[ https://issues.apache.org/jira/browse/ZOOKEEPER-4941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17982785#comment-17982785 ]
Andor Molnar edited comment on ZOOKEEPER-4941 at 6/18/25 6:31 PM:
------------------------------------------------------------------

Thanks [~stoty] for bringing these up. I always thought that revocation properties are poorly handled in ZooKeeper. Which parameters are we talking about exactly?
 * boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
 * boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
 * boolean sslServerHostnameVerificationEnabled = isServerHostnameVerificationEnabled(config);
 * boolean sslClientHostnameVerificationEnabled = isClientHostnameVerificationEnabled(config);
 * boolean fipsMode = getFipsMode(config);

*Hostname verification* on both client and server side relies on the custom truststore and the custom ZKTrustManager that we create for it. If we don't have these, how to set up hostname verification? Is that even possible? If yes, should we care about that instead of relying on JVM defaults (since we already use default trust manager)?

*fipsMode* is a ZooKeeper specific setting; if we don't create TrustStore and ZKTrustManager, we can ignore it.

*Revocation flags* (CRL, OCSP enabled) could be a TriState value as you propose in your PR to maintain backward compatibility. I'm not sure if disabling them in ZooKeeper makes too much sense, so we could have just ignored them if config value is false.

Btw, what is the use case exactly? If truststore location is null, ZK won't touch any of the above default settings in JVM. Why do you want to do that from ZooKeeper?

> Several SSL properties ignored when custom truststore is not specified
> ----------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4941
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4941
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>            Reporter: Istvan Toth
>            Priority: Major
>
> CRL, OCSP, Hostname verification and fips are all ignored if there is no
> custom truststore specified.
> https://github.com/apache/zookeeper/blob/e5dd60bf0512ccc1e090d99410a8da48623219da/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L402
> These properties are all meaningful for the default (cacerts) JVM
> certificates.
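
An added example, not ZooKeeper's code and not part of the thread, of how the revocation and hostname-verification settings discussed above can be applied through standard JSSE APIs when only the JVM default trust store is in use. `TriState`, `clientEngine`, the class name and the host name are hypothetical; the tri-state leaves JVM defaults untouched when unset.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class DefaultTrustStoreTls {
    // Hypothetical tri-state: UNSET means "do not touch the JVM default".
    enum TriState { UNSET, TRUE, FALSE }

    static SSLEngine clientEngine(String host, int port, TriState revocation,
                                  boolean ocsp, boolean verifyHostname) throws Exception {
        // init(null) loads the JVM default trust store (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init((KeyStore) null);
        if (revocation != TriState.UNSET) {
            // Rebuild the PKIX parameters from the default anchors with an explicit setting.
            Set<TrustAnchor> anchors = new HashSet<>();
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                        anchors.add(new TrustAnchor(ca, null));
                    }
                }
            }
            PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
            pkix.setRevocationEnabled(revocation == TriState.TRUE);
            if (revocation == TriState.TRUE) {
                System.setProperty("com.sun.security.enableCRLDP", "true"); // JVM-wide
                if (ocsp) Security.setProperty("ocsp.enable", "true");      // JVM-wide
            }
            tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(new CertPathTrustManagerParameters(pkix));
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (verifyHostname) {
            // The default X509ExtendedTrustManager checks the peer name itself once this is set.
            SSLParameters p = engine.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(p);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine e = clientEngine("zk1.example.com", 2281, TriState.UNSET, false, true);
        System.out.println(e.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The CRL distribution point and OCSP switches are process-wide JVM properties, so setting them from one component affects every TLS consumer in the same JVM.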