stoty commented on PR #2277:
URL: https://github.com/apache/zookeeper/pull/2277#issuecomment-3046141742

   > I'm sorry @stoty , but this is the 5th patch that you create on this topic 
and it's getting impossible for me to follow. I think it would be beneficial to 
discuss and address the issues separately. I don't really like "clean up" style 
patches, especially when there're significant changes in the logic. This is not 
cleaning up.
   > 
   > So, I can identify the following issues:
   > 
   > * setting OCSP/CRL Java properties explicitly to "true" on the client side 
while we want to follow system default. I don't want to change this behaviour 
on the server side at all. This is strictly a client side improvement.
   
   Mostly.
   We can discuss the implementation details in the separate patch I'm going to 
open.
   
   As for "this is strictly a client side improvement" : This is only really a 
problem on the client side.
   As everything is backwards compatible, I would prefer to also make these 
changes on the server side, as the TLS code is structured so that it's harder 
to make client side only changes than to make the same changes on the server 
side.
   
   > * setting OCSP stapling in OpenSSL provider only. There should be a way to 
check availability in Netty for this rather than relying on enum values. How 
about using `OpenSsl.isAvailable()` and `OpenSsl.isOcspSupported()` flags 
together?
   
   Yes, that's ZOOKEEPER-4940. However, OpenSsl.is* is NOT helpful here.
   We don't care whether OpenSSL is loaded or not, or what it supports.
   None of that matters if the SSL provider is set to JRE, and tcnative is 
never used.
   
   Please see the reopened #2270 for ZOOKEEPER-4940 for the standalone patch.
   
   > * using built-in hostname verification even if Fips style is disabled and 
we don't have trustStore defined
   
   Check
   
   > 
   > Is the above accurate?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to