On Fri, Sep 9, 2016 at 10:46 AM, Arun M. Krishnakumar < [email protected]> wrote:
> Hi, > > I am implementing Mutual-TLS in our environment here. I looked at > Bookkeeper-588 but we cannot support StartTLS, Can you explain why you cannot support StartTLS? > so have an implementation > that does plain SSL. I get details of the SSL setup using the java > environment variables, I have followed the zookeeper model for this. > > > We have a system with a high frequency of client certificate expiry. New > certificates will be available quite a while before the old ones expire. > Consider the following case: > 1. Bookkeeper Client sends a request for AddEntry over SSL > 2. Bookie adds the entry 3. Certificate expires and the communication channel becomes untrusted > 4. The Bookie client is not able to receive a response from the Bookie, and > it marks the Bookie as being in an invalid state. > (PerChannelBookieClient::messageReceived processes a failure). > I am assuming here, you are talking about the request timeout as no response coming back. Or the client received a failure? > > Is the explanation above correct ? > To avoid the above, I have a basic implementation of reconnect in the > DefaultPerChannelBookieClientPool::obtain function, where I can detect > that > the old certs are about to expire and new ones are available, and provide > connections from a pool with channels initialized from the new pool. > I am not very clear about this part. Are you saying you will pre-create connection with new cert and replace the connection with old cert? > > Could you comment if the above makes sense ? > > Thanks, > Arun >
