[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951745#comment-15951745 ]

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r109263498
  
    --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
    @@ -214,45 +237,56 @@ public static X509TrustManager 
createTrustManager(String trustStoreLocation, Str
                 tmf.init(new CertPathTrustManagerParameters(pbParams));
     
                 for (final TrustManager tm : tmf.getTrustManagers()) {
    -                if (tm instanceof X509TrustManager) {
    +                if (tm instanceof X509ExtendedTrustManager) {
                         return new X509ExtendedTrustManager() {
    -                        HostnameChecker hostnameChecker = 
HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
    +                        X509ExtendedTrustManager x509ExtendedTrustManager 
= (X509ExtendedTrustManager) tm;
    +                        HostnameVerifier hostnameVerifier = new 
DefaultHostnameVerifier();
     
                             @Override
                             public X509Certificate[] getAcceptedIssuers() {
    -                            return ((X509ExtendedTrustManager) 
tm).getAcceptedIssuers();
    +                            return 
x509ExtendedTrustManager.getAcceptedIssuers();
                             }
     
                             @Override
    -                        public void checkClientTrusted(X509Certificate[] 
x509Certificates, String s, Socket socket) throws CertificateException {
    -                            
hostnameChecker.match(socket.getInetAddress().getHostName(), 
x509Certificates[0]);
    -                            ((X509ExtendedTrustManager) 
tm).checkClientTrusted(x509Certificates, s, socket);
    +                        public void checkClientTrusted(X509Certificate[] 
chain, String authType, Socket socket) throws CertificateException {
    +                            if (hostnameVerificationEnabled && 
shouldVerifyClientHostname) {
    +                                
hostnameVerifier.verify(socket.getInetAddress().getHostName(), ((SSLSocket) 
socket).getSession());
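
    Review bot: the expected name handed to `hostnameVerifier.verify(...)` at the end of the hunk is `socket.getInetAddress().getHostName()`, which is a reverse DNS (PTR) lookup of the peer address, so the certificate is checked against whatever name the PTR record for that IP returns rather than against a name the ZooKeeper operator configured; it also blocks the handshake thread on DNS. Consider verifying against the configured quorum peer hostname (or the literal address) instead of the resolved name. Two smaller points on the same lines: `(SSLSocket) socket` is cast without an `instanceof` or null check, although `X509ExtendedTrustManager.checkClientTrusted` may be passed a null socket, and `HostnameVerifier.verify` returns a boolean rather than throwing, so the visible lines do not show the failing case being turned into a `CertificateException`.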
    --- End diff --
    
    Yes, the reverse DNS lookup is done on the performHostnameVerification... line


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic 
> between ZooKeeper servers. For the most part this is a very easy change. We 
> would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)