[
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991346#comment-15991346
]
ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------
Github user afine commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/184#discussion_r114181665
--- Diff: src/java/main/org/apache/zookeeper/server/quorum/Learner.java ---
@@ -254,6 +260,9 @@ protected void connectToLeader(InetSocketAddress addr)
}
sockConnect(sock, addr, Math.min(self.tickTime *
self.syncLimit, remainingInitLimitTime));
+ if (self.isSslQuorum()) {
+ ((SSLSocket) sock).startHandshake();
+ }
sock.setTcpNoDelay(nodelay);
break;
} catch (IOException e) {
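Review bot: The startHandshake() call added after sockConnect(...) is not bounded by the Math.min(self.tickTime * self.syncLimit, remainingInitLimitTime) timeout that applies only to the connect; SSLSocket.startHandshake() blocks until the handshake completes or the socket's read timeout fires, so consider setting sock.setSoTimeout(...) to the remaining budget before the handshake so a peer that accepts the TCP connection but stalls the TLS handshake cannot hold the learner past the init limit. A handshake failure surfaces as SSLHandshakeException, a subclass of IOException, so it lands in the existing catch (IOException e) and is retried like a plain connect failure; a short comment at the call site stating that this is intended would help, and the (SSLSocket) cast relies on the socket having been created by the SSL factory whenever isSslQuorum() is true.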
--- End diff --
> if we know the SSL cert is invalid there is no point retrying
Not sure I agree. I can imagine cases where the certificate revocation
system is down and comes up at a later point in time.
> it's possible that what finally gets logged does not reflect the cause of
> the failure due to how these exceptions are handled
We seem to be logging pretty reasonably here:
https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/server/quorum/Follower.java#L95
In addition, there are some JVM system properties for SSL logging that we
can document to make sure certificate issues are as clear as possible.
> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, security, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)