[jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol

Mon, 13 Mar 2017 22:14:43 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15923591#comment-15923591
 ] 

Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------

Hi [~geek101]-

bq. Need for separate SSL config for client to server and quorum peer to quorum 
peer. Changes to X509Util and ZKConfig are for this.
Totally agree.

bq. Need for Hostname verification and CRL lists at-least for quorum peer to 
quorum peer SSL would mean that we will need X509ExtendedTrustManager hence the 
reason for ZKX509TrustManager class and its helpers.
I'm not sure I agree with this one. I uploaded a new commit on my pr showing 
that hostname verification can be implemented outside of the trust manager 
(since hostname verification is not part of ssl). I think that is easier this 
way because we often do not know which zookeeper sid is connecting until some 
information is transferred. In addition, I thought CRL is implemented 
completely outside of application logic (see: 
http://stackoverflow.com/questions/8506661/check-x509-certificate-revocation-status-in-spring-security-before-authenticatin/8507905#8507905),
 I could be very wrong though. Still need to test this.

bq. Hostname verification will need hostname to be supplied at SSLEngine 
creation time if reverse DNS lookup is not desired. I do not have this either.
For client <-> server I think this is true. We could move this into another 
patch as this is outside that would be outside the scope of the JIRA.

Please take a look at my latest changes and let me know what you think. I still 
have not implemented separating the client and server configurations. That 
should be coming soon.

Thanks,
Abe

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic 
> between ZooKeeper servers. For the most part this is a very easy change. We 
> would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to