[ https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767470#comment-15767470 ]
Enrico Olivelli commented on BOOKKEEPER-588:
--------------------------------------------

I have just pushed a first implementation. This is the port of the original [~iv...@yahoo-inc.com] patch + integration with the AuthProvider system.

I have added the support for the configuration of SSL ciphers and protocols and an option to verify SSL certificates from the client side. With this patch, if a client is configured with the "UseSSL" configuration it will not connect to non-SSL bookies, so IMHO the attacks against STARTTLS are not possible.

Procedure for rolling upgrade:
- upgrade bookies and set up SSL
- configure clients to require STARTTLS

Missing pieces (maybe a new JIRA can be created):
- tests about ciphers and protocols
- client certificates
- implementation on the bookie side of the AuthProvider part to validate client SSL certificates
- the "(!inetAddr.isUnresolved())" trick and test cases if possible

Apart from those issues I think that this patch is already good for an initial review.

> SSL support
> -----------
>
>                 Key: BOOKKEEPER-588
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
>             Project: Bookkeeper
>          Issue Type: Sub-task
>            Reporter: Ivan Kelly
>            Assignee: Enrico Olivelli
>             Fix For: 4.5.0
>
>         Attachments: 0001-MutualTLS-for-Bookkeeper.patch, 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS
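The policy argued in the comment above, a client that requires TLS refuses any bookie that does not complete STARTTLS and therefore cannot be downgraded by a capability-stripping attacker, as an added simulation that is not code from the patch or from BookKeeper. The wire format ("HELLO caps=...", "STARTTLS", "READY") and the names `Bookie`, `client_connect` and `strip_starttls` are hypothetical and exist only to make the exchange concrete; `client_tls_context` builds a real `ssl.SSLContext` to show what pinning protocols and ciphers and verifying the server certificate on the client side looks like in Python's standard library, which is an assumed stand-in for the Java/Netty configuration the patch adds.

```python
import ssl
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical STARTTLS-style wire format used only for this simulation
# (not BookKeeper's protocol): the bookie greets with its capabilities,
# the client may send "STARTTLS", and "READY" means both sides would now
# wrap the connection in TLS.
GREETING_TLS = "HELLO caps=STARTTLS"
GREETING_PLAIN = "HELLO caps="


@dataclass
class Bookie:
    """Server side of the toy exchange (hypothetical, not a real bookie)."""
    tls_enabled: bool

    def greet(self) -> str:
        return GREETING_TLS if self.tls_enabled else GREETING_PLAIN

    def handle(self, line: str) -> str:
        if line == "STARTTLS":
            return "READY" if self.tls_enabled else "ERR no-tls"
        return "OK"


def strip_starttls(msg: str) -> str:
    """Active attacker on the path: hides the capability in the greeting and
    turns the upgrade acknowledgement into a refusal, i.e. the classic
    STARTTLS downgrade. Applied to every server->client message."""
    if msg == "READY":
        return "ERR no-tls"
    return msg.replace("STARTTLS", "")


def client_connect(bookie: Bookie, require_tls: bool,
                   attacker: Optional[Callable[[str], str]] = None) -> str:
    """Returns 'tls', 'plaintext' or 'aborted'.

    require_tls=True models a client configured with the patch's UseSSL
    option: it always demands STARTTLS and never falls back to plaintext.
    require_tls=False is opportunistic TLS: upgrade only if advertised."""
    tamper = attacker or (lambda m: m)
    greeting = tamper(bookie.greet())
    advertised = "STARTTLS" in greeting.split("caps=", 1)[1].split(",")

    if require_tls or advertised:
        if tamper(bookie.handle("STARTTLS")) == "READY":
            return "tls"
        if require_tls:
            return "aborted"      # mandatory TLS: no plaintext fallback
    return "plaintext"


def client_tls_context(min_version=ssl.TLSVersion.TLSv1_2,
                       ciphers="ECDHE+AESGCM:ECDHE+CHACHA20") -> ssl.SSLContext:
    """What the client would wrap the socket with after READY: pinned
    minimum protocol version, restricted cipher list, and mandatory server
    certificate plus hostname verification (the comment's 'verify SSL
    certificates from the client side'). Values are illustrative defaults."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    ctx.set_ciphers(ciphers)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    tls_bookie, old_bookie = Bookie(True), Bookie(False)
    print("mandatory, honest path:  ", client_connect(tls_bookie, True))
    print("mandatory, stripped:     ", client_connect(tls_bookie, True, strip_starttls))
    print("opportunistic, stripped: ", client_connect(tls_bookie, False, strip_starttls))
    print("mandatory, old bookie:   ", client_connect(old_bookie, True))
    ctx = client_tls_context()
    print("ciphers allowed:", [c["name"] for c in ctx.get_ciphers()])
```

The last simulated case is the reason for the ordering of the rolling upgrade in the comment: a client switched to require TLS while it still talks to a bookie without SSL simply aborts, so bookies have to be upgraded first and clients flipped to mandatory STARTTLS afterwards. Until that flip, an opportunistic client is still exposed to the stripping shown in the third case.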