anmolnar commented on code in PR #2271: URL: https://github.com/apache/zookeeper/pull/2271#discussion_r2163676682
########## zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java: ########## 
@@ -548,17 +548,19 @@ public static X509TrustManager createTrustManager( try { KeyStore ts = loadTrustStore(trustStoreLocation, trustStorePassword, trustStoreTypeProp); PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new X509CertSelector()); - if (crlEnabled || ocspEnabled) { - pbParams.setRevocationEnabled(true); - System.setProperty("com.sun.net.ssl.checkRevocation", "true"); - System.setProperty("com.sun.security.enableCRLDP", "true"); - if (ocspEnabled) { - Security.setProperty("ocsp.enable", "true"); - } - } else { - pbParams.setRevocationEnabled(false); + // Leave CRL/OCSP JVM global properties alone both are set to "system" (represented as null) + if (!crlEnabled.isSystem() || !ocspEnabled.isSystem()) { + if (crlEnabled.isTrue() || ocspEnabled.isTrue()) { + pbParams.setRevocationEnabled(true); + System.setProperty("com.sun.net.ssl.checkRevocation", "true"); + System.setProperty("com.sun.security.enableCRLDP", "true"); + if (ocspEnabled.isTrue()) { + Security.setProperty("ocsp.enable", "true"); + } + } else { + pbParams.setRevocationEnabled(false); + } Review Comment: Doc: > When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
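Review bot: in the new outer `if (!crlEnabled.isSystem() || !ocspEnabled.isSystem())`, the both-"system" case now calls neither `setRevocationEnabled(true)` nor `setRevocationEnabled(false)`, so the PKIXBuilderParameters default of `true` (the javadoc quoted in the review comment) is what the trust manager ends up with, while none of the `checkRevocation` / `enableCRLDP` / `ocsp.enable` properties are set; the removed `else` branch used to force `false` here. If "system" is meant to defer to the JVM, make that explicit instead of relying on the constructor default, e.g. `pbParams.setRevocationEnabled(Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));` in an `else` for the outer `if`. Two smaller points in the same hunk: the mixed case `crlEnabled` = system and `ocspEnabled` = false (or the reverse) enters the outer `if`, neither `isTrue()` holds, and the inner `else` disables revocation outright, so an explicit "false" on one knob silently overrides "system" on the other; that deserves a comment or a test. And the new comment is missing a word: `// Leave CRL/OCSP JVM global properties alone when both are set to "system" (represented as null)`.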
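The javadoc quoted above describes the path the hunk does not take: set the revocation flag to false and substitute a checker via `addCertPathChecker`. The following is an added example, not ZooKeeper's code and not part of the PR, showing how the hunk's tri-state CRL/OCSP settings can be mapped onto a `PKIXRevocationChecker` so that the policy lives in the `PKIXBuilderParameters` handed to the `TrustManagerFactory` rather than in JVM-global `System`/`Security` properties. The `RevocationSetting` enum and the `createTrustManager` signature are assumptions standing in for the PR's own tri-state type; the example assumes a JDK 8 or later PKIX provider, whose explicit `PKIXRevocationChecker` fetches CRL distribution points and OCSP responses without consulting `com.sun.security.enableCRLDP` or `ocsp.enable`.

```java
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical tri-state mirroring the crlEnabled/ocspEnabled values in the hunk (assumption). */
enum RevocationSetting { SYSTEM, TRUE, FALSE }

public final class RevocationTrustManagerExample {

    /**
     * Builds an X509TrustManager whose revocation policy is carried entirely by the
     * PKIXBuilderParameters. No System or Security property is written, so two callers
     * with different settings in one JVM do not overwrite each other's configuration.
     */
    public static X509TrustManager createTrustManager(KeyStore trustStore,
                                                      RevocationSetting crl,
                                                      RevocationSetting ocsp) throws Exception {
        PKIXBuilderParameters pbParams =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());

        if (crl == RevocationSetting.SYSTEM && ocsp == RevocationSetting.SYSTEM) {
            // "system": defer to the JVM, but say so explicitly instead of leaving the
            // PKIXParameters constructor default (true) in place by accident.
            pbParams.setRevocationEnabled(Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));
        } else if (crl == RevocationSetting.TRUE || ocsp == RevocationSetting.TRUE) {
            // Substitute our own checker, as the quoted javadoc recommends: flag off,
            // checker added. The added PKIXRevocationChecker is what the validator runs.
            pbParams.setRevocationEnabled(false);
            PKIXRevocationChecker checker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            EnumSet<PKIXRevocationChecker.Option> options =
                    EnumSet.noneOf(PKIXRevocationChecker.Option.class);
            if (crl == RevocationSetting.TRUE && ocsp != RevocationSetting.TRUE) {
                // CRL only: prefer CRLs and do not fall back to OCSP.
                options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            } else if (ocsp == RevocationSetting.TRUE && crl != RevocationSetting.TRUE) {
                // OCSP only: OCSP is the checker's default preference; forbid the CRL fallback.
                options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
            }
            // Both TRUE: leave the default (OCSP preferred, CRL as fallback).
            // Deliberately not adding SOFT_FAIL: an unreachable responder fails the handshake.
            checker.setOptions(options);
            pbParams.addCertPathChecker(checker);
        } else {
            // Every remaining combination contains an explicit FALSE and no TRUE.
            pbParams.setRevocationEnabled(false);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pbParams));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX TrustManagerFactory returned no X509TrustManager");
    }
}
```

The "system" branch reads `com.sun.net.ssl.checkRevocation` rather than relying on the constructor default, which makes the mixed cases (one knob "system", the other explicit) a conscious choice instead of whatever the branch ordering happens to produce; callers that want an explicit FALSE on one knob to win over "system" on the other get that from the final `else`, and callers that want the opposite can reorder the first two conditions.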