Github user anmolnar commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/184#discussion_r194458091
--- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
@@ -18,64 +18,119 @@
package org.apache.zookeeper.common;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
+import java.net.Socket;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.util.Arrays;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import static
org.apache.zookeeper.common.X509Exception.KeyManagerException;
-import static
org.apache.zookeeper.common.X509Exception.SSLContextException;
-import static
org.apache.zookeeper.common.X509Exception.TrustManagerException;
+import org.apache.zookeeper.common.X509Exception.KeyManagerException;
+import org.apache.zookeeper.common.X509Exception.SSLContextException;
+import org.apache.zookeeper.common.X509Exception.TrustManagerException;
/**
* Utility code for X509 handling
*/
-public class X509Util {
+public abstract class X509Util {
private static final Logger LOG =
LoggerFactory.getLogger(X509Util.class);
- /**
- * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_LOCATION}
- * instead.
- */
- @Deprecated
- public static final String SSL_KEYSTORE_LOCATION =
"zookeeper.ssl.keyStore.location";
- /**
- * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_PASSWD}
- * instead.
- */
- @Deprecated
- public static final String SSL_KEYSTORE_PASSWD =
"zookeeper.ssl.keyStore.password";
- /**
- * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_LOCATION}
- * instead.
- */
- @Deprecated
- public static final String SSL_TRUSTSTORE_LOCATION =
"zookeeper.ssl.trustStore.location";
- /**
- * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_PASSWD}
- * instead.
- */
- @Deprecated
- public static final String SSL_TRUSTSTORE_PASSWD =
"zookeeper.ssl.trustStore.password";
- /**
- * @deprecated Use {@link ZKConfig#SSL_AUTHPROVIDER}
- * instead.
- */
- @Deprecated
- public static final String SSL_AUTHPROVIDER =
"zookeeper.ssl.authProvider";
-
- public static SSLContext createSSLContext() throws SSLContextException
{
- /**
+ static final String DEFAULT_PROTOCOL = "TLSv1.2";
+
+ private String sslProtocolProperty = getConfigPrefix() + "protocol";
+ private String cipherSuitesProperty = getConfigPrefix() +
"ciphersuites";
+ private String sslKeystoreLocationProperty = getConfigPrefix() +
"keyStore.location";
+ private String sslKeystorePasswdProperty = getConfigPrefix() +
"keyStore.password";
+ private String sslTruststoreLocationProperty = getConfigPrefix() +
"trustStore.location";
+ private String sslTruststorePasswdProperty = getConfigPrefix() +
"trustStore.password";
+ private String sslHostnameVerificationEnabledProperty =
getConfigPrefix() + "hostnameVerification";
+ private String sslCrlEnabledProperty = getConfigPrefix() + "crl";
+ private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
+
+ private String[] cipherSuites;
--- End diff --
@ivmaykov Yep, it does make sense indeed. I've just got an understanding of
client-side TLS has been implemented completely different from this and it's
built inside Netty.
How about protocol restrictions here?
---
