https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
SSL (client-server) has been added in 3.5.1. SSL server-server support is being reviewed on GitHub.

Regards,
Andor

On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan....@cominvent.com> wrote:
> Hi,
>
>> if you're prevented from implementing SSL why not use TLSv1.3?
>
> I have not found any evidence that Zookeeper server nor (Java) client supports TLS in version 3.4.13. Please point me to some docs or tutorial. We don't want to fork Zookeeper to implement this stuff ourselves :)
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> On 27 Sep 2018 at 15:17, Martin Gainty <mgai...@hotmail.com> wrote:
>>
>> ________________________________
>> From: Jan Høydahl <jan....@cominvent.com>
>> Sent: Thursday, September 27, 2018 5:12 AM
>> To: user@zookeeper.apache.org
>> Subject: Digest auth with classic TCP transport
>>
>> Hi
>>
>> We use ZK 3.4.13, and unfortunately cannot use Netty transport and SSL. We plan to use digest authentication and Zookeeper ACL protection.
>>
>> Question is, since we cannot use SSL, is there some other way to make sure the user credentials are not sniffed over the network and thus let an attacker impersonate our application and change the content in Zookeeper? Does the Zookeeper client do some smart moves to protect/hash the password over the network? I suppose the binary transport is easy to decipher for those who try.
>>
>> MG>if you're prevented from implementing SSL why not use TLSv1.3?
>> MG>with TLSv1.3 you can implement encryption/decryption with crypto private/public keys and x509 certs
>> https://en.wikipedia.org/wiki/Transport_Layer_Security
>>
>> MG>path of least resistance is to contact verisign and ask them to generate keys, certs and allow them to act as CA
>> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla v60...and some versions of chrome
>> MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and TLS_ECDH_anon key agreement methods
>> MG>do not authenticate the server
>> MG>you will want public key size to be min 2048bit to conform to chrome secure transmission requirements
>> MG>securing message is done thru MD5 or SHA but you will need to incorporate selected algo into
>> MG>supported cipher-suite(s)
>> https://en.wikipedia.org/wiki/Cipher_suite
>>
>> HTH
>> Martin
>>
>> --
>> Jan Høydahl
>> Cominvent AS - www.cominvent.com
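The question in the thread is whether ZooKeeper's digest scheme hashes the password before it leaves the client. The example below is added here to illustrate the answer; it is not code from the thread or from the ZooKeeper project. It re-implements in Python what ZooKeeper's DigestAuthenticationProvider.generateDigest does on the server (the ACL id is "user:" plus base64 of SHA-1 over "user:password"), and contrasts that with what the client actually places in its AuthPacket for addauth digest, which is the unmodified "user:password" string. The credentials and function names are constructed for the demonstration. The practical consequence is the one Andor's reply points at: the hashing protects the id stored in znode ACLs, not the bytes on the wire, so confidentiality on a plain TCP transport needs TLS, which ZooKeeper offers from 3.5.1.

```python
import base64
import hashlib

# Constructed sample credential for the demonstration (not a real deployment value).
SAMPLE_USER = "app"
SAMPLE_PASSWORD = "s3cret"


def acl_digest(user: str, password: str) -> str:
    """Return the id ZooKeeper stores in a znode ACL for scheme "digest".

    Mirrors DigestAuthenticationProvider.generateDigest: the id is
    "<user>:" followed by base64(SHA-1("<user>:<password>")).
    """
    raw = f"{user}:{password}".encode("utf-8")
    sha1 = hashlib.sha1(raw).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def auth_packet_payload(user: str, password: str) -> bytes:
    """Return the bytes the client sends in the AuthPacket for addauth digest.

    The client sends "<user>:<password>" exactly as supplied; no hashing
    happens client-side, so on an unencrypted transport these bytes are
    readable by anyone who can observe the connection.
    """
    return f"{user}:{password}".encode("utf-8")


def server_side_id(payload: bytes) -> str:
    """Return the id the server attaches to the session after receiving payload.

    The server runs generateDigest over whatever string it received and
    later compares the result against the digest ids in each znode's ACL.
    """
    text = payload.decode("utf-8")
    sha1 = hashlib.sha1(text.encode("utf-8")).digest()
    user = text.split(":", 1)[0]
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def replaying_stored_acl_id_fails(user: str, password: str) -> bool:
    """True when submitting the stored ACL id itself as a credential does not match.

    This is the asymmetry of the scheme: the hashed id in the ACL can be read
    from the znode without revealing the secret, whereas the plaintext sent on
    the wire is the secret.
    """
    stored = acl_digest(user, password)
    return server_side_id(stored.encode("utf-8")) != stored


if __name__ == "__main__":
    wire = auth_packet_payload(SAMPLE_USER, SAMPLE_PASSWORD)
    print("bytes on the wire  :", wire)
    print("id stored in ACL   :", acl_digest(SAMPLE_USER, SAMPLE_PASSWORD))
    print("id derived by server:", server_side_id(wire))
    print("stored id usable as credential?",
          not replaying_stored_acl_id_fails(SAMPLE_USER, SAMPLE_PASSWORD))
```

Running the script shows that `server_side_id(wire)` equals the ACL id only when the server is handed the plaintext, which is exactly why an observer of an unencrypted session gains the same access as the application. Since the digest scheme cannot change that, the mitigation on 3.4.x is transport-level: restrict the client port to trusted networks, and plan the move to 3.5.1 where the Netty transport supports SSL.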