stoty commented on PR #2289: URL: https://github.com/apache/zookeeper/pull/2289#issuecomment-3165021402
> I left comment about current approach. > > > As those options are also setting global System/Security properties, we do not have a way to enable revocation checks without clobbering the revocation related global properties. > > How about introducing `ssl.crl.populate-jvm-property` and `ssl.ocsp.populate-jvm-property` ? > > 1. Default to `true` for those in case of backporting. > 2. Default to `false` for future versions. That's totally fine, one of my earlier patches did something similar. It's not really necessary, as simply leaving those at the default "false" settings will leave the System/Security properties alone, but this is the most unambigious solution. > > This way we can solve the problem precisely without introducing `ssl.revocationEnabled` as an replacement of `ssl.crl`. That's not really true. The problem is that we need to work Java's capabilities, which are limited. Apart from the single setRevocationEnabled method (which only exists if we install a custom TrustManager), Java only has global settings for handling revocation config. That's why I think that the proper way to handle this to effectively deprecate the existing crl and ocsp properties (at least for the client), as figuring out how those work and interact is not rather ambigious. Ideally, in the client config both the crl and ocsp settings would default false, while the new ssl.revocationEnabled would default to "java_default". This effectively turns off any ZK specific CRL config. This lets any global JVM settings the user set work as expected. Since Java does provide us with the single setRevocationEnabled knob, we expose that in case the user wants to get fancy, that lets the user control the ZK client setting If we only add the two populate properties, then we are giving the user a puzzle to figure out how to set up revocation. (and also leave them with no way to use the security provider defaults for the custom truststore) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
