hanm commented on a change in pull request #944: ZOOKEEPER-3388: Allow client
port to support plaintext and encrypted …
URL: https://github.com/apache/zookeeper/pull/944#discussion_r290111854
##
File path:
zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java
##
@@ -315,37 +428,47 @@ protected void initChannel(SocketChannel ch) throws
Exception {
this.bootstrap.validate();
}
-private synchronized void initSSL(ChannelPipeline p)
-throws X509Exception, KeyManagementException,
NoSuchAlgorithmException {
+private synchronized void initSSL(ChannelPipeline p, boolean
supportPlaintext)
+throws X509Exception, KeyManagementException,
NoSuchAlgorithmException, SSLException {
String authProviderProp =
System.getProperty(x509Util.getSslAuthProviderProperty());
-SSLContext sslContext;
if (authProviderProp == null) {
-sslContext = x509Util.getDefaultSSLContext();
+SSLContextAndOptions sslContextAndOptions =
x509Util.getDefaultSSLContextAndOptions();
+SslContext nettySslContext =
sslContextAndOptions.createNettyJdkSslContext(
+sslContextAndOptions.getSSLContext(), false);
+
+if (supportPlaintext) {
+p.addLast("ssl", new DualModeSslHandler(nettySslContext));
+LOG.debug("dual mode Java SSL handler added for channel: {}",
p.channel());
+} else {
+p.addLast("ssl",
nettySslContext.newHandler(p.channel().alloc()));
+LOG.debug("Java SSL handler added for channel: {}",
p.channel());
+}
} else {
-sslContext = SSLContext.getInstance("TLSv1");
+SSLContext sslContext =
SSLContext.getInstance(ClientX509Util.DEFAULT_PROTOCOL);
X509AuthenticationProvider authProvider =
-(X509AuthenticationProvider)ProviderRegistry.getProvider(
+(X509AuthenticationProvider) ProviderRegistry.getProvider(
System.getProperty(x509Util.getSslAuthProviderProperty(), "x509"));
-if (authProvider == null)
-{
+if (authProvider == null) {
LOG.error("Auth provider not found: {}", authProviderProp);
throw new SSLContextException(
"Could not create SSLContext with specified auth
provider: " +
-authProviderProp);
+authProviderProp);
}
-sslContext.init(new X509KeyManager[] {
authProvider.getKeyManager() },
-new X509TrustManager[] {
authProvider.getTrustManager() },
-null);
+sslContext.init(new X509KeyManager[]{authProvider.getKeyManager()},
+new X509TrustManager[]{authProvider.getTrustManager()},
+null);
+SslContext nettySslContext =
x509Util.getDefaultSSLContextAndOptions()
+.createNettyJdkSslContext(sslContext,false);
+if (supportPlaintext) {
Review comment:
This looks like a duplicate of previous `if (supportPlaintext)` on L439, we
can unify them to avoid code duplication.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services