[
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991210#comment-15991210
]
ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------
Github user afine commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/184#discussion_r114167751
--- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java ---
@@ -160,43 +213,120 @@ public static X509KeyManager createKeyManager(String
keyStoreLocation, String ke
}
throw new KeyManagerException("Couldn't find X509KeyManager");
- } catch (Exception e) {
- throw new KeyManagerException(e);
+ } catch
(IOException|CertificateException|UnrecoverableKeyException|NoSuchAlgorithmException|KeyStoreException
+ keyManagerCreationException) {
+ throw new KeyManagerException(keyManagerCreationException);
} finally {
if (inputStream != null) {
try {
inputStream.close();
- } catch (IOException e) {}
+ } catch (IOException ioException) {
+ LOG.info("Failed to close key store input stream",
ioException);
+ }
}
}
}
- public static X509TrustManager createTrustManager(String
trustStoreLocation, String trustStorePassword)
+ public static X509TrustManager createTrustManager(String
trustStoreLocation, String trustStorePassword,
+ boolean crlEnabled,
boolean ocspEnabled,
+ final boolean
hostnameVerificationEnabled,
+ final boolean
shouldVerifyClientHostname)
throws TrustManagerException {
FileInputStream inputStream = null;
try {
- char[] trustStorePasswordChars =
trustStorePassword.toCharArray();
File trustStoreFile = new File(trustStoreLocation);
KeyStore ts = KeyStore.getInstance("JKS");
inputStream = new FileInputStream(trustStoreFile);
- ts.load(inputStream, trustStorePasswordChars);
- TrustManagerFactory tmf =
TrustManagerFactory.getInstance("SunX509");
- tmf.init(ts);
+ if (trustStorePassword != null) {
+ char[] trustStorePasswordChars =
trustStorePassword.toCharArray();
+ ts.load(inputStream, trustStorePasswordChars);
+ } else {
+ ts.load(inputStream, null);
+ }
- for (TrustManager tm : tmf.getTrustManagers()) {
- if (tm instanceof X509TrustManager) {
- return (X509TrustManager) tm;
+ PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts,
new X509CertSelector());
+ if (crlEnabled || ocspEnabled) {
+ pbParams.setRevocationEnabled(true);
+ System.setProperty("com.sun.net.ssl.checkRevocation",
"true");
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ if (ocspEnabled) {
+ Security.setProperty("ocsp.enable", "true");
+ }
+
+ } else {
+ pbParams.setRevocationEnabled(false);
+ }
+
+ // Revocation checking is only supported with the PKIX
algorithm
+ TrustManagerFactory tmf =
TrustManagerFactory.getInstance("PKIX");
+ tmf.init(new CertPathTrustManagerParameters(pbParams));
+
+ for (final TrustManager tm : tmf.getTrustManagers()) {
+ if (tm instanceof X509ExtendedTrustManager) {
+ return new ZKTrustManager((X509ExtendedTrustManager)
tm, hostnameVerificationEnabled, shouldVerifyClientHostname);
}
}
throw new TrustManagerException("Couldn't find
X509TrustManager");
- } catch (Exception e) {
- throw new TrustManagerException(e);
+ } catch
(IOException|CertificateException|NoSuchAlgorithmException|InvalidAlgorithmParameterException|KeyStoreException
+ trustManagerCreationException) {
+ throw new TrustManagerException(trustManagerCreationException);
} finally {
if (inputStream != null) {
try {
inputStream.close();
- } catch (IOException e) {}
+ } catch (IOException ioException) {
+ LOG.info("failed to close TrustStore input stream",
ioException);
+ }
}
}
}
-}
\ No newline at end of file
+
+ public SSLSocket createSSLSocket() throws X509Exception, IOException {
+ SSLSocket sslSocket = (SSLSocket)
getDefaultSSLContext().getSocketFactory().createSocket();
+ configureSSLSocket(sslSocket);
+
+ return sslSocket;
+ }
+
+ public SSLSocket createSSLSocket(Socket socket) throws X509Exception,
IOException {
+ SSLSocket sslSocket = (SSLSocket)
getDefaultSSLContext().getSocketFactory().createSocket(socket, null,
socket.getPort(), true);
+ configureSSLSocket(sslSocket);
+
+ return sslSocket;
+ }
+
+ private void configureSSLSocket(SSLSocket sslSocket) {
+ SSLParameters sslParameters = sslSocket.getSSLParameters();
+ sslParameters.setNeedClientAuth(true);
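Review bot: The revocation branch at `System.setProperty("com.sun.net.ssl.checkRevocation", "true")`, `System.setProperty("com.sun.security.enableCRLDP", "true")` and `Security.setProperty("ocsp.enable", "true")` mutates JVM-wide state from a per-trust-manager factory method, so a single call with crlEnabled or ocspEnabled set leaves every other SSLContext in the process, and every later call with both flags false (which only touches pbParams), running with revocation checking switched on. At minimum this deserves a comment above the `if (crlEnabled || ocspEnabled)` block, e.g. `// NOTE: the System/Security properties below are process-global and are never reset; they affect every SSLContext in this JVM`; if Java 8 is the floor, a PKIXRevocationChecker attached to pbParams would scope CRLDP/OCSP to this trust manager instead. The new null-password path `ts.load(inputStream, null)` also skips the JKS integrity check, so a modified trust store file is accepted silently — worth a one-line comment such as `// null password: no integrity check, tampering with the trust store file is not detected`. `configureSSLSocket` starts at the end of this hunk and its body continues outside it.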
--- End diff --
Good catch, this can be removed.
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html#setNeedClientAuth-boolean-
`Configures the socket to require client authentication. This option is
only useful for sockets in the server mode.`
> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, security, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP-based leader elections.