hyperxpro commented on code in PR #2009:
URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1230553729


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException {
         }
     }
 
+    public SslContext createNettySslContextForClient(ZKConfig config)
+        throws KeyManagerException, TrustManagerException, SSLException {
+        String keyStoreLocation = 
config.getProperty(sslKeystoreLocationProperty, "");
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, 
sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+        String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+        if (keyStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+        } else {
+            sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, 
keyStorePassword, keyStoreType));
+        }
+
+        String trustStoreLocation = 
config.getProperty(sslTruststoreLocationProperty, "");
+        String trustStorePassword = 
getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, 
sslTruststorePasswdPathProperty);
+        String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+        boolean sslOcspEnabled = 
config.getBoolean(this.sslOcspEnabledProperty);
+        boolean sslServerHostnameVerificationEnabled = 
config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+        boolean sslClientHostnameVerificationEnabled = 
sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+        if (trustStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+        } else {
+            
sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, 
trustStorePassword, trustStoreType,
+                sslCrlEnabled, sslOcspEnabled, 
sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+        }
+
+        sslContextBuilder.enableOcsp(sslOcspEnabled);
+        sslContextBuilder.protocols(getEnabledProtocols(config));
+        sslContextBuilder.ciphers(getCipherSuites(config));
+
+        return sslContextBuilder.build();
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config)
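Review bot: `sslContextBuilder.enableOcsp(sslOcspEnabled)` is applied unconditionally, but Netty's `SslContextBuilder.enableOcsp(true)` is only supported by the OpenSSL-backed providers; with the JDK provider `build()` rejects it with an `IllegalArgumentException`, so a client that sets the OCSP property without netty-tcnative on the classpath fails at context creation instead of falling back to the JDK trust manager's own revocation checks. Consider guarding it on the provider actually in use (for example `if (sslOcspEnabled && OpenSsl.isAvailable())`) or making the provider explicit on the builder so the failure mode is predictable. A second point: when `trustStoreLocation` is empty the builder is left without a trust manager, which means Netty falls back to the JDK's default trust store (cacerts) rather than rejecting connections; the `LOG.warn("{} not specified", getSslTruststoreLocationProperty())` message should say that the system default trust will be used, since this silently widens the set of CAs the client accepts.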

Review Comment:
   Give the option to force SSL providers like JDK or OpenSSL. There can be 
cases when the user has OpenSSL configured but still wants to use the JDK 
provider.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
