[ https://issues.apache.org/jira/browse/ZOOKEEPER-4912?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated ZOOKEEPER-4912:
--------------------------------------
    Labels: pull-request-available  (was: )

> Remove default TLS cipher overrides
> -----------------------------------
>
>                 Key: ZOOKEEPER-4912
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4912
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>            Reporter: Istvan Toth
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This is a follow-up on the discussion on the ZOOKEEPER-4415
> [PR|https://github.com/apache/zookeeper/pull/1919] .
> ZK currently hardcodes the list of ciphers, and needs to add code to handle
> all new ciphers and Java TLS changes.
> This was originally added as a performance optimization, which is not very
> relevant today, and interferes with normal TLS operation.
> I propose removing the default cipher logic from X509Util.
> Ciphers could still be specified either by the existing config properties, or
> via the standard java properties / security config, but would otherwise
> default to the JVM defaults, and pick up any changes from new JDKs or
> security settings.
> This could cause performance problems for very old JDK8 JVMs, where the
> current behaviour can be restored by explicitly specifying the CBC cipher
> list, which should be added to the documentation.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)