lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1175865173

   > a. Whether the client sends messages over TLS appears to be unrelated to the JVM option -Dtls.enable=true; it is determined solely by setUseTLS(true) in the code.
   Verification method:
   a1. When setUseTLS(true) is not set, the data sent by the producer is not encrypted regardless of whether -Dtls.enable=true is set (as seen from tcpdump).
   a2. When setUseTLS(true) is set, the data sent by the producer is encrypted regardless of whether -Dtls.enable=true is set (as seen from tcpdump).
   
   Java option -Dtls.enable is used to provide the default value for useTls.
   See https://github.com/apache/rocketmq/blob/f34c185e05f5b1a1cc372fa72718d6b40ed6e5cc/client/src/main/java/org/apache/rocketmq/client/ClientConfig.java#L63
   
   > Even if the client sets -Dtls.client.authServer=true, it still does not verify the validity of the server certificate.
   Verification method:
   Modify the client configuration file yyy, setting tls.client.trustCertPath=/opt/ccc.pem, where the file ccc.pem does not exist. When the producer then sends messages, no error is reported and the communication is still encrypted, so I suspect the server certificate's validity is not being verified against the root certificate.
   
   -Dtls.client.authServer=true is required to force clients to verify the server certificate.
   If you have specified tls.client.trustCertPath, clients should verify the server certificate chain.
   https://github.com/apache/rocketmq/blob/a62b70bc25423c1d7e18043e32af427d29ef9ac4/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java#L116
   
   Let's add an integration test verifying this use case.

