[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951745#comment-15951745 ]
ASF GitHub Bot commented on ZOOKEEPER-236: ------------------------------------------ Github user afine commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r109263498 --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java --- 
@@ -214,45 +237,56 @@ public static X509TrustManager createTrustManager(String trustStoreLocation, Str
 tmf.init(new CertPathTrustManagerParameters(pbParams));
 for (final TrustManager tm : tmf.getTrustManagers()) {
- if (tm instanceof X509TrustManager) {
+ if (tm instanceof X509ExtendedTrustManager) {
 return new X509ExtendedTrustManager() {
- HostnameChecker hostnameChecker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
+ X509ExtendedTrustManager x509ExtendedTrustManager = (X509ExtendedTrustManager) tm;
+ HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
 @Override
 public X509Certificate[] getAcceptedIssuers() {
- return ((X509ExtendedTrustManager) tm).getAcceptedIssuers();
+ return x509ExtendedTrustManager.getAcceptedIssuers();
 }
 @Override
- public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
- hostnameChecker.match(socket.getInetAddress().getHostName(), x509Certificates[0]);
- ((X509ExtendedTrustManager) tm).checkClientTrusted(x509Certificates, s, socket);
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ if (hostnameVerificationEnabled && shouldVerifyClientHostname) {
+ hostnameVerifier.verify(socket.getInetAddress().getHostName(), ((SSLSocket) socket).getSession());
--- End diff -- Yes, the reverse dns lookup is done on the performHostnameVerification... line > SSL Support for Atomic Broadcast protocol > ----------------------------------------- > > Key: ZOOKEEPER-236 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236 > Project: ZooKeeper > Issue Type: New Feature > Components: quorum, server > Reporter: Benjamin Reed > Assignee: Abraham Fine > Priority: Minor > > We should have the ability to use SSL to authenticate and encrypt the traffic > between ZooKeeper servers. For the most part this is a very easy change. 
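Review bot: The result of `hostnameVerifier.verify(...)` in the new `checkClientTrusted` is discarded, so on the visible line a hostname mismatch does not fail the handshake. The removed `HostnameChecker.match` threw on mismatch, whereas `HostnameVerifier.verify(String, SSLSession)` (assuming the field is the `javax.net.ssl` interface) reports the outcome only through its boolean return. The call also passes `getSession()` from inside the trust-manager callback; while the handshake is still in progress `getHandshakeSession()` is the session that carries the peer certificates, so this should be confirmed. Suggested: `if (!hostnameVerifier.verify(host, ((SSLSocket) socket).getHandshakeSession())) { throw new CertificateException("Hostname verification failed for " + host); }`, where `host` is the name already being passed. The body of `checkClientTrusted` continues past the end of the quoted hunk.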
We > would probably only want to support this for TCP based leader elections. -- This message was sent by Atlassian JIRA (v6.3.15#6346)