eolivelli commented on code in PR #2009:
URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1230932443


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException {
         }
     }
 
+    public SslContext createNettySslContextForClient(ZKConfig config)
+        throws KeyManagerException, TrustManagerException, SSLException {
+        String keyStoreLocation = 
config.getProperty(sslKeystoreLocationProperty, "");
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, 
sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+        String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+        if (keyStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+        } else {
+            sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, 
keyStorePassword, keyStoreType));
+        }
+
+        String trustStoreLocation = 
config.getProperty(sslTruststoreLocationProperty, "");
+        String trustStorePassword = 
getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, 
sslTruststorePasswdPathProperty);
+        String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+        boolean sslOcspEnabled = 
config.getBoolean(this.sslOcspEnabledProperty);
+        boolean sslServerHostnameVerificationEnabled = 
config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+        boolean sslClientHostnameVerificationEnabled = 
sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+        if (trustStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+        } else {
+            
sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, 
trustStorePassword, trustStoreType,
+                sslCrlEnabled, sslOcspEnabled, 
sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+        }
+
+        sslContextBuilder.enableOcsp(sslOcspEnabled);
+        sslContextBuilder.protocols(getEnabledProtocols(config));
+        sslContextBuilder.ciphers(getCipherSuites(config));
+
+        return sslContextBuilder.build();
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config)
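Review bot: In the `trustStoreLocation.isEmpty()` branch the builder is left without a trust manager, so the `sslCrlEnabled`, `sslOcspEnabled` and both hostname-verification flags computed just above are never applied to the client context; the connection then relies on whatever default trust the Netty provider supplies, presumably without a hostname check, and the warning does not say so. Making that visible to operators would be cheap, e.g. `LOG.warn("{} not specified; CRL/OCSP and hostname verification settings will not be applied", getSslTruststoreLocationProperty());`. Separately, `sslContextBuilder.enableOcsp(sslOcspEnabled)` is applied regardless of provider; if I recall correctly Netty's `build()` rejects OCSP with the JDK provider, so with `sslOcspEnabled` true and no tcnative available this would surface as an unchecked exception rather than one of the declared `SSLException`/`TrustManagerException` types — worth confirming and, if so, documenting in a Javadoc `@throws` on the method. The hunk is quoted only up to the signature of `createNettySslContextForServer`, so that method's body is outside this view.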

Review Comment:
   Maybe recent versions of tcnative cover all the platforms, I haven't checked.
   
   We should bundle the library at least for Linux, and it would be really nice 
to have it for macOS on x86 and ARM (M1).
   
   
   


