[ https://issues.apache.org/jira/browse/ZOOKEEPER-4912?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Istvan Toth updated ZOOKEEPER-4912:
-----------------------------------

Description:

This is a follow-up on the discussion on the ZOOKEEPER-4415 PR (https://github.com/apache/zookeeper/pull/1919).

ZK currently hardcodes the list of ciphers, and needs to add code to handle all new ciphers and Java TLS changes. This was originally added as a performance optimization, which is not very relevant today, and interferes with normal TLS operation.

I propose removing the default cipher logic from X509Util. Ciphers could still be specified either by the existing config properties, or via the standard Java properties / security config, but would otherwise default to the JVM defaults, and pick up any changes from new JDKs or security settings.

This could cause performance problems for very old JDK8 JVMs, where the current behaviour can be restored by explicitly specifying the CBC cipher list, which should be added to the documentation.

was:

This is a follow-up on the discussion on the ZOOKEEPER-4415 PR (https://github.com/apache/zookeeper/pull/1919).

ZK currently hardcodes the list of ciphers, and needs to add code to handle all new ciphers and Java TLS changes. This was originally added as a performance optimization, which is not very relevant today, and interferes with normal TLS operation.

I propose removing the default cipher logic from X509Util. Ciphers could still be specified either by the existing config properties, or via the standard Java properties / security config, but would otherwise default to the JVM defaults, and pick up any changes from new JDKs or security settings.

This could cause performance problems for very old JDK8 JVMs, where the current behaviour can be restored by explicitly specifying the CBC cipher list.
> Remove default TLS cipher overrides
> -----------------------------------
>
> Key: ZOOKEEPER-4912
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4912
> Project: ZooKeeper
> Issue Type: Improvement
> Components: security
> Reporter: Istvan Toth
> Priority: Major

-- This message was sent by Atlassian Jira (v8.20.10#820010)
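As an added Java example (not ZooKeeper's own code; `resolveCipherSuites` is a hypothetical helper), the two strategies the ticket contrasts: falling back to the JVM's default suites, versus an explicitly configured list that is validated against what the running JDK actually supports, so a stale hard-coded override fails at startup instead of at handshake time.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherSuiteResolver {

    /**
     * Returns the cipher suites to enable on a socket or engine.
     * A null or empty override means "use the JVM defaults", which already
     * reflect the JDK version and the jdk.tls.disabledAlgorithms security
     * property. Hypothetical helper written for this example, not X509Util.
     */
    static String[] resolveCipherSuites(SSLContext ctx, String configuredCsv) {
        if (configuredCsv == null || configuredCsv.trim().isEmpty()) {
            return ctx.getDefaultSSLParameters().getCipherSuites();
        }
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> enabled = new ArrayList<>();
        List<String> unknown = new ArrayList<>();
        for (String name : configuredCsv.split(",")) {
            String suite = name.trim();
            if (suite.isEmpty()) continue;
            (supported.contains(suite) ? enabled : unknown).add(suite);
        }
        // Fail loudly rather than silently shrinking the list: a fixed override
        // goes stale as soon as a newer JDK renames, disables or drops a suite.
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("Unsupported cipher suites: " + unknown);
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String[] defaults = resolveCipherSuites(ctx, null);
        System.out.println("JVM default suites: " + defaults.length);
        for (String s : defaults) System.out.println("  " + s);
        // Constructed override: one CBC suite of the kind the ticket mentions
        // plus a name no JDK knows, to show how an explicit list is rejected.
        try {
            resolveCipherSuites(ctx,
                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_NOT_A_REAL_SUITE");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Editing `jdk.tls.disabledAlgorithms` in the JVM's `java.security` file changes what the first branch returns with no code change, which is the behaviour the ticket proposes to rely on instead of a list maintained in X509Util.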