipher_suite
> >
> >
> > HTH
> > Martin
> > --
> > Jan Høydahl
> > Cominvent AS - www.cominvent.com<http://www.cominvent.com>
> >
>
>
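Editor's added example (not part of the thread, and not ZooKeeper's own code): Jan asks whether the client does "some smart moves to protect/hash the password over the network". With the digest scheme it does not. The SHA-1 is applied on the server side to the bytes the client sent, and compared with the identity stored in the znode ACL, which is user:BASE64(SHA1("user:password")). The Python below reproduces that server-side identity computation (the same operation as DigestAuthenticationProvider.generateDigest) and then shows that whoever captured the raw auth bytes from the plaintext TCP session can satisfy the same check. The credentials and the "captured" bytes are constructed for the example.

```python
import base64
import hashlib


def generate_digest(id_password: str) -> str:
    """ACL identity for the 'digest' scheme: user:BASE64(SHA1(user:password)).

    Mirrors what the server does with the bytes received in the AuthPacket.
    Only the part before the first ':' is treated as the user name.
    """
    user = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()  # 20 raw bytes
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def digest_acl(id_password: str, perms: str = "cdrwa") -> str:
    """Full ACL string as it is usually written, e.g. for setAcl/create."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def server_auth_check(acl_id: str, auth_bytes: bytes) -> bool:
    """What the server effectively checks at auth time: hash the bytes the
    client sent, compare with the id stored in the ACL. The hash is never
    on the wire; the password is."""
    return generate_digest(auth_bytes.decode("utf-8")) == acl_id


# Constructed example credentials (not from the thread).
APP_CREDENTIALS = "app:s3cret-pa55"
# What a sniffer on the plaintext (non-SSL) client port would see in the
# AuthPacket for scheme "digest": the id:password bytes, unhashed.
CAPTURED_AUTH_PACKET_ID = b"app:s3cret-pa55"


def demonstrate() -> dict:
    """Return the ACL the application would set and the outcome of an auth
    attempt made with the captured bytes versus a guessed password."""
    acl_id = generate_digest(APP_CREDENTIALS)
    return {
        "acl": digest_acl(APP_CREDENTIALS),
        "replayed_capture_accepted": server_auth_check(acl_id, CAPTURED_AUTH_PACKET_ID),
        "wrong_password_accepted": server_auth_check(acl_id, b"app:wrong"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Put differently: the hashing in the "digest" scheme protects the password at rest in the ACL, not in transit. On 3.4.x the only remedies are network-level ones (a private segment, stunnel or a VPN in front of the client port); from 3.5.1 the Netty transport with the SSL settings from the linked guide covers the client-server leg.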
