[GitHub] [zookeeper] hanm commented on a change in pull request #944: ZOOKEEPER-3388: Allow client port to support plaintext and encrypted …

2019-06-03 Thread GitBox 
hanm commented on a change in pull request #944: ZOOKEEPER-3388: Allow client 
port to support plaintext and encrypted …
URL: https://github.com/apache/zookeeper/pull/944#discussion_r290112464
 
 

 ##
 File path: 
zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java
 ##
 @@ -63,16 +69,26 @@
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.common.ClientX509Util;
 import org.apache.zookeeper.common.NettyUtils;
+import org.apache.zookeeper.common.SSLContextAndOptions;
 import org.apache.zookeeper.common.X509Exception;
 import org.apache.zookeeper.common.X509Exception.SSLContextException;
 import org.apache.zookeeper.server.auth.ProviderRegistry;
 import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
+import org.apache.zookeeper.server.quorum.QuorumPeerConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public class NettyServerCnxnFactory extends ServerCnxnFactory {
 private static final Logger LOG = 
LoggerFactory.getLogger(NettyServerCnxnFactory.class);
 
+/**
+ * Allow client-server sockets to accept both SSL and plaintext connections
+ */
+public static final String PORT_UNIFICATION_KEY = 
"zookeeper.client.portUnification";
+private final boolean shouldUsePortUnification;
+
+private static final byte TLS_HANDSHAKE_RECORD_TYPE = 0x16;
 
 Review comment:
   might worth to add a comment here on this value (like a link to an RFC).


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

[GitHub] [zookeeper] hanm commented on a change in pull request #944: ZOOKEEPER-3388: Allow client port to support plaintext and encrypted …

2019-06-03 Thread GitBox 
hanm commented on a change in pull request #944: ZOOKEEPER-3388: Allow client 
port to support plaintext and encrypted …
URL: https://github.com/apache/zookeeper/pull/944#discussion_r290111854
 
 

 ##
 File path: 
zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java
 ##
 @@ -315,37 +428,47 @@ protected void initChannel(SocketChannel ch) throws 
Exception {
 this.bootstrap.validate();
 }
 
-private synchronized void initSSL(ChannelPipeline p)
-throws X509Exception, KeyManagementException, 
NoSuchAlgorithmException {
+private synchronized void initSSL(ChannelPipeline p, boolean 
supportPlaintext)
+throws X509Exception, KeyManagementException, 
NoSuchAlgorithmException, SSLException {
 String authProviderProp = 
System.getProperty(x509Util.getSslAuthProviderProperty());
-SSLContext sslContext;
 if (authProviderProp == null) {
-sslContext = x509Util.getDefaultSSLContext();
+SSLContextAndOptions sslContextAndOptions = 
x509Util.getDefaultSSLContextAndOptions();
+SslContext nettySslContext = 
sslContextAndOptions.createNettyJdkSslContext(
+sslContextAndOptions.getSSLContext(), false);
+
+if (supportPlaintext) {
+p.addLast("ssl", new DualModeSslHandler(nettySslContext));
+LOG.debug("dual mode Java SSL handler added for channel: {}", 
p.channel());
+} else {
+p.addLast("ssl", 
nettySslContext.newHandler(p.channel().alloc()));
+LOG.debug("Java SSL handler added for channel: {}", 
p.channel());
+}
 } else {
-sslContext = SSLContext.getInstance("TLSv1");
+SSLContext sslContext = 
SSLContext.getInstance(ClientX509Util.DEFAULT_PROTOCOL);
 X509AuthenticationProvider authProvider =
-(X509AuthenticationProvider)ProviderRegistry.getProvider(
+(X509AuthenticationProvider) ProviderRegistry.getProvider(
 
System.getProperty(x509Util.getSslAuthProviderProperty(), "x509"));
 
-if (authProvider == null)
-{
+if (authProvider == null) {
 LOG.error("Auth provider not found: {}", authProviderProp);
 throw new SSLContextException(
 "Could not create SSLContext with specified auth 
provider: " +
-authProviderProp);
+authProviderProp);
 }
 
-sslContext.init(new X509KeyManager[] { 
authProvider.getKeyManager() },
-new X509TrustManager[] { 
authProvider.getTrustManager() },
-null);
+sslContext.init(new X509KeyManager[]{authProvider.getKeyManager()},
+new X509TrustManager[]{authProvider.getTrustManager()},
+null);
+SslContext nettySslContext = 
x509Util.getDefaultSSLContextAndOptions()
+.createNettyJdkSslContext(sslContext,false);
+if (supportPlaintext) {
 
 Review comment:
   This looks like a duplicate of previous `if (supportPlaintext)` on L439, we 
can unify them to avoid code duplication.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services