[https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15685100#comment-15685100]
Venkateswararao Jujjuri (JV) commented on BOOKKEEPER-588:
---------------------------------------------------------
1. Yes
2. I am not really sure. [~kishorekasi]?
3. Yeah, it is our app interface into the BookKeeper client API; it just uses
the BK client API. Nothing else to read into.
Regarding rolling upgrade:
- Can't we use two ports on the Bookie? One for secure connections and the
other for non-secure? We can be in this mode until all our clients move to
secure and then re-roll bookies to accept only secure connections.
- StartTLS can be a way too, but I fail to understand the security aspect of
it. If the client has to request a secure connection, what is going to stop a
rogue client from establishing a connection with the Bookie and continuing in
that way? Is your plan to make use of Authentication + StartTLS to avoid the
STRIPTLS attack?
(https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations)
> I miss one piece of the full schema
We will have the new certificate available 'some time' before the current
certificate expires. So we are expected to read the new one and establish a
connection so we don't start failing when the old one expires. [~kishorekasi]
can you add more details here?
[~eolivelli] what is your approach on certificate expiry boundary? Will you let
client fail and restart? I don't think it is a terrible idea if certs are
expected to last for a while.
> SSL support
> -----------
>
> Key: BOOKKEEPER-588
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
> Project: Bookkeeper
> Issue Type: Sub-task
> Reporter: Ivan Kelly
> Assignee: Enrico Olivelli
> Fix For: 4.5.0
>
> Attachments: 0001-MutualTLS-for-Bookkeeper.patch,
> 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
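The comment above raises two mechanics without showing either: a bookie that keeps serving while its certificate is rotated ahead of expiry, and a secure listener that rejects peers which do not present a valid client certificate (so a plain or unauthenticated connection on the secure port gets nothing). The following is an added Go example written for this page, not BookKeeper's own code (the project is Java) and not any of the attached patches. It assumes the certificate and key live in PEM files whose paths are passed in, and it generates a throwaway self-signed pair as a constructed fixture; the names `certReloader`, `serverTLSConfig`, `expiresWithin` and `writeSelfSigned` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader hands the active certificate to crypto/tls via GetCertificate
// and re-reads the PEM files when the certificate file's mtime changes, so a
// renewed certificate dropped in place before the old one expires is served
// without restarting the process (hypothetical helper, not BookKeeper's).
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	cert              *tls.Certificate
	lastMod           time.Time
}

func newCertReloader(certPath, keyPath string) (*certReloader, error) {
	r := &certReloader{certPath: certPath, keyPath: keyPath}
	if err := r.reload(); err != nil {
		return nil, err
	}
	return r, nil
}

func (r *certReloader) reload() error {
	info, err := os.Stat(r.certPath)
	if err != nil {
		return err
	}
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	// Parse the leaf so callers can inspect NotAfter and Subject.
	if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
		return err
	}
	r.mu.Lock()
	r.cert, r.lastMod = &cert, info.ModTime()
	r.mu.Unlock()
	return nil
}

// current returns the active certificate, reloading it first if the file on
// disk has changed since the last load.
func (r *certReloader) current() (*tls.Certificate, error) {
	info, err := os.Stat(r.certPath)
	if err != nil {
		return nil, err
	}
	r.mu.Lock()
	changed := !info.ModTime().Equal(r.lastMod)
	r.mu.Unlock()
	if changed {
		if err := r.reload(); err != nil {
			return nil, err
		}
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.cert, nil
}

// expiresWithin reports whether the certificate expires inside the given
// window from now; the renewed certificate should already be on disk by then.
func expiresWithin(cert *tls.Certificate, window time.Duration) bool {
	return time.Now().Add(window).After(cert.Leaf.NotAfter)
}

// serverTLSConfig is the bookie-side configuration for the secure port:
// TLS 1.2 or newer, a client certificate is required and verified against
// clientCAs (mutual TLS), and the served certificate is fetched from the
// reloader on every handshake.
func serverTLSConfig(r *certReloader, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return r.current()
		},
	}
}

// writeSelfSigned generates a self-signed P-256 certificate and key valid for
// validFor and writes them as PEM (constructed fixture for this example only).
func writeSelfSigned(certPath, keyPath, cn string, validFor time.Duration) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return os.WriteFile(keyPath, keyPEM, 0o600)
}
```

Two design points follow from the thread. The reload is keyed on the certificate file, so an operator renews by writing the new key and then the new certificate in place; a handshake that races the two writes fails and is retried, which is the same failure mode as an expired certificate but bounded to the rotation instant. And because `ClientAuth` is `RequireAndVerifyClientCert`, the secure port answers the STRIPTLS concern by construction: there is no negotiation step a peer can decline, and a peer without a certificate signed by `clientCAs` is rejected during the handshake rather than after it. Whether to run this beside a plaintext port during the rolling upgrade, as the comment proposes, is then an operational choice, with the plaintext port closed once all clients carry certificates.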