From: Andor Molnar
Date: Thu, 27 Sep 2018 16:14:08 +0200
Subject: Re: Digest auth with classic TCP transport
To: user@zookeeper.apache.org

https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

SSL (client-server) has been added in 3.5.1
SSL server-server support is being reviewed on GitHub.

Regards,
Andor

On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl wrote:

> Hi,
>
> > if you're prevented from implementing SSL why not use TLSv1.3?
>
> I have not found any evidence that Zookeeper server nor (Java) client
> supports TLS in version 3.4.13. Please point me to some docs or tutorial.
> We don't want to fork Zookeeper to implement this stuff ourselves :)
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> On 27 Sep 2018 at 15:17, Martin Gainty wrote:
> >
> > ________________________________
> > From: Jan Høydahl
> > Sent: Thursday, September 27, 2018 5:12 AM
> > To: user@zookeeper.apache.org
> > Subject: Digest auth with classic TCP transport
> >
> > Hi
> >
> > We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL.
> > We plan to use digest authentication and Zookeeper ACL protection.
> >
> > Question is, since we cannot use SSL, is there some other way to make
> > sure the user credentials are not sniffed over the network and thus let an
> > attacker impersonate our application and change the content in Zookeeper?
> > Does the Zookeeper client do some smart moves to protect/hash the password
> > over the network? I suppose the binary transport is easy to decipher for
> > those who try.
> >
> > MG>if you're prevented from implementing SSL why not use TLSv1.3?
> > MG>with TLSv1.3 you can implement encryption/decryption with crypto
> > private/public keys and x509 certs
> > https://en.wikipedia.org/wiki/Transport_Layer_Security
> > Transport Layer Security - Wikipedia
> > Transport Layer Security (TLS) – and its predecessor, Secure Sockets
> > Layer (SSL), which is now deprecated by the Internet Engineering Task Force
> > (IETF) – are cryptographic protocols that provide communications security
> > over a computer network. Several versions of the protocols find widespread
> > use in applications such as web browsing, email, instant messaging, and
> > voice over IP (VoIP).
> > en.wikipedia.org
> >
> > MG>path of least resistance is to contact verisign and ask them to
> > generate keys, certs and allow them to act as CA
> > MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla
> > v60...and some versions of chrome
> > MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and
> > TLS_ECDH_anon key agreement methods
> > MG>do not authenticate the server
> > MG>you will want public key size to be min 2048bit to conform to chrome
> > secure transmission requirements
> > MG>securing message is done thru MD5 or SHA but you will need to
> > incorporate selected algo into
> > MG>supported cipher-suite(s)
> > https://en.wikipedia.org/wiki/Cipher_suite
> > Cipher suite - Wikipedia
> > A cipher suite is a set of algorithms that help secure a network
> > connection that uses Transport Layer Security (TLS) or Secure Socket Layer
> > (SSL). The set of algorithms that cipher suites usually contain include: a
> > key exchange algorithm, a bulk encryption algorithm, and a message
> > authentication code (MAC) algorithm. The key exchange algorithm is used to
> > exchange a key between two devices.
> > en.wikipedia.org
> >
> > HTH
> > Martin
> > --
> > Jan Høydahl
> > Cominvent AS - www.cominvent.com
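Added example, not part of this thread and not ZooKeeper's own code: a Python sketch of what the "digest" scheme hashes and what it does not, which is the question Jan raises above. The derivation follows ZooKeeper's DigestAuthenticationProvider.generateDigest (SHA-1 over the whole "user:password" string, base64-encoded, prefixed with the user name), and the client side reflects the fact that addAuthInfo("digest", ...) submits the raw "user:password" bytes without hashing. The function names, the constant-time comparison and the credential "app:s3cret" are constructions of this example.

```python
import base64
import hashlib
import hmac


def generate_digest(user_password: str) -> str:
    """Derive the ACL id that ZooKeeper's "digest" scheme stores for "user:password".

    Mirrors DigestAuthenticationProvider.generateDigest(): SHA-1 over the
    UTF-8 bytes of the whole "user:password" string, base64-encoded and
    prefixed with the user name (the part before the first colon). This
    hashed form lives in the ACL on the server; it is not what travels
    over the connection.
    """
    user, _sep, _password = user_password.partition(":")
    raw = hashlib.sha1(user_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def acl_entry(user_password: str, perms: str = "crwda") -> str:
    """Format the entry an administrator sets on a znode, e.g. digest:app:<hash>:crwda."""
    return f"digest:{generate_digest(user_password)}:{perms}"


def auth_packet_payload(user_password: str) -> bytes:
    """The bytes a client submits with addAuthInfo("digest", ...).

    The client applies no hashing and no challenge-response: the AuthPacket
    carries the raw "user:password" bytes, so on the plain TCP transport they
    are readable by anyone who can observe the connection.
    """
    return user_password.encode("utf-8")


def server_accepts(stored_acl_id: str, presented: bytes) -> bool:
    """Server-side verification: hash the presented credential, compare to the ACL id.

    hmac.compare_digest gives a constant-time comparison; that is a choice of
    this example, not a statement about the Java implementation.
    """
    computed = generate_digest(presented.decode("utf-8"))
    return hmac.compare_digest(computed.encode("ascii"), stored_acl_id.encode("ascii"))


def secret_visible_on_wire(payload: bytes, password: str) -> bool:
    """True when the password appears verbatim in the bytes handed to the transport."""
    return password.encode("utf-8") in payload


if __name__ == "__main__":
    # Constructed sample credential for the demonstration; not a real account.
    cred = "app:s3cret"
    acl_id = generate_digest(cred)
    payload = auth_packet_payload(cred)
    print("ACL entry stored on the server:", acl_entry(cred))
    print("Bytes the client sends        :", payload)
    print("Server accepts                :", server_accepts(acl_id, payload))
    print("Password visible on the wire  :", secret_visible_on_wire(payload, "s3cret"))
```

The hashed form protects the ACL as stored, not the handshake, which is why the replies above point to the Netty transport with TLS (client-server SSL from 3.5.1, per the linked user guide) rather than to any digest-side setting.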