This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch branch-3.9
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.9 by this push:
new 5523ef5e2 ZOOKEEPER-4790: Make client hostname verification
configurable
5523ef5e2 is described below
commit 5523ef5e26d8cb259bed624160c87d7feec345a7
Author: Natalie Klestrup Röijezon <[email protected]>
AuthorDate: Fri Nov 22 23:32:10 2024 +0100
ZOOKEEPER-4790: Make client hostname verification configurable
Reviewers: anmolnar
Author: nightkr
Closes #2173 from nightkr/feature/config-client-hostname-verification
(cherry picked from commit 91ab3f5274658a457f205065233db038ba7e622f)
Signed-off-by: Andor Molnar <[email protected]>
---
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md | 7 +++++++
.../src/main/java/org/apache/zookeeper/common/X509Util.java | 8 +++++++-
.../src/main/java/org/apache/zookeeper/common/ZKConfig.java | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 377c2f30a..b53da4596 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -1750,6 +1750,13 @@ and [SASL authentication for
ZooKeeper](https://cwiki.apache.org/confluence/disp
Disabling it only recommended for testing purposes.
Default: true
+* *ssl.clientHostnameVerification* and *ssl.quorum.clientHostnameVerification*
:
+ (Java system properties: **zookeeper.ssl.clientHostnameVerification** and
**zookeeper.ssl.quorum.clientHostnameVerification**)
+ **New in 3.9.4:**
+ Specifies whether the client's hostname verification is enabled in client
and quorum TLS negotiation process.
+ This option requires the corresponding *hostnameVerification* option to be
`true`, or it will be ignored.
+ Default: true for quorum, false for clients
+
* *ssl.crl* and *ssl.quorum.crl* :
(Java system properties: **zookeeper.ssl.crl** and
**zookeeper.ssl.quorum.crl**)
**New in 3.5.5:**
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index a7a9fb7a3..dfb3f1191 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -196,6 +196,7 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
private final String sslTruststoreTypeProperty = getConfigPrefix() +
"trustStore.type";
private final String sslContextSupplierClassProperty = getConfigPrefix() +
"context.supplier.class";
private final String sslHostnameVerificationEnabledProperty =
getConfigPrefix() + "hostnameVerification";
+ private final String sslClientHostnameVerificationEnabledProperty =
getConfigPrefix() + "clientHostnameVerification";
private final String sslCrlEnabledProperty = getConfigPrefix() + "crl";
private final String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
private final String sslClientAuthProperty = getConfigPrefix() +
"clientAuth";
@@ -270,6 +271,10 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
return sslHostnameVerificationEnabledProperty;
}
+ public String getSslClientHostnameVerificationEnabledProperty() {
+ return sslClientHostnameVerificationEnabledProperty;
+ }
+
public String getSslCrlEnabledProperty() {
return sslCrlEnabledProperty;
}
@@ -305,7 +310,8 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
}
public boolean isClientHostnameVerificationEnabled(ZKConfig config) {
- return isServerHostnameVerificationEnabled(config) &&
shouldVerifyClientHostname();
+ return isServerHostnameVerificationEnabled(config)
+ &&
config.getBoolean(this.getSslClientHostnameVerificationEnabledProperty(),
shouldVerifyClientHostname());
}
public SSLContext getDefaultSSLContext() throws
X509Exception.SSLContextException {
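Review bot: The new `clientHostnameVerification` value on the second added line is consulted only after `isServerHostnameVerificationEnabled(config)` short-circuits, so an explicit `true` is silently dropped whenever `hostnameVerification` is false, and an explicit `false` on the quorum side silently removes the peer-certificate hostname check that the default `shouldVerifyClientHostname()` (true for quorum, per the docs hunk) would apply; neither outcome leaves a trace in the logs. I would read the configured value into a local and warn when it is set but ignored, using the class's existing `LOG` field, and add a Javadoc line on the method stating that `hostnameVerification` must be true for this setting to have any effect, since that precedence rule currently lives only in zookeeperAdmin.md. If `ZKConfig.getBoolean` parses with `Boolean.parseBoolean`, a mistyped value such as `yes` also evaluates to false without any error, which is worth a sentence in the same Javadoc. The enclosing class continues outside the hunk.
```java
public boolean isClientHostnameVerificationEnabled(ZKConfig config) {
    boolean serverVerification = isServerHostnameVerificationEnabled(config);
    boolean clientVerification = config.getBoolean(getSslClientHostnameVerificationEnabledProperty(), shouldVerifyClientHostname());
    // An explicitly configured value has no effect while hostnameVerification is off; say so rather than drop it silently.
    if (!serverVerification && config.getProperty(getSslClientHostnameVerificationEnabledProperty()) != null) {
        LOG.warn("{} is set but ignored because {} is false", getSslClientHostnameVerificationEnabledProperty(), getSslHostnameVerificationEnabledProperty());
    }
    return serverVerification && clientVerification;
}
```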
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
index de062e747..846a5632e 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
@@ -127,6 +127,7 @@ public class ZKConfig {
properties.put(x509Util.getSslTruststorePasswdPathProperty(),
System.getProperty(x509Util.getSslTruststorePasswdPathProperty()));
properties.put(x509Util.getSslTruststoreTypeProperty(),
System.getProperty(x509Util.getSslTruststoreTypeProperty()));
properties.put(x509Util.getSslContextSupplierClassProperty(),
System.getProperty(x509Util.getSslContextSupplierClassProperty()));
+
properties.put(x509Util.getSslClientHostnameVerificationEnabledProperty(),
System.getProperty(x509Util.getSslClientHostnameVerificationEnabledProperty()));
properties.put(x509Util.getSslHostnameVerificationEnabledProperty(),
System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
properties.put(x509Util.getSslCrlEnabledProperty(),
System.getProperty(x509Util.getSslCrlEnabledProperty()));
properties.put(x509Util.getSslOcspEnabledProperty(),
System.getProperty(x509Util.getSslOcspEnabledProperty()));