[ https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15685100#comment-15685100 ]

Venkateswararao Jujjuri (JV) commented on BOOKKEEPER-588:
---------------------------------------------------------

1. Yes
2. I am not really sure. [~kishorekasi]?
3. Yeah, it is our app interface into the bookkeeper client API; it just uses the BK client API. Nothing else to read into.

Regarding rolling upgrade:
- Can't we use two ports on Bookie? One for secure connections and the other for non-secure? We can be in this mode until all our clients move to secure and then re-roll bookies to accept only secure connections.
- StartTLS can be a way too, but I fail to understand the security aspect of it. If the client has to request a secure connection, what is going to stop a rogue client from establishing a connection with Bookie and continuing in that way? Is your plan to make use of Authentication + StartTLS to avoid the STRIPTLS attack? (https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations)

> I miss one piece of the full schema

We will have the new certificate available 'some time' before the current certificate expires. So we are expected to read the new one and establish connections, so we don't start failing when the old one expires. [~kishorekasi] can you add more details here?

[~eolivelli] what is your approach on the certificate expiry boundary? Will you let the client fail and restart? I don't think it is a terrible idea if certs are expected to last for a while.

> SSL support
> -----------
>
>                 Key: BOOKKEEPER-588
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
>             Project: Bookkeeper
>          Issue Type: Sub-task
>            Reporter: Ivan Kelly
>            Assignee: Enrico Olivelli
>             Fix For: 4.5.0
>
>         Attachments: 0001-MutualTLS-for-Bookkeeper.patch,
>                      0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
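As an added illustration (not code from this thread or from BookKeeper), a small Python model of the concern raised in the comment above: with opportunistic StartTLS, a client that is not configured to require TLS silently continues in plaintext when the STARTTLS capability is absent, while a client that requires TLS fails closed; the same "required" policy is what makes a not-yet-upgraded bookie unreachable during a rolling upgrade. The Server, Client and Policy names are constructed for the model.

```python
"""Opportunistic vs. required TLS on a StartTLS-style handshake (constructed model)."""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # upgrade if offered, otherwise stay in plaintext
    REQUIRED = "required"            # abort unless the channel is upgraded


@dataclass
class Server:
    """Constructed bookie-like server; advertises STARTTLS when TLS is enabled."""
    tls_enabled: bool = True  # False models a bookie not yet rolled to the TLS build

    def greeting(self, stripped: bool = False):
        # 'stripped' models an on-path party removing the STARTTLS capability
        caps = ["AUTH"]
        if self.tls_enabled and not stripped:
            caps.append("STARTTLS")
        return caps


@dataclass
class Client:
    policy: Policy
    log: list = field(default_factory=list)

    def connect(self, server: Server, stripped: bool = False) -> str:
        """Return the resulting channel state: 'tls', 'plaintext' or 'aborted'."""
        caps = server.greeting(stripped)
        if "STARTTLS" in caps:
            self.log.append("upgraded to TLS")
            return "tls"
        if self.policy is Policy.REQUIRED:
            self.log.append("STARTTLS not offered; aborting (fail closed)")
            return "aborted"
        self.log.append("STARTTLS not offered; continuing in plaintext")
        return "plaintext"


def outcomes(stripped: bool = False, tls_enabled: bool = True) -> dict:
    """Channel state reached by each client policy against one server configuration."""
    server = Server(tls_enabled=tls_enabled)
    return {p.value: Client(p).connect(server, stripped) for p in Policy}
```

Only the "required" policy (or authentication bound to the upgraded channel) turns a missing STARTTLS capability into a visible failure instead of a silent plaintext session.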