anmolnar commented on code in PR #2292: URL: https://github.com/apache/zookeeper/pull/2292#discussion_r2271183447
########## zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md: ########## @@ -1768,13 +1768,17 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp (Java system properties: **zookeeper.ssl.crl** and **zookeeper.ssl.quorum.crl**) **New in 3.5.5:** Specifies whether Certificate Revocation List is enabled in client and quorum TLS protocols. - Default: false + Default: jvm property "com.sun.net.ssl.checkRevocation" since 3.10.0, false otherwise * *ssl.ocsp* and *ssl.quorum.ocsp* : (Java system properties: **zookeeper.ssl.ocsp** and **zookeeper.ssl.quorum.ocsp**) **New in 3.5.5:** Specifies whether Online Certificate Status Protocol is enabled in client and quorum TLS protocols. - Default: false + **Changed in 3.10.0:** + Before 3.10.0, *ssl.ocsp* and *ssl.quorum.ocsp* implies *ssl.crl* and *ssl.quorum.crl* correspondingly. + After 3.10.0, one has to setup both *ssl.crl* and *ssl.ocsp* (or *ssl.quorum.crl* and *ssl.quorum.ocsp*) + to enable OCSP. This is consistent with jdk's method of [Setting up a Java Client to use Client-Driven OCSP](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html#setting-up-a-java-client-to-use-client-driven-ocsp). Review Comment: Is this the server or the client driven OCSP or both? Because previously we didn't have a separate option, `ssl.ocsp` enabled the server driven and optionally implied the client driven if it was supported by the SSL library being in use. e.g. with OpenSSL we automatically enabled the client driven OCSP.
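Review bot: The upgrade impact of the new `**Changed in 3.10.0:**` block is not spelled out and should be, because it is a silent loss of revocation checking: a deployment that today sets only `ssl.ocsp=true` (or `ssl.quorum.ocsp=true`) and relies on the pre-3.10.0 implication of `ssl.crl` will, after upgrading, have neither CRL nor OCSP checking active unless `ssl.crl` (or `ssl.quorum.crl`, or the `com.sun.net.ssl.checkRevocation` JVM property) is also set; a short migration note listing the property pairs operators must now configure together would prevent that. The changed `Default:` line for `ssl.crl` also reads as if the default were the property name itself; it should say the default is the value of the `com.sun.net.ssl.checkRevocation` system property and state what applies when that property is unset (presumably `false`, matching the "false otherwise" clause). Minor wording in the added lines: "implies" should be "imply" and "setup" should be "set up".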