This is an automated email from the ASF dual-hosted git repository. andor pushed a commit to branch branch-3.9 in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.9 by this push:
new 5523ef5e2 ZOOKEEPER-4790: Make client hostname verification configurable
5523ef5e2 is described below
commit 5523ef5e26d8cb259bed624160c87d7feec345a7
Author: Natalie Klestrup Röijezon <n...@nullable.se>
AuthorDate: Fri Nov 22 23:32:10 2024 +0100
ZOOKEEPER-4790: Make client hostname verification configurable
Reviewers: anmolnar
Author: nightkr
Closes #2173 from nightkr/feature/config-client-hostname-verification
(cherry picked from commit 91ab3f5274658a457f205065233db038ba7e622f)
Signed-off-by: Andor Molnar <an...@apache.org>
---
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md | 7 +++++++
.../src/main/java/org/apache/zookeeper/common/X509Util.java | 8 +++++++-
.../src/main/java/org/apache/zookeeper/common/ZKConfig.java | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 377c2f30a..b53da4596 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -1750,6 +1750,13 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp
 Disabling it only recommended for testing purposes.
 Default: true

+* *ssl.clientHostnameVerification* and *ssl.quorum.clientHostnameVerification* :
+ (Java system properties: **zookeeper.ssl.clientHostnameVerification** and **zookeeper.ssl.quorum.clientHostnameVerification**)
+ **New in 3.9.4:**
+ Specifies whether the client's hostname verification is enabled in client and quorum TLS negotiation process.
+ This option requires the corresponding *hostnameVerification* option to be `true`, or it will be ignored.
+ Default: true for quorum, false for clients
+
 * *ssl.crl* and *ssl.quorum.crl* :
 (Java system properties: **zookeeper.ssl.crl** and **zookeeper.ssl.quorum.crl**)
 **New in 3.5.5:**
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index a7a9fb7a3..dfb3f1191 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -196,6 +196,7 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 private final String sslTruststoreTypeProperty = getConfigPrefix() + "trustStore.type";
 private final String sslContextSupplierClassProperty = getConfigPrefix() + "context.supplier.class";
 private final String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification";
+ private final String sslClientHostnameVerificationEnabledProperty = getConfigPrefix() + "clientHostnameVerification";
 private final String sslCrlEnabledProperty = getConfigPrefix() + "crl";
 private final String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
 private final String sslClientAuthProperty = getConfigPrefix() + "clientAuth";
@@ -270,6 +271,10 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 return sslHostnameVerificationEnabledProperty;
 }

+ public String getSslClientHostnameVerificationEnabledProperty() {
+ return sslClientHostnameVerificationEnabledProperty;
+ }
+
 public String getSslCrlEnabledProperty() {
 return sslCrlEnabledProperty;
 }
@@ -305,7 +310,8 @@ public abstract class X509Util implements Closeable, AutoCloseable {
 }

 public boolean isClientHostnameVerificationEnabled(ZKConfig config) {
- return isServerHostnameVerificationEnabled(config) && shouldVerifyClientHostname();
+ return isServerHostnameVerificationEnabled(config)
+ && config.getBoolean(this.getSslClientHostnameVerificationEnabledProperty(), shouldVerifyClientHostname());
 }

 public SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException {
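Review bot: In the rewritten `isClientHostnameVerificationEnabled`, `shouldVerifyClientHostname()` changes role from being the answer to being only the default that a `clientHostnameVerification` property can override, and neither this method nor the new getter `getSslClientHostnameVerificationEnabledProperty` carries Javadoc saying so. Since the docs hunk defaults the property to true on the quorum side, an explicit `false` there presumably relaxes the peer-certificate check in quorum mutual TLS, so a Javadoc on the method such as `/** True only when hostnameVerification is on and clientHostnameVerification (default: shouldVerifyClientHostname()) is not set to false; turning it off where the default is on is a security downgrade. */` would let a reader see the precedence without consulting the admin guide. It would also help operators to log at WARN when the property explicitly disables verification where the default enabled it; whether the class already has a logger is not visible in this hunk. The enclosing class continues outside all three hunks.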
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
index de062e747..846a5632e 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
@@ -127,6 +127,7 @@ public class ZKConfig {
 properties.put(x509Util.getSslTruststorePasswdPathProperty(), System.getProperty(x509Util.getSslTruststorePasswdPathProperty()));
 properties.put(x509Util.getSslTruststoreTypeProperty(), System.getProperty(x509Util.getSslTruststoreTypeProperty()));
 properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty()));
+ properties.put(x509Util.getSslClientHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslClientHostnameVerificationEnabledProperty()));
 properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
 properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty()));
 properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty()));
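Review bot: The new `properties.put` line for `getSslClientHostnameVerificationEnabledProperty` is inserted before the `hostnameVerification` entry, whereas X509Util declares the new field directly after `sslHostnameVerificationEnabledProperty`; keeping the two lists in the same order makes an omission easier to spot the next time a TLS property is added, and moving the line one entry down is enough. Like its siblings, the line stores the result of `System.getProperty(...)` unconditionally, so an unset property is recorded as a null value — presumably what the `getBoolean` default path expects, but worth confirming since this property now gates a security check. The enclosing method starts and ends outside the hunk.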