Re: [PR] ZOOKEEPER-4955 Add option for enabling/disabling certificate revocation check on custom trustmanagers [zookeeper]

Thu, 07 Aug 2025 07:23:44 -0700 


kezhuw commented on code in PR #2289:
URL: https://github.com/apache/zookeeper/pull/2289#discussion_r2260437454


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -541,21 +548,32 @@ public static X509TrustManager createTrustManager(
         boolean ocspEnabled,
         final boolean serverHostnameVerificationEnabled,
         final boolean clientHostnameVerificationEnabled,
-        final boolean fipsMode) throws TrustManagerException {
+        final boolean fipsMode,
+        final SslRevocationEnabled revocationEnabled) throws 
TrustManagerException {
         if (trustStorePassword == null) {
             trustStorePassword = "";
         }
         try {
             KeyStore ts = loadTrustStore(trustStoreLocation, 
trustStorePassword, trustStoreTypeProp);
             PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new 
X509CertSelector());
             if (crlEnabled || ocspEnabled) {
-                pbParams.setRevocationEnabled(true);
+                if (revocationEnabled == SslRevocationEnabled.LEGACY) {
+                    pbParams.setRevocationEnabled(true);
+                }
                 System.setProperty("com.sun.net.ssl.checkRevocation", "true");
                 System.setProperty("com.sun.security.enableCRLDP", "true");
                 if (ocspEnabled) {
                     Security.setProperty("ocsp.enable", "true");
                 }
             } else {
+                if (revocationEnabled == SslRevocationEnabled.LEGACY) {
+                    pbParams.setRevocationEnabled(false);
+                }
+            }
+
+            if (revocationEnabled == SslRevocationEnabled.TRUE) {
+                pbParams.setRevocationEnabled(true);
+            } else if (revocationEnabled == SslRevocationEnabled.FALSE) {

Review Comment:
   `revocationEnabled` is default to `true` in java since java-8. In old path, 
it clears `revocationEnabled`.
   
   I don't think it deserves `JAVA_DEFAULT` for a public default. I think we 
could shape the candidates:
   1. `legacy`:  behaves same as old, this should be the default in case of 
backport.
   2. `true` or `false` to enable/disalbe revocation. `true` could be the 
default.
   
   * 
https://devdocs.io/openjdk~8/java/security/cert/pkixparameters#setRevocationEnabled-boolean-
   * 
https://devdocs.io/openjdk~21/java.base/java/security/cert/pkixparameters#setRevocationEnabled(boolean)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to