[jira] [Comment Edited] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol

Fri, 17 Mar 2017 15:21:09 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15930825#comment-15930825
 ] 

Abraham Fine edited comment on ZOOKEEPER-236 at 3/17/17 10:20 PM:
------------------------------------------------------------------

Hi [~geek101]-

bq. Regarding host verification one other way to go is to follow this: 
X509ExtendedTrustManager mentions about where to plugin host verification , it 
specifically quotes:
Let me know if this is what you had in mind. We do not need to subclass 
`X509ExtendedTrustManager` ourselves to get this to work, since the 
`X509TrustManagerImpl` object generated by the PKIX trustmanager factory (and 
x509 as well I think) extends `X509ExtendedTrustManager` already.  If endpoint 
verification is set on the sslParameters of the sslSocket we get endpoint 
verification for free in `X509ExtendedTrustManager`. The issue is that we are 
limited to the built in implementations of endpoint verification but I think 
the "https" algorithm is sufficient for our use case.

I implemented this here: 
https://github.com/apache/zookeeper/pull/184/commits/bebe09660f652f243e746905460ecbdffe2d155e


was (Author: abrahamfine):
Hi [~geek101]-

bq. Regarding host verification one other way to go is to follow this: 
X509ExtendedTrustManager mentions about where to plugin host verification , it 
specifically quotes:
Let me know if this is what you had in mind. We do not need to subclass 
`X509ExtendedTrustManager` ourselves to get this to work, since the 
`X509TrustManagerImpl` object generated by the PKIX trustmanager factory (and 
x509 as well I think) extends `X509ExtendedTrustManager` already.  If endpoint 
verification is set on the sslParameters of the sslSocket we get endpoint 
verification for free in `X509ExtendedTrustManager`. The issue is that we are 
limited to the built in implementations of endpoint verification but I think 
the "https" algorithm is sufficient for our use case.  

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic 
> between ZooKeeper servers. For the most part this is a very easy change. We 
> would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to