kezhuw commented on code in PR #2292:
URL: https://github.com/apache/zookeeper/pull/2292#discussion_r2272053667


##########
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md:
##########
@@ -1768,13 +1768,17 @@ and [SASL authentication for 
ZooKeeper](https://cwiki.apache.org/confluence/disp
     (Java system properties: **zookeeper.ssl.crl** and 
**zookeeper.ssl.quorum.crl**)
     **New in 3.5.5:**
     Specifies whether Certificate Revocation List is enabled in client and 
quorum TLS protocols.
-    Default: false
+    Default: jvm property "com.sun.net.ssl.checkRevocation" since 3.10.0, 
false otherwise
 
 * *ssl.ocsp* and *ssl.quorum.ocsp* :
     (Java system properties: **zookeeper.ssl.ocsp** and 
**zookeeper.ssl.quorum.ocsp**)
     **New in 3.5.5:**
     Specifies whether Online Certificate Status Protocol is enabled in client 
and quorum TLS protocols.
-    Default: false
+    **Changed in 3.10.0:**
+    Before 3.10.0, *ssl.ocsp* and *ssl.quorum.ocsp* implies *ssl.crl* and 
*ssl.quorum.crl* correspondingly.
+    After 3.10.0, one has to setup both *ssl.crl* and *ssl.ocsp* (or 
*ssl.quorum.crl* and *ssl.quorum.ocsp*)
+    to enable OCSP. This is consistent with jdk's method of [Setting up a Java 
Client to use Client-Driven 
OCSP](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html#setting-up-a-java-client-to-use-client-driven-ocsp).
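Review bot: the new `Default:` line for *ssl.crl* / *ssl.quorum.crl* (`+    Default: jvm property "com.sun.net.ssl.checkRevocation" since 3.10.0,`) does not say what the effective value is; state it explicitly, e.g. "Since 3.10.0, if unset, the value of the JVM system property `com.sun.net.ssl.checkRevocation`; false if that property is also unset (and false before 3.10.0)". In the *ssl.ocsp* entry, the `-    Default: false` line is removed without a replacement, so the option no longer documents its default at all; keep a `Default:` line there and put the `**Changed in 3.10.0:**` note after it. In that note, "Before 3.10.0, ... implies" should be past tense ("implied"), "After 3.10.0" should be "Since 3.10.0" so it matches the "since 3.10.0" wording above and includes 3.10.0 itself, and "setup" used as a verb is "set up".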

Review Comment:
   I was somewhat confused by the words "client driven" and "server driven". 
From my understanding, CRLDP/OCSP is a way to verify the **peer**'s certificate 
using the **peer** certificate's crldp and ocsp responder.
   
   Apply this to ZooKeeper world:
   1. From the client side (i.e. `ZooKeeper`), it will verify the server's certificate 
using crl when crl is enabled. For a successful verification, the server cert 
has to be generated with crldp/ocsp and not revoked.
   2. From the server side (i.e. `ZooKeeperServer`), it will verify the client's 
certificate using crl when crl is enabled. For a successful verification, the 
client cert has to be generated with crldp/ocsp and not revoked.
   
   So the verification happens on the side which crl is enabled.
   
   If client and server are running in different jvms, then everything is ok. 
Enabling crl solely on the client side will not forbid a revoked client from 
connecting to a valid server, and vice versa.
   
   If client and server are running in the same jvm, then the purpose of 
"ssl.crl"/"ssl.ocsp" is indistinguishable. This is why I have to code 
`client1Config.setProperty("zookeeper.ssl.crl", "false");` in tests to disable 
client-side crl.
   
   
https://github.com/kezhuw/zookeeper/blob/ZOOKEEPER-4955-fix-interference-with-jvm-properties/zookeeper-server/src/test/java/org/apache/zookeeper/server/ClientSSLRevocationTest.java#L512-L513
   
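The comment above explains that revocation checking happens on whichever side has crl/ocsp enabled, and that it is the peer's certificate that gets checked. The following is an added example (not ZooKeeper's own code and not part of the PR under review) showing what that looks like at the JSSE level: a `TrustManager` built from explicit PKIX parameters with a `PKIXRevocationChecker`, which the enabling side uses to validate the peer's chain. The truststore path, password and the `Mode` enum are assumptions for illustration; the JDK property names are real.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not ZooKeeper code. Builds the TrustManager that the side with
 * revocation checking enabled uses to verify its PEER's certificate chain:
 * a client installing it checks the server's cert, a server installing it checks
 * the client's cert. The peer's cert must carry a CRL distribution point (for CRL)
 * and/or an OCSP responder URL in its AIA extension (for OCSP); otherwise the
 * checker has nowhere to look and validation fails.
 */
public final class PeerRevocationTrust {

    /** Assumed names for the crl / ocsp switch combinations discussed above. */
    public enum Mode { NONE, CRL_ONLY, CRL_AND_OCSP }

    public static TrustManager[] trustManagers(String truststorePath, char[] password, Mode mode)
            throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) { // assumed truststore file
            trust.load(in, password);
        }

        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, new X509CertSelector());

        if (mode == Mode.NONE) {
            // No revocation checking: a revoked but otherwise valid peer cert is accepted.
            params.setRevocationEnabled(false);
        } else {
            // The JDK only follows the CRL distribution point extension when this system
            // property is true; without it the CRL path has no CRLs to consult.
            System.setProperty("com.sun.security.enableCRLDP", "true");

            PKIXRevocationChecker checker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            EnumSet<Option> options = EnumSet.noneOf(Option.class);
            if (mode == Mode.CRL_ONLY) {
                // The checker's default is OCSP first with CRL fallback; restrict it to CRLs.
                options.add(Option.PREFER_CRLS);
                options.add(Option.NO_FALLBACK);
            }
            // Option.SOFT_FAIL is deliberately NOT set: an unreachable CRL server or OCSP
            // responder fails the handshake (fail closed) instead of silently passing.
            checker.setOptions(options);
            // An explicitly added PKIXRevocationChecker is used regardless of the
            // revocationEnabled flag, so this is what actually turns checking on.
            params.addCertPathChecker(checker);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and password; the same code serves either end of the connection.
        TrustManager[] tms = trustManagers("/etc/zookeeper/truststore.jks",
                "changeit".toCharArray(), Mode.CRL_AND_OCSP);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null); // key managers omitted: only peer verification is shown
        System.out.println("TLS context with peer revocation checking: " + ctx.getProtocol());
    }
}
```

When `tmf.init` is instead given a plain `KeyStore`, the JDK's default PKIX trust manager decides whether to check revocation from the `com.sun.net.ssl.checkRevocation` system property, which is the property the documentation hunk above now names as the 3.10.0 default. Because that property is JVM-wide, a client and a server sharing one JVM cannot be configured differently through it, which is the situation the comment describes for the tests.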
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org