[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15923591#comment-15923591 ]
Abraham Fine commented on ZOOKEEPER-236: ---------------------------------------- Hi [~geek101]- bq. Need for separate SSL config for client to server and quorum peer to quorum peer. Changes to X509Util and ZKConfig are for this. Totally agree. bq. Need for Hostname verification and CRL lists at-least for quorum peer to quorum peer SSL would mean that we will need X509ExtendedTrustManager hence the reason for ZKX509TrustManager class and its helpers. I'm not sure I agree with this one. I uploaded a new commit on my pr showing that hostname verification can be implemented outside of the trust manager (since hostname verification is not part of ssl). I think that is easier this way because we often do not know which zookeeper sid is connecting until some information is transferred. In addition, I thought CRL is implemented completely outside of application logic (see: http://stackoverflow.com/questions/8506661/check-x509-certificate-revocation-status-in-spring-security-before-authenticatin/8507905#8507905), I could be very wrong though. Still need to test this. bq. Hostname verification will need hostname to be supplied at SSLEngine creation time if reverse DNS lookup is not desired. I do not have this either. For client <-> server I think this is true. We could move this into another patch as this is outside that would be outside the scope of the JIRA. Please take a look at my latest changes and let me know what you think. I still have not implemented separating the client and server configurations. That should be coming soon. Thanks, Abe > SSL Support for Atomic Broadcast protocol > ----------------------------------------- > > Key: ZOOKEEPER-236 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236 > Project: ZooKeeper > Issue Type: New Feature > Components: quorum, server > Reporter: Benjamin Reed > Assignee: Abraham Fine > Priority: Minor > > We should have the ability to use SSL to authenticate and encrypt the traffic > between ZooKeeper servers. For the most part this is a very easy change. We > would probably only want to support this for TCP based leader elections. -- This message was sent by Atlassian JIRA (v6.3.15#6346)