[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17985132#comment-17985132
 ] 

Andor Molnar edited comment on ZOOKEEPER-4940 at 6/21/25 11:19 PM:
-------------------------------------------------------------------

[Even better|https://netty.io/4.1/api/io/netty/handler/ssl/OpenSsl.html#isOcspSupported--]
{code:java}
if (OpenSsl.isOcspSupported()) {
    sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
}
{code}
which will enable OCSP stapling if set in the ZooKeeper configuration _and_ the
provider supports it. For the JRE provider one must set it via the above-mentioned
properties. I'm not sure if we want to integrate that in ZooKeeper; we already set
some other system properties on the server side.
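The comment above describes two different OCSP mechanisms: Netty's enableOcsp() for the native (tcnative/OpenSSL) provider, which must be guarded by OpenSsl.isOcspSupported(), and the JDK's own TrustManager-based revocation checking for the JRE provider. The following is an added example, not ZooKeeper or Netty project code, showing one way to select the right mechanism from a single "OCSP enabled" flag without triggering the IllegalArgumentException in the stack trace below. The class name OcspAwareSslContext, the trust-store parameters and the ocspEnabled flag (standing in for zookeeper.ssl.ocsp) are assumptions of this example; the JDK APIs used (PKIXRevocationChecker, CertPathTrustManagerParameters) and Netty's SslContextBuilder methods are real.

```java
// Added example (not ZooKeeper or Netty code): choose the OCSP mechanism that
// matches the TLS provider instead of calling enableOcsp() unconditionally.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

public final class OcspAwareSslContext {

    /**
     * Builds a client SslContext. ocspEnabled plays the role of the
     * zookeeper.ssl.ocsp flag; trustStorePath/trustStorePassword are
     * hypothetical inputs for this example.
     */
    public static SslContext buildClientContext(boolean ocspEnabled,
                                                SslProvider provider,
                                                String trustStorePath,
                                                char[] trustStorePassword) throws Exception {
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(provider);

        if (provider == SslProvider.JDK) {
            // JDK provider: Netty rejects enableOcsp(true) with
            // "OCSP is not supported with this SslProvider: JDK", so revocation
            // checking is configured on the TrustManager instead.
            builder.trustManager(jdkTrustManagerFactory(ocspEnabled, trustStorePath, trustStorePassword));
        } else if (ocspEnabled && OpenSsl.isOcspSupported()) {
            // Native provider whose tcnative build actually implements OCSP
            // (OpenSSL); this is the only case where enableOcsp() has an effect.
            builder.enableOcsp(true);
        }
        // Native provider without OCSP support (e.g. the BoringSSL static build):
        // enableOcsp() is skipped, so the flag is silently ineffective. A real
        // implementation should log that stapling was requested but is unavailable.
        return builder.build();
    }

    /**
     * PKIX TrustManagerFactory for the JDK provider. When OCSP is requested,
     * a PKIXRevocationChecker is attached so revocation is checked as part of
     * certificate path validation (the JDK mechanism the issue refers to).
     */
    static TrustManagerFactory jdkTrustManagerFactory(boolean ocspEnabled,
                                                      String trustStorePath,
                                                      char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        if (!ocspEnabled) {
            tmf.init(trustStore);   // plain PKIX validation, no revocation checking
            return tmf;
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // Default checker options: OCSP is tried first, CRLs are the fallback,
        // and an unreachable responder fails the handshake (no SOFT_FAIL).
        pkix.addCertPathChecker(checker);
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }
}
```

The branch structure is the point: the provider decides which mechanism is valid, and the "native provider, OCSP unsupported" case is handled by not calling enableOcsp() at all, which is exactly what the guard in the comment achieves. Operationally, that case deserves a log line, since the configuration flag is otherwise accepted but has no effect, which matches the reporter's observation for the BoringSSL build.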

 



> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4940
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.10.0, 3.9.3
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> The problem is that ZK unconditionally calls
> *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
> when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does
> not support that for the JRE provider.
> For the JRE, OCSP is set in the javax.net.ssl.TrustManager object.
> I did not dig deep, but I presume that the OpenSSL provider ignores that,
> hence it needs another property.
> To make this even more interesting, this setting doesn't actually do anything
> at all in ZooKeeper.
> ZooKeeper uses netty-tcnative-boringssl-static, but this method is a no-op for
> BoringSSL; it is only supported by tcnative for OpenSSL.
> (I guess in theory the consumer could replace the tcnative implementation, in
> which case it would work as intended.)
> {noformat}
> [zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 
> 2025-06-18 04:06:01,013 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
> 2025-06-18 04:06:01,074 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
> java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
>       at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
>       at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
>       at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
>       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
>       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
>       at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
>       at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
>       at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
>       at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
>       at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
>       at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
>       at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
>       at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
>       at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
>       at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
>       at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
>       at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
>       at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
>       at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
>       at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>       at java.lang.Thread.run(Thread.java:750)
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
