This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch branch-3.9
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.9 by this push:
     new 099fc1184 ZOOKEEPER-4940: Enabling zookeeper.ssl.ocsp with JRE TLS 
provider err…
099fc1184 is described below

commit 099fc118464c3d644a8117933f62fbd1947a8ab6
Author: Istvan Toth <[email protected]>
AuthorDate: Tue Jul 29 22:04:05 2025 +0200

    ZOOKEEPER-4940: Enabling zookeeper.ssl.ocsp with JRE TLS provider err…
    
    ZOOKEEPER-4940: Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
    add docs
    add new property for tcnative OCSP setting
    rename property
    factor out the stapling handling code to a new method
    use and honor OpenSSL.isOcspSupported()
    Add more log messages
    Remove comments about BoringSSL not supporting OCSP stapling
    rearrange code to make patch smaller
    add comment for clarification
    remove new property
    Reviewers: anmolnar
    Author: stoty
    Closes #2270 from stoty/ZOOKEEPER-4940
    (cherry picked from commit 9d1d25cd75295b4529ce5348ba0cfce9ef4fefd7)
    Author: stoty
    Closes #2282 from stoty/ZOOKEEPER-4940-3.9
---
 .../java/org/apache/zookeeper/common/ClientX509Util.java | 16 ++++++++++++++--
 .../java/org/apache/zookeeper/common/X509UtilTest.java   | 14 ++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
 
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
index 7bb453903..588a8828f 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
@@ -19,6 +19,7 @@
 package org.apache.zookeeper.common;
 
 import io.netty.handler.ssl.DelegatingSslContext;
+import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
@@ -79,7 +80,7 @@ public SslContext createNettySslContextForClient(ZKConfig 
config)
             sslContextBuilder.trustManager(tm);
         }
 
-        
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+        handleTcnativeOcspStapling(sslContextBuilder, config);
         sslContextBuilder.protocols(getEnabledProtocols(config));
         Iterable<String> enabledCiphers = getCipherSuites(config);
         if (enabledCiphers != null) {
@@ -120,7 +121,7 @@ public SslContext createNettySslContextForServer(ZKConfig 
config, KeyManager key
             sslContextBuilder.trustManager(trustManager);
         }
 
-        
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+        handleTcnativeOcspStapling(sslContextBuilder, config);
         sslContextBuilder.protocols(getEnabledProtocols(config));
         
sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
         Iterable<String> enabledCiphers = getCipherSuites(config);
@@ -138,6 +139,17 @@ public SslContext createNettySslContextForServer(ZKConfig 
config, KeyManager key
         }
     }
 
+    private SslContextBuilder handleTcnativeOcspStapling(SslContextBuilder 
builder, ZKConfig config) {
+        SslProvider sslProvider = getSslProvider(config);
+        boolean tcnative = sslProvider == SslProvider.OPENSSL || sslProvider 
== SslProvider.OPENSSL_REFCNT;
+        boolean ocspEnabled = config.getBoolean(getSslOcspEnabledProperty());
+
+        if (tcnative && ocspEnabled && OpenSsl.isOcspSupported()) {
+            builder.enableOcsp(ocspEnabled);
+        }
+        return builder;
+    }
+
     private SslContext addHostnameVerification(SslContext sslContext, String 
clientOrServer) {
         return new DelegatingSslContext(sslContext) {
             @Override
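Review bot: When `zookeeper.ssl.ocsp` is set to true but the guard `if (tcnative && ocspEnabled && OpenSsl.isOcspSupported())` is not satisfied, the operator's request for OCSP stapling is dropped with no trace; the commit message mentions added log messages, yet none appear in this hunk. An `else if (ocspEnabled)` branch that logs at WARN which condition failed (non-tcnative provider, or `OpenSsl.isOcspSupported()` returning false), using the class's existing logger if it has one, would let a deployment that expects stapled revocation checks notice that stapling is not active. The returned builder is ignored by both call sites (`handleTcnativeOcspStapling(sslContextBuilder, config);`), so the method could return `void`, and inside the guard `builder.enableOcsp(ocspEnabled)` is always `enableOcsp(true)`, which reads more clearly written literally.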
diff --git 
a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java 
b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
index 1218a00de..ce7984734 100644
--- 
a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
+++ 
b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
@@ -740,6 +740,20 @@ public void 
testCreateSSLContext_validCustomSSLContextClass(
         assertEquals(SSLContext.getDefault(), sslContext);
     }
 
+    @ParameterizedTest
+    @MethodSource("data")
+    public void testCreateSSLContext_ocspWithJreProvider(
+            X509KeyType caKeyType, X509KeyType certKeyType, String 
keyPassword, Integer paramIndex)
+            throws Exception {
+        init(caKeyType, certKeyType, keyPassword, paramIndex);
+        ZKConfig zkConfig = new ZKConfig();
+        try (ClientX509Util clientX509Util = new ClientX509Util();) {
+            zkConfig.setProperty(clientX509Util.getSslOcspEnabledProperty(), 
"true");
+            // Must not throw IllegalArgumentException
+            clientX509Util.createSSLContext(zkConfig);
+        }
+    }
+
     private static void forceClose(Socket s) {
         if (s == null || s.isClosed()) {
             return;
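Review bot: The new test calls `clientX509Util.createSSLContext(zkConfig)`, while the code this commit changes lives in `createNettySslContextForClient` and `createNettySslContextForServer`; unless `createSSLContext` routes through those builders (not visible in this diff), the regression being fixed — `enableOcsp` with a non-OpenSSL provider — is not exercised. Adding `clientX509Util.createNettySslContextForClient(zkConfig);` inside the same try block would pin the fix directly, and a sibling case that sets the provider property to OPENSSL would cover the stapling branch. The test also relies on the default SSL provider being the JRE one rather than setting it explicitly, and `new ClientX509Util();)` carries a stray semicolon in the resource list.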
