[ https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17981671#comment-17981671 ]

Istvan Toth commented on ZOOKEEPER-4940:
----------------------------------------

FYI [~andor]

> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4940
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> The problem is that ZK unconditionally calls
> *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
> when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does
> not support that for the JRE provider.
> For JRE, OCSP is set in the javax.net.ssl.TrustManager object.
> I did not dig deep, but I presume that the OpenSSL provider ignores that,
> hence it needs another property.
> {noformat}
> [zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 2025-06-18 04:06:01,013 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
> 2025-06-18 04:06:01,074 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
> java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
>     at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
>     at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
>     at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
>     at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
>     at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
>     at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
>     at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
>     at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
>     at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
>     at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
>     at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
>     at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
>     at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
>     at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
>     at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
>     at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
>     at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
>     at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.lang.Thread.run(Thread.java:750)
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
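The issue description above states the two halves of the problem: Netty's SslContextBuilder.enableOcsp(boolean) throws IllegalArgumentException for the JDK provider, and for the JRE path OCSP has to be configured on the javax.net.ssl.TrustManager instead. The following is an added example written for this page, not ZooKeeper's code and not the fix that was eventually committed for ZOOKEEPER-4940. It shows one way a client SslContext can honour a single "enable OCSP" flag under both providers: for JDK it builds a PKIX TrustManagerFactory with a PKIXRevocationChecker and never touches enableOcsp(); for the OpenSSL-backed providers it calls enableOcsp() as before. The class and method names (OcspAwareClientContext, jdkTrustManagerFactory, build) are the example's own; only the Netty and JDK API calls are real.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;

/**
 * Illustrative example (not ZooKeeper's own code): build a Netty client
 * SslContext whose OCSP behaviour depends on the SslProvider in use.
 */
public final class OcspAwareClientContext {

    private OcspAwareClientContext() {}

    /**
     * JDK provider: revocation checking lives in the TrustManager. A PKIX
     * TrustManagerFactory is initialised with PKIXBuilderParameters that carry
     * a PKIXRevocationChecker; attaching the checker is what turns revocation
     * checking on. SslContextBuilder.enableOcsp() is never called on this path,
     * so Netty's "OCSP is not supported with this SslProvider: JDK" check is
     * never triggered.
     */
    static TrustManagerFactory jdkTrustManagerFactory(KeyStore trustStore, boolean ocsp) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        if (!ocsp) {
            tmf.init(trustStore);   // plain path validation, no revocation checking
            return tmf;
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // JDK default: try OCSP first, fall back to CRLs, hard-fail if status is unknown.
        // NO_FALLBACK makes the checker OCSP-only, so an unreachable responder fails the
        // handshake instead of quietly degrading to CRLs. Drop this line to keep the default.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        pkix.addCertPathChecker(checker);
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    /**
     * Resolve the effective provider (Netty picks OpenSSL when available, else JDK)
     * and configure OCSP in the place that provider actually supports.
     */
    static SslContext build(SslProvider requested, KeyStore trustStore, boolean ocsp) throws Exception {
        SslProvider provider = requested != null ? requested : SslContext.defaultClientProvider();
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(provider);

        if (provider == SslProvider.JDK) {
            builder.trustManager(jdkTrustManagerFactory(trustStore, ocsp));
        } else {
            // OPENSSL / OPENSSL_REFCNT: OCSP is configured on the native context via enableOcsp().
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            builder.trustManager(tmf).enableOcsp(ocsp);
        }
        return builder.build();
    }
}
```

The point of the branch on provider is the one the issue makes: the same user-facing flag has to map to different mechanisms, and calling enableOcsp(true) unconditionally is only correct when the resolved provider is OpenSSL-backed. Callers who let Netty choose the provider should resolve it first, as build() does, rather than assume OpenSSL is present.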