[jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol

Mon, 01 May 2017 11:08:19 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991205#comment-15991205
 ] 

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r114167558
  
    --- Diff: 
src/java/main/org/apache/zookeeper/server/quorum/QuorumCnxManager.java ---
    @@ -438,9 +447,18 @@ synchronized private boolean connectOne(long sid, 
InetSocketAddress electionAddr
             Socket sock = null;
             try {
                  LOG.debug("Opening channel to server " + sid);
    -             sock = new Socket();
    -             setSockOpts(sock);
    -             sock.connect(electionAddr, cnxTO);
    +             if (self.isSslQuorum()) {
    +                 SSLSocket sslSock = x509Util.createSSLSocket();
    +                 setSockOpts(sslSock);
    +                 sslSock.connect(electionAddr, cnxTO);
    +                 sslSock.startHandshake();
    --- End diff --
    
    This is a synchronous call and will block connectOne until the hand shake 
finishes. Current cnx manager does blocking IO when handling connections so 
while hand shake is going on other peers will not be able to connect to this 
server. This might not be a big problem with carefully tuned initLimit / 
syncLimit, but I thought we might want mention this somewhere in doc or wiki.
    
    An alternative would be making hand shake async so cnx manager does not 
block, but I am currently leaning towards not do this and instead use 
ZOOKEEPER-900/901 to fix the root cause.


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>              Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic 
> between ZooKeeper servers. For the most part this is a very easy change. We 
> would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to