[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15933762#comment-15933762 ]
Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------

[~geek101]- You are correct. Apparently Java doesn't do a reverse DNS lookup by default. I had the IP address to be included as a subjectAltName of the client's certificate, so I didn't notice this failure. So I pushed an update with a subclass to {{X509ExtendedTrustManager}}:

{code}
for (final TrustManager tm : tmf.getTrustManagers()) {
    // The wrapped manager is cast to X509ExtendedTrustManager below, so the type test must match the cast
    if (tm instanceof X509ExtendedTrustManager) {
        return new X509ExtendedTrustManager() {
            // sun.security.util.HostnameChecker is an internal API; see the compile warning below
            HostnameChecker hostnameChecker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return ((X509ExtendedTrustManager) tm).getAcceptedIssuers();
            }

            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
                    throws CertificateException {
                // Reverse DNS lookup of the connecting client's address, matched against its certificate
                hostnameChecker.match(socket.getInetAddress().getHostName(), x509Certificates[0]);
                ((X509ExtendedTrustManager) tm).checkClientTrusted(x509Certificates, s, socket);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
                    throws CertificateException {
                // The host the client dialed, as recorded in the handshake session
                hostnameChecker.match(((SSLSocket) socket).getHandshakeSession().getPeerHost(), x509Certificates[0]);
                ((X509ExtendedTrustManager) tm).checkServerTrusted(x509Certificates, s, socket);
            }

            // X509ExtendedTrustManager is abstract; the remaining methods must also be implemented
            // for this anonymous class to compile. They delegate to the wrapped trust manager and
            // perform no hostname check of their own (the SSLEngine path is not covered above).
            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine engine)
                    throws CertificateException {
                ((X509ExtendedTrustManager) tm).checkClientTrusted(x509Certificates, s, engine);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine engine)
                    throws CertificateException {
                ((X509ExtendedTrustManager) tm).checkServerTrusted(x509Certificates, s, engine);
            }

            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                ((X509ExtendedTrustManager) tm).checkClientTrusted(x509Certificates, s);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                ((X509ExtendedTrustManager) tm).checkServerTrusted(x509Certificates, s);
            }
        };
    }
}
{code}

We do a reverse DNS lookup when a client is connecting to the server. This works.

The primary issue I see is that import sun.security.util.HostnameChecker is proprietary and throws a compile warning.

{code}
[javac] /Users/abefine/cloudera_code/zookeeper/src/java/main/org/apache/zookeeper/common/X509Util.java:26: warning: HostnameChecker is internal proprietary API and may be removed in a future release
[javac] import sun.security.util.HostnameChecker;
{code}

I'm not sure if it is the preference of the community to copy the code contained in HostnameChecker, add a dependency with similar functionality, or leave it as is.
The issue is described clearly here https://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/:

{quote}
To make matters worse, the check is not trivial (consider SAN and wildcard matching) and is implemented in sun.security.util.HostnameChecker (a Sun internal proprietary API). This leaves the developer in the position of either depending on an internal API or finding/copying/creating another implementation of this functionality. For the examples in this article, I have opted for the first option.
{quote}

Thanks,
Abe

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
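The comment above weighs copying HostnameChecker, adding a dependency, or keeping the internal import. The class below is an added example, not part of the JIRA comment or of the ZooKeeper code base: a subjectAltName matcher written against public JDK APIs only (`X509Certificate.getSubjectAlternativeNames()`), so it can take the place of `HostnameChecker.match(...)` in a custom `X509ExtendedTrustManager`. The class name `PeerIdentityMatcher` and its method names are assumptions. It implements the SAN and wildcard rules the quoted article calls non-trivial, compares an IP-literal peer identity against `iPAddress` entries (the case the comment says the client certificates already carried), and deliberately offers no Common Name fallback.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/**
 * PeerIdentityMatcher (hypothetical name): subjectAltName matching on public JDK APIs only,
 * intended as a stand-in for sun.security.util.HostnameChecker inside a custom trust manager.
 */
public final class PeerIdentityMatcher {
    private static final int GN_DNS_NAME = 2;   // GeneralName tag for dNSName
    private static final int GN_IP_ADDRESS = 7; // GeneralName tag for iPAddress

    private PeerIdentityMatcher() {}

    /** Throws unless peerIdentity (a DNS name or an IP literal) appears in the certificate's subjectAltName. */
    public static void match(String peerIdentity, X509Certificate cert) throws CertificateException {
        if (peerIdentity == null || peerIdentity.isEmpty()) {
            throw new CertificateException("no peer identity available to verify");
        }
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new CertificateException("unparseable subjectAltName extension", e);
        }
        if (sans == null || sans.isEmpty()) {
            // No CN fallback on purpose: RFC 6125 deprecates CN-based identity and it is where lax matching creeps in.
            throw new CertificateException("certificate carries no subjectAltName entries");
        }
        boolean wantIp = isIpLiteral(peerIdentity);
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = String.valueOf(san.get(1)); // dNSName and iPAddress values are returned as Strings
            if (wantIp && type == GN_IP_ADDRESS && sameAddress(peerIdentity, value)) return;
            if (!wantIp && type == GN_DNS_NAME && matchDnsName(peerIdentity, value)) return;
        }
        throw new CertificateException("peer identity " + peerIdentity + " matches no subjectAltName entry");
    }

    /** Wildcard rules in the spirit of RFC 6125 section 6.4.3: one whole left-most label, at least two labels after it. */
    static boolean matchDnsName(String host, String pattern) {
        String h = stripDot(host.toLowerCase(Locale.ROOT));
        String p = stripDot(pattern.toLowerCase(Locale.ROOT));
        if (!p.startsWith("*.")) {
            return h.equals(p);                 // non-wildcard patterns require an exact match
        }
        if (p.indexOf('*', 1) >= 0 || p.split("\\.").length < 3) {
            return false;                       // "*.com", "*.*.example.com" and similar are never accepted
        }
        String suffix = p.substring(1);         // ".example.com"
        if (!h.endsWith(suffix)) return false;
        String left = h.substring(0, h.length() - suffix.length());
        // The wildcard covers exactly one non-empty label and must not stand in for an IDN (xn--) label.
        return !left.isEmpty() && left.indexOf('.') < 0 && !left.startsWith("xn--");
    }

    static boolean isIpLiteral(String s) {
        return s.matches("\\d{1,3}(\\.\\d{1,3}){3}") || s.indexOf(':') >= 0;
    }

    /** Structural comparison of two literals so "::1" equals "0:0:0:0:0:0:0:1"; well-formed literals trigger no DNS query. */
    static boolean sameAddress(String a, String b) {
        if (!isIpLiteral(a) || !isIpLiteral(b)) return false;
        try {
            return InetAddress.getByName(a).equals(InetAddress.getByName(b));
        } catch (UnknownHostException e) {
            return false;
        }
    }

    private static String stripDot(String s) {
        return s.endsWith(".") ? s.substring(0, s.length() - 1) : s;
    }

    /** Constructed sample identities; no certificate is needed to see the matching rules at work. */
    public static void main(String[] args) {
        String[][] cases = {
            {"zk1.example.com", "zk1.example.com", "true"},
            {"ZK1.example.com.", "zk1.example.com", "true"},      // case and trailing dot are normalised
            {"zk1.example.com", "*.example.com", "true"},
            {"a.b.example.com", "*.example.com", "false"},        // wildcard spans one label only
            {"example.com", "*.example.com", "false"},            // left-most label must be non-empty
            {"zk1.com", "*.com", "false"},                        // too few labels after the wildcard
            {"xn--80ak6aa92e.example.com", "*.example.com", "false"},
        };
        for (String[] c : cases) {
            boolean got = matchDnsName(c[0], c[1]);
            System.out.printf("%-28s vs %-18s -> %-5s (expected %s)%n", c[0], c[1], got, c[2]);
        }
        System.out.println("::1 == 0:0:0:0:0:0:0:1 -> " + sameAddress("::1", "0:0:0:0:0:0:0:1"));
    }
}
```

In the trust manager from the comment, `PeerIdentityMatcher.match(identity, x509Certificates[0])` goes where `hostnameChecker.match(...)` is called. On the client side the identity should be the name or address the client was configured to dial, which is what `getHandshakeSession().getPeerHost()` reports; for that direction alone, Java 7 and later also offer `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket or engine, after which the JDK's own PKIX trust manager performs this check with no custom code. On the server side, a name obtained through `socket.getInetAddress().getHostName()` comes from the PTR record of the client's address, which the server operator does not control, so matching the client's IP against `iPAddress` entries, or against a list of expected quorum peers, is the sturdier identity for client certificates.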