Hi, I am implementing Mutual-TLS in our environment here. I looked at Bookkeeper-588 but we cannot support StartTLS, so I have an implementation that does plain SSL. I get details of the SSL setup using the Java environment variables; I have followed the ZooKeeper model for this.
We have a system with a high frequency of client certificate expiry. New certificates will be available quite a while before the old ones expire. Consider the following case:

1. Bookkeeper Client sends a request for AddEntry over SSL
2. Bookie adds the entry
3. Certificate expires and the communication channel becomes untrusted
4. The Bookie client is not able to receive a response from the Bookie, and it marks the Bookie as being in an invalid state. (PerChannelBookieClient::messageReceived processes a failure).

Is the explanation above correct?

To avoid the above, I have a basic implementation of reconnect in the DefaultPerChannelBookieClientPool::obtain function, where I can detect that the old certs are about to expire and new ones are available, and provide connections from a pool with channels initialized from the new pool. Could you comment if the above makes sense?

Thanks,
Arun
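
Added example, not part of the message above and not BookKeeper code: a Java sketch of the "rotate before expiry" decision the message describes, made at the point where a pool is handed out. `RotatingPool`, `Validity`, `shouldRotate` and the pool factory are hypothetical names, and the dates in `main` are constructed sample values.

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;

/** Hypothetical illustration; none of these names are BookKeeper APIs. */
public class RotatingPool<P> {
    /** Validity window of a client certificate. */
    record Validity(Instant notBefore, Instant notAfter) {
        static Validity of(X509Certificate c) {   // how a real cert would be mapped
            return new Validity(c.getNotBefore().toInstant(), c.getNotAfter().toInstant());
        }
        boolean validAt(Instant t) { return !t.isBefore(notBefore) && !t.isAfter(notAfter); }
    }

    private final Duration renewBefore;           // rotate this long before expiry
    private final Function<Validity, P> factory;  // builds a pool whose channels use the given cert
    private Validity activeCert;
    private P activePool;

    RotatingPool(Validity initial, Duration renewBefore, Function<Validity, P> factory) {
        this.renewBefore = renewBefore;
        this.factory = factory;
        this.activeCert = initial;
        this.activePool = factory.apply(initial);
    }

    /** True if the current cert is inside the renewal window and the candidate is usable now and outlives it. */
    static boolean shouldRotate(Validity current, Validity candidate, Duration renewBefore, Instant now) {
        boolean expiringSoon = !now.isBefore(current.notAfter().minus(renewBefore));
        return expiringSoon && candidate != null && candidate.validAt(now)
                && candidate.notAfter().isAfter(current.notAfter());
    }

    /** Returns the pool to hand out, swapping to a new pool once rotation is due. */
    synchronized P obtain(Validity candidate, Instant now) {
        if (shouldRotate(activeCert, candidate, renewBefore, now)) {
            activeCert = candidate;
            activePool = factory.apply(candidate); // old pool must still be drained and closed by the caller
        }
        return activePool;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample dates
        Validity oldCert = new Validity(t0, t0.plus(Duration.ofHours(24)));
        Validity newCert = new Validity(t0.plus(Duration.ofHours(12)), t0.plus(Duration.ofHours(48)));
        RotatingPool<String> pool =
                new RotatingPool<>(oldCert, Duration.ofHours(6), v -> "pool-valid-until-" + v.notAfter());
        System.out.println(pool.obtain(newCert, t0.plus(Duration.ofHours(13)))); // outside window: old pool
        System.out.println(pool.obtain(newCert, t0.plus(Duration.ofHours(19)))); // inside window: new pool
    }
}
```

Requests already in flight on the old pool's channels are not tracked here; a real implementation has to let them complete before closing those channels.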
