[
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15933762#comment-15933762
]
Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------
[~geek101]-
You are correct. Apparently java doesn't do a reverse dns lookup by default. I
had the IP address to be included as a subjectAltName of the client's
certificate, so I didn't notice this failure. So I pushed an update with a
subclass to {{X509ExtendedTrustManager}}:
{code}
for (final TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
return new X509ExtendedTrustManager() {
HostnameChecker hostnameChecker =
HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
@Override
public X509Certificate[] getAcceptedIssuers() {
return ((X509ExtendedTrustManager)
tm).getAcceptedIssuers();
}
@Override
public void checkClientTrusted(X509Certificate[]
x509Certificates, String s, Socket socket) throws CertificateException {
hostnameChecker.match(socket.getInetAddress().getHostName(),
x509Certificates[0]);
((X509ExtendedTrustManager)
tm).checkClientTrusted(x509Certificates, s, socket);
}
@Override
public void checkServerTrusted(X509Certificate[]
x509Certificates, String s, Socket socket) throws CertificateException {
hostnameChecker.match(((SSLSocket)
socket).getHandshakeSession().getPeerHost(), x509Certificates[0]);
((X509ExtendedTrustManager)
tm).checkServerTrusted(x509Certificates, s, socket);
}
{code}
We do a reverse dns lookup when a client is connecting to the server. This
works. The primary issue I see is that import sun.security.util.HostnameChecker
is proprietary and throws a compile warning.
{code}
[javac]
/Users/abefine/cloudera_code/zookeeper/src/java/main/org/apache/zookeeper/common/X509Util.java:26:
warning: HostnameChecker is internal proprietary API and may be removed in a
future release
[javac] import sun.security.util.HostnameChecker;
{code}
I'm not sure if it is the preference of the community to copy the code
contained in HostnameChecker, add a dependency with similar functionality, or
leave it as is. The issue is described clearly here
https://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/:
{quote}
To make matters worse, the check is not trivial (consider SAN and wildcard
matching) and is implemented in sun.security.util.HostnameChecker (a Sun
internal proprietary API). This leaves the developer in the position of either
depending on an internal API or finding/copying/creating another implementation
of this functionality. For the examples in this article, I have opted for the
first option.
{quote}
Thanks,
Abe
> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
