anmolnar commented on code in PR #2271:
URL: https://github.com/apache/zookeeper/pull/2271#discussion_r2163676682


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -548,17 +548,19 @@ public static X509TrustManager createTrustManager(
         try {
             KeyStore ts = loadTrustStore(trustStoreLocation, 
trustStorePassword, trustStoreTypeProp);
             PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new 
X509CertSelector());
-            if (crlEnabled || ocspEnabled) {
-                pbParams.setRevocationEnabled(true);
-                System.setProperty("com.sun.net.ssl.checkRevocation", "true");
-                System.setProperty("com.sun.security.enableCRLDP", "true");
-                if (ocspEnabled) {
-                    Security.setProperty("ocsp.enable", "true");
-                }
-            } else {
-                pbParams.setRevocationEnabled(false);
+            // Leave CRL/OCSP JVM global properties alone both are set to 
"system" (represented as null)
+            if (!crlEnabled.isSystem() || !ocspEnabled.isSystem()) {
+                   if (crlEnabled.isTrue() || ocspEnabled.isTrue()) {
+                       pbParams.setRevocationEnabled(true);
+                       System.setProperty("com.sun.net.ssl.checkRevocation", 
"true");
+                       System.setProperty("com.sun.security.enableCRLDP", 
"true");
+                       if (ocspEnabled.isTrue()) {
+                           Security.setProperty("ocsp.enable", "true");
+                       }
+                   } else {
+                       pbParams.setRevocationEnabled(false);
+                   }
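Review bot: in the visible lines the new outer `if (!crlEnabled.isSystem() || !ocspEnabled.isSystem())` has no else branch, so when both settings are "system" `pbParams.setRevocationEnabled(...)` is never called and the PKIXBuilderParameters default applies, which per the PKIXParameters documentation quoted in the review comment is `true`; the old code set it to `false` whenever neither flag was on, so this changes behaviour for the default configuration and should either be confirmed as intended or derive the flag from the JVM property the code otherwise defers to (for example `Boolean.getBoolean("com.sun.net.ssl.checkRevocation")`). Two smaller points on the same lines: the comment reads as a run-on and should say "Leave CRL/OCSP JVM global properties alone if both are set to "system" (represented as null)", and the inner block is indented with 19 spaces rather than the surrounding 16, so it will not pass the project's checkstyle.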

Review Comment:
   Doc:
   > When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted (by also calling the addCertPathChecker or setCertPathCheckers methods).
