Re: [PR] ZOOKEEPER-4940: Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out [zookeeper]

Thu, 17 Jul 2025 15:27:36 -0700 


anmolnar commented on code in PR #2270:
URL: https://github.com/apache/zookeeper/pull/2270#discussion_r2214421475


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java:
##########
@@ -144,6 +145,33 @@ public SslContext createNettySslContextForServer(ZKConfig 
config, KeyManager key
         }
     }
 
+    private SslContextBuilder handleTcnativeOcspStapling(SslContextBuilder 
builder, ZKConfig config) {
+        SslProvider sslProvider = getSslProvider(config);
+        boolean tcnative = sslProvider == SslProvider.OPENSSL || sslProvider 
== SslProvider.OPENSSL_REFCNT;
+        boolean ocspEnabled = config.getBoolean(getSslOcspEnabledProperty());
+        TriState tcnativeOcspStapling = 
config.getTristate(getSslTcnativeOcspStaplingEnabledProperty());
+
+        if (tcnative && ocspEnabled && tcnativeOcspStapling.isDefault() && 
OpenSsl.isOcspSupported()) {
+            // Maintain old behaviour (mostly, we also check for 
OpenSsl.isOcspSupported())
+            builder.enableOcsp(ocspEnabled);
+        } else if (tcnativeOcspStapling.isTrue()) {
+            if (!tcnative) {
+                // Don't override the explicit setting, let it error out
+                LOG.error("Trying to enable OpenSSL OCSP stapling for 
non-OpenSSL TLS provider. "
+                        + "This is going to fail. Please fix the TLS 
configuration");
+            } else if (!OpenSsl.isOcspSupported()) {
+                LOG.warn("Trying to enable OpenSSL OCSP stapling for OpenSSL 
provider {} which does not support it. "
+                        + "This is either going to be ignored or fail.", 
OpenSsl.versionString());
+            }
+            builder.enableOcsp(true);
+        } else if (tcnativeOcspStapling.isFalse()) {
+            // Disabling OCSP for the builder is always safe.
+            // This is the same as the builder default, effectively a noop.

Review Comment:
   Thanks, I prefer to go with smaller steps.
   
   I don't think you can get rid of the original property entirely, because 
there must be a way to set `pbParams.setRevocationEnabled(true)`, but we can 
discuss that in a different patch. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to