[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15929080#comment-15929080 ]
Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------

Hi [~geek101]-

bq. If multiple servers have certs with the same subjectAltName entry of type dNSName and that is indeed how the CA signed them then it should be ok from TLS perspective

I agree that at least one of the alt_names needs to match the host from configuration (not all of them).

bq. Take a case where if someone can subvert the CA get signed by it for the same domain and subvert DNS then they might as well try few sids starting from zero before ZK lets the server connect.

If the CA is subverted (certificates are being issued for servers for domains not under their control) and the name service is subverted, hostname verification of any kind can't work. Either the CA or the NS (DNS or the zk config) needs to have integrity.

But I think you raise an interesting issue where a client can just try multiple IDs when connecting to another server until it matches the one on its (let's assume stolen) certificate. I did not consider that. Let me dig into this a little deeper and see if I can get a better idea of what is going on.

bq. We should probably have it off by default and let the admin turn it on.

The latest patch has this behavior.

bq. Also wanted to ask you if we could make all sockets BufferedSocket by default rather than making that conditional on port unification configuration.

Why would we want to do this? I think there is a small performance hit involved.

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.
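
The hostname check discussed in the comment above, as an added Java sketch that is not code from the ZOOKEEPER-236 patch or from ZooKeeper: a peer claims a sid, and its certificate is accepted if at least one dNSName SAN equals the host configured for that sid. The class and method names, the sid-to-host map and the host names are assumptions constructed for illustration; matching is exact and case-insensitive, with no wildcard handling.

```java
import java.util.*;

// Added illustration, not ZooKeeper code. Models the check discussed above:
// a quorum peer claims a server id (sid); its certificate is accepted only if
// at least one dNSName SAN equals the host configured for that sid.
public class QuorumPeerNameCheck {
    static final int DNS_NAME = 2; // GeneralName type for dNSName (RFC 5280)

    // sans has the shape returned by X509Certificate.getSubjectAlternativeNames():
    // each entry is [Integer type, value]. Exact, case-insensitive match only;
    // wildcard handling is left out of this sketch.
    static boolean sanMatchesConfiguredHost(Map<Long, String> config, long claimedSid,
                                            Collection<List<?>> sans) {
        String expected = config.get(claimedSid);
        if (expected == null || sans == null) {
            return false; // unknown sid or certificate without SANs
        }
        for (List<?> san : sans) {
            if (san.size() >= 2 && Integer.valueOf(DNS_NAME).equals(san.get(0))
                    && san.get(1) instanceof String
                    && expected.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration (sid -> host), hypothetical names.
        Map<Long, String> config = new HashMap<>();
        config.put(0L, "zk0.example.test");
        config.put(1L, "zk1.example.test");
        config.put(2L, "zk2.example.test");

        // Constructed SAN list: one certificate with two dNSNames and an IP entry.
        Collection<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS_NAME, "zk-quorum.example.test"));
        sans.add(Arrays.asList(DNS_NAME, "ZK2.example.test"));
        sans.add(Arrays.asList(7, "192.0.2.12")); // iPAddress, ignored by this check

        // The SAN check alone passes for exactly one claimed sid, whoever holds the key.
        for (long sid = 0; sid <= 3; sid++) {
            System.out.println("claimed sid " + sid + " -> "
                    + sanMatchesConfiguredHost(config, sid, sans));
        }
    }
}
```

In this sketch the result depends only on the claimed sid and the SANs on the certificate, not on which machine presents it, so any additional binding between the connecting peer and its sid has to come from a separate check.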