Kezhu Wang created ZOOKEEPER-4958:
-------------------------------------
Summary: "ssl.clientHostnameVerification" is ignored if "ssl.authProvider" is configured to "x509"
Key: ZOOKEEPER-4958
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4958
Project: ZooKeeper
Issue Type: Bug
Components: server
Affects Versions: 3.9.3, 3.8.4
Reporter: Kezhu Wang
{{NettyServerCnxnFactory}} uses the {{TrustManager}} from
{{X509AuthenticationProvider}} if {{ssl.authProvider}} is configured.
But {{clientHostnameVerificationEnabled}} is explicitly set to {{false}} during
construction.
I confirmed this locally with a test.
Server configs:
* zookeeper.ssl.hostnameVerification: true
* zookeeper.ssl.clientHostnameVerification: true
* zookeeper.fips-mode: false
* zookeeper.ssl.authProvider: x509
Related code:
* https://github.com/apache/zookeeper/blob/770804bef861bbfc9e150b63774f8557f1f8d995/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L572
* https://github.com/apache/zookeeper/blob/770804bef861bbfc9e150b63774f8557f1f8d995/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java#L123
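An added example, not part of the Jira report or of ZooKeeper's code: a small Python audit that flags a server configuration matching the combination described in the report. The function names and status strings are hypothetical, and it assumes settings arrive as `key=value` or `key: value` lines, with or without the `zookeeper.` prefix.

```python
"""Audit ZooKeeper server settings for the combination in ZOOKEEPER-4958."""

# Versions the report lists under "Affects Versions".
REPORTED_VERSIONS = {"3.9.3", "3.8.4"}


def parse_settings(text):
    """Parse 'key=value' / 'key: value' lines; drop the 'zookeeper.' prefix."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()  # tolerate the report's bullets
        if not line or line.startswith("#"):
            continue
        # Split on whichever separator appears first.
        cuts = [p for p in (line.find("="), line.find(":")) if p != -1]
        if not cuts:
            continue
        key, value = line[:min(cuts)].strip(), line[min(cuts) + 1:].strip()
        if key.startswith("zookeeper."):
            key = key[len("zookeeper."):]
        settings[key] = value
    return settings


def audit(text, version=None):
    """Return (status, detail) for one server's settings (hypothetical statuses)."""
    s = parse_settings(text)
    provider = s.get("ssl.authProvider")
    if not provider:
        return "NO_AUTH_PROVIDER", "ssl.authProvider is not set"
    # Only an explicit 'true' counts; no assumption is made about defaults.
    if s.get("ssl.clientHostnameVerification", "").lower() != "true":
        return "NOT_REQUESTED", "ssl.clientHostnameVerification is not set to true"
    listed = "listed" if version in REPORTED_VERSIONS else "not listed"
    return "MATCHES_REPORT", (
        f"ssl.authProvider={provider} with ssl.clientHostnameVerification=true; "
        f"version {version} is {listed} in the report's affected versions")


# Constructed sample: the server configs quoted in the report.
REPORT_CONFIG = """\
* zookeeper.ssl.hostnameVerification: true
* zookeeper.ssl.clientHostnameVerification: true
* zookeeper.fips-mode: false
* zookeeper.ssl.authProvider: x509
"""

if __name__ == "__main__":
    print(audit(REPORT_CONFIG, version="3.9.3"))
```

The quorum keys (`ssl.quorum.*`) are deliberately not matched, since the report concerns the client-facing `ssl.*` settings only.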