Github user eolivelli commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/710#discussion_r235529044
--- Diff:
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java ---
@@ -60,6 +60,12 @@
public abstract class X509Util {
private static final Logger LOG =
LoggerFactory.getLogger(X509Util.class);
+ static {
+ // Client-initiated renegotiation in TLS is unsafe and
+ // allows MITM attacks, so we should always disable it.
+ System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation",
"true");
--- End diff --
Anyway we are in server context, it is better to have this setting on.
The only thing we can do to enhance this change is trying not to override
explicit settings from the user.
So I would write:
If System.getProperty(...) == null...System.setProperty(...)
This way if there is a bug in JVM and you want to not enable this mechanism
you can set the property explicitly to false and this block won't touch the
property
What do you think?
---
