[ https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17985131#comment-17985131 ]
Andor Molnar commented on ZOOKEEPER-4940:
-----------------------------------------

{quote}Setting the parameter causes the Tcnative provider to request a stapled OCSP response from the server.{quote}

Really? We've never added OCSP stapling support to ZooKeeper. Based on the JDK documentation, it can be enabled on both client and server side by setting
{noformat}
jdk.tls.client.enableStatusRequestExtension=true
jdk.tls.server.enableStatusRequestExtension=true
{noformat}
system properties, but ZooKeeper doesn't touch these. Therefore we only do CRL and client-side OCSP if revocation is enabled. In which case we might not need to set it in SslContext at all. Have you found Netty's documentation of this property?

> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4940
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.10.0, 3.9.3
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> The problem is that ZK unconditionally calls
> *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
> when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does
> not support that for the JRE provider.
> For JRE, OCSP is set in the javax.net.ssl.TrustManager object.
> I did not dig deep, but I presume that the OpenSSL provider ignores that,
> hence it needs another property.
> To make this even more interesting, this setting doesn't actually do anything
> at all in Zookeeper.
> Zookeeper uses netty-tcnative-boringssl-static, but this method is a NoOP for
> boringSSL, it is only supported by tcnative
> for OpenSSL.
> (I guess in theory the consumer could replace the tcnative implementation, in
> which case it would work as intended)
> {noformat}
> [zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0]
> 2025-06-18 04:06:01,013 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
> 2025-06-18 04:06:01,074 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
> java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
>         at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
>         at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
>         at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
>         at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
>         at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
>         at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
>         at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
>         at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
>         at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
>         at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
>         at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
>         at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
>         at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
>         at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
>         at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
>         at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
>         at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
>         at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
>         at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
>         at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
>         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
>         at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
>         at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>         at java.lang.Thread.run(Thread.java:750)
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
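As an added illustration of the guard the thread is circling around (example code, not ZooKeeper's or Netty's own; the class `OcspAwareSslContext`, the helper names and the `ocspEnabled` flag are assumptions), this forwards the OCSP switch to Netty only for the OpenSSL provider, and for the JDK provider configures revocation on the TrustManager through `PKIXRevocationChecker` rather than reproducing ZooKeeper's X509Util.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;

/** Hypothetical helper (not ZooKeeper's or Netty's own code). */
public final class OcspAwareSslContext {

    /** Builds a client SslContext; the OCSP flag only reaches Netty when the provider can honour it. */
    public static SslContext buildClientContext(KeyStore trustStore, SslProvider provider, boolean ocspEnabled)
            throws Exception {
        SslContextBuilder builder = SslContextBuilder.forClient()
                .sslProvider(provider)
                .trustManager(trustManagerFactory(trustStore, ocspEnabled));

        // With the JDK provider, enableOcsp(true) makes SslContextBuilder.build() throw
        // IllegalArgumentException("OCSP is not supported with this SslProvider: JDK"), so gate the call.
        // OpenSsl.isOcspSupported() is Netty's runtime probe of the loaded tcnative library.
        if (ocspEnabled && provider == SslProvider.OPENSSL && OpenSsl.isOcspSupported()) {
            builder.enableOcsp(true);
        }
        return builder.build();
    }

    /** With the JDK provider, revocation checking is configured on the TrustManager instead. */
    static TrustManagerFactory trustManagerFactory(KeyStore trustStore, boolean ocspEnabled) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        if (!ocspEnabled) {
            tmf.init(trustStore);
            return tmf;
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // No SOFT_FAIL option: an unreachable OCSP responder fails verification instead of passing silently.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        pkix.addCertPathChecker(checker);
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }
}
```

With `provider == SslProvider.JDK` and `ocspEnabled == true` the builder no longer throws, and the revocation check is performed by the JDK's PKIX trust manager during the handshake.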