[ https://issues.apache.org/jira/browse/ZOOKEEPER-4955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Istvan Toth updated ZOOKEEPER-4955:
-----------------------------------
    Description: 
EDIT:

The original proposal was rejected, and a different solution is implemented 
which mimics the JVM internal logic.


Zookeeper currently automatically calls 
PKIXBuilderParameters#setRevocationEnabled() based on the values of the 
*ssl.(quorum.)ocsp* and ssl(.quorum).crl config options.

This means that if we don't set the above options, then ZK will explicitly 
disable revocation checks. As those options are also setting global 
System/Security properties, we do not have a way to enable revocation checks 
without clobbering the revocation related global properties.

Adding a new property will let ZK enable/disable revocation checks without 
clobbering the JVM global properties.

  was:
Zookeeper currently automatically calls 
PKIXBuilderParameters#setRevocationEnabled() based on the values of the 
*ssl.(quorum.)ocsp* and ssl(.quorum).crl config options.

This means that if we don't set the above options, then ZK will explicitly 
disable revocation checks. As those options are also setting global 
System/Security properties, we do not have a way to enable revocation checks 
without clobbering the revocation related global properties.

Adding a new property will let ZK enable/disable revocation checks without 
clobbering the JVM global properties.


> Fix interference with jvm ssl properties for ssl.crl and ssl.ocsp
> -----------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4955
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4955
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> EDIT:
> The original proposal was rejected, and a different solution is implemented 
> which mimics the JVM internal logic.
> Zookeeper currently automatically calls 
> PKIXBuilderParameters#setRevocationEnabled() based on the values of the 
> *ssl.(quorum.)ocsp* and ssl(.quorum).crl config options.
> This means that if we don't set the above options, then ZK will explicitly 
> disable revocation checks. As those options are also setting global 
> System/Security properties, we do not have a way to enable revocation checks 
> without clobbering the revocation related global properties.
> Adding a new property will let ZK enable/disable revocation checks without 
> clobbering the JVM global properties.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
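
An added illustration of the problem described in this issue (not ZooKeeper's code and not the patch that was merged): the revocation flag is decided per trust manager from an explicit setting, and when nothing is configured it defers to the JVM's `com.sun.net.ssl.checkRevocation` system property instead of forcing `false`. No global System/Security property is written. The class name, the tri-state `configured` parameter and the fallback rule are assumptions made for the example.

```java
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

public final class RevocationParams {

    // Hypothetical tri-state setting: TRUE/FALSE = operator's explicit choice,
    // null = not configured, so the JVM-wide JSSE switch decides.
    static boolean effectiveRevocation(Boolean configured) {
        if (configured != null) {
            return configured;
        }
        // Read-only lookup; the global property is never modified here.
        return Boolean.getBoolean("com.sun.net.ssl.checkRevocation");
    }

    // Builds a trust manager factory whose revocation behaviour is local to
    // this PKIXBuilderParameters instance. The trust store must contain at
    // least one trusted certificate, otherwise the constructor throws.
    static TrustManagerFactory build(KeyStore trustStore, Boolean configured)
            throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(effectiveRevocation(configured));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }

    public static void main(String[] args) {
        // The three cases: explicit on, explicit off, and unset (JVM decides).
        System.out.println("explicit on:  " + effectiveRevocation(Boolean.TRUE));
        System.out.println("explicit off: " + effectiveRevocation(Boolean.FALSE));
        System.out.println("unset:        " + effectiveRevocation(null));
    }
}
```

Running it with `-Dcom.sun.net.ssl.checkRevocation=true` changes only the "unset" line, which is the case the issue says was previously forced to disabled.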
