Github user eolivelli commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/710#discussion_r235223996
--- Diff:
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
@@ -60,6 +60,12 @@
public abstract class X509Util {
private static final Logger LOG =
LoggerFactory.getLogger(X509Util.class);
+ static {
+ // Client-initiated renegotiation in TLS is unsafe and
+ // allows MITM attacks, so we should always disable it.
+ System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation",
"true");
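Review bot: setting `jdk.tls.rejectClientInitiatedRenegotiation` from a static initializer has two effects the comment in this hunk does not mention, and both deserve a sentence there. First, `System.setProperty` is JVM-global, so this silently changes TLS behaviour for every other component running in the same JVM as ZooKeeper (relevant when the server or client is embedded), with no way to opt out. Second, the JDK reads this property once, when its TLS implementation classes initialize, not per socket or per handshake; if any JSSE code has run before `X509Util` is loaded, the assignment here has no effect and renegotiation stays enabled. Suggest extending the comment to state that the property must be set before any TLS use in the JVM, and documenting that deployments which initialize TLS earlier should pass `-Djdk.tls.rejectClientInitiatedRenegotiation=true` on the command line instead of relying on this block.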
--- End diff --
Do you know if this system property is read only once from the JVM and then
cached, or applies to any new server socket or to any new accepted
connection/TLS handshake?
---