eseabrook1 commented on code in PR #2257: URL: https://github.com/apache/zookeeper/pull/2257#discussion_r2120757755
########## zookeeper-client/zookeeper-client-c/src/zookeeper.c: ##########
@@ -2769,27 +2769,30 @@ static int init_ssl_for_socket(zsock_t *fd, zhandle_t *zh, int fail_on_error) {
 errno = EINVAL;
 return ZBADARGUMENTS;
 }
- /*CLIENT CA FILE (With Certificate Chain)*/
- if (SSL_CTX_use_certificate_chain_file(*ctx, fd->cert->cert) != 1) {
- SSL_CTX_free(*ctx);
- LOG_ERROR(LOGCALLBACK(zh), "Failed to load client certificate chain from %s", fd->cert->cert);
- errno = EINVAL;
- return ZBADARGUMENTS;
- }
- /*CLIENT PRIVATE KEY*/
- SSL_CTX_set_default_passwd_cb_userdata(*ctx, fd->cert->passwd);
- if (SSL_CTX_use_PrivateKey_file(*ctx, fd->cert->key, SSL_FILETYPE_PEM) != 1) {
- SSL_CTX_free(*ctx);
- LOG_ERROR(LOGCALLBACK(zh), "Failed to load client private key from %s", fd->cert->key);
- errno = EINVAL;
- return ZBADARGUMENTS;
- }
- /*CHECK*/
- if (SSL_CTX_check_private_key(*ctx) != 1) {
- SSL_CTX_free(*ctx);
- LOG_ERROR(LOGCALLBACK(zh), "SSL_CTX_check_private_key failed");
- errno = EINVAL;
- return ZBADARGUMENTS;
+ if (fd->cert->cert != NULL && fd->cert->passwd != NULL && fd->cert->key != NULL)
Review Comment: I am not particularly familiar with the SSL APIs, but my assumption was that we would be in client mode, and still want to validate the server certificate so the existing settings are still correct. We only want the TLS handshake to continue if ths server certificate is valid https://docs.openssl.org/master/man3/SSL_CTX_set_verify/
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org