Github user afine commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/184#discussion_r114181665
--- Diff: src/java/main/org/apache/zookeeper/server/quorum/Learner.java ---
@@ -254,6 +260,9 @@ protected void connectToLeader(InetSocketAddress addr)
}
sockConnect(sock, addr, Math.min(self.tickTime *
self.syncLimit, remainingInitLimitTime));
+ if (self.isSslQuorum()) {
+ ((SSLSocket) sock).startHandshake();
+ }
sock.setTcpNoDelay(nodelay);
break;
} catch (IOException e) {
--- End diff --
> if we know the SSL cert is invalid there is no point retrying
Not sure I agree. I can imagine cases where the certificate revocation
system is down and comes up at a later point in time.
>it's possible that what finally gets logged does not reflect the cause of
the failure due to how these exceptions are handled
We seem to be logging pretty reasonably here:
https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/server/quorum/Follower.java#L95
In addition, there is some JVM system properties for ssl logging that we
can document to make sure certificate issues are as clear as possible.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
