Github user ivmaykov commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r195517786 --- Diff: src/java/main/org/apache/zookeeper/common/X509Util.java --- @@ -18,64 +18,119 @@ package org.apache.zookeeper.common; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.net.ssl.CertPathTrustManagerParameters; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLServerSocket; +import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509KeyManager; import javax.net.ssl.X509TrustManager; import java.io.File; import java.io.FileInputStream; import java.io.IOException; +import java.net.Socket; +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyManagementException; import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.X509CertSelector; +import java.util.Arrays; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import static org.apache.zookeeper.common.X509Exception.KeyManagerException; -import static org.apache.zookeeper.common.X509Exception.SSLContextException; -import static org.apache.zookeeper.common.X509Exception.TrustManagerException; +import org.apache.zookeeper.common.X509Exception.KeyManagerException; +import org.apache.zookeeper.common.X509Exception.SSLContextException; +import org.apache.zookeeper.common.X509Exception.TrustManagerException; /** * Utility code for X509 handling */ -public class X509Util { +public abstract class X509Util { private static final Logger LOG = LoggerFactory.getLogger(X509Util.class); - /** - * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_LOCATION} - * instead. - */ - @Deprecated - public static final String SSL_KEYSTORE_LOCATION = "zookeeper.ssl.keyStore.location"; - /** - * @deprecated Use {@link ZKConfig#SSL_KEYSTORE_PASSWD} - * instead. - */ - @Deprecated - public static final String SSL_KEYSTORE_PASSWD = "zookeeper.ssl.keyStore.password"; - /** - * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_LOCATION} - * instead. - */ - @Deprecated - public static final String SSL_TRUSTSTORE_LOCATION = "zookeeper.ssl.trustStore.location"; - /** - * @deprecated Use {@link ZKConfig#SSL_TRUSTSTORE_PASSWD} - * instead. - */ - @Deprecated - public static final String SSL_TRUSTSTORE_PASSWD = "zookeeper.ssl.trustStore.password"; - /** - * @deprecated Use {@link ZKConfig#SSL_AUTHPROVIDER} - * instead. - */ - @Deprecated - public static final String SSL_AUTHPROVIDER = "zookeeper.ssl.authProvider"; - - public static SSLContext createSSLContext() throws SSLContextException { - /** + static final String DEFAULT_PROTOCOL = "TLSv1.2"; + + private String sslProtocolProperty = getConfigPrefix() + "protocol"; + private String cipherSuitesProperty = getConfigPrefix() + "ciphersuites"; + private String sslKeystoreLocationProperty = getConfigPrefix() + "keyStore.location"; + private String sslKeystorePasswdProperty = getConfigPrefix() + "keyStore.password"; + private String sslTruststoreLocationProperty = getConfigPrefix() + "trustStore.location"; + private String sslTruststorePasswdProperty = getConfigPrefix() + "trustStore.password"; + private String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification"; + private String sslCrlEnabledProperty = getConfigPrefix() + "crl"; + private String sslOcspEnabledProperty = getConfigPrefix() + "ocsp"; + + private String[] cipherSuites; + + private volatile SSLContext defaultSSLContext; + + public X509Util() { + String cipherSuitesInput = System.getProperty(cipherSuitesProperty); + if (cipherSuitesInput == null) { + cipherSuites = null; + } else { + cipherSuites = cipherSuitesInput.split(","); + } + } + + protected abstract String getConfigPrefix(); + protected abstract boolean shouldVerifyClientHostname(); + + public String getSslProtocolProperty() { + return sslProtocolProperty; + } + + public String getCipherSuitesProperty() { + return cipherSuitesProperty; + } + + public String getSslKeystoreLocationProperty() { + return sslKeystoreLocationProperty; + } + + public String getSslKeystorePasswdProperty() { + return sslKeystorePasswdProperty; + } + + public String getSslTruststoreLocationProperty() { + return sslTruststoreLocationProperty; + } + + public String getSslTruststorePasswdProperty() { + return sslTruststorePasswdProperty; + } + + public String getSslHostnameVerificationEnabledProperty() { + return sslHostnameVerificationEnabledProperty; + } + public String getSslCrlEnabledProperty() { + return sslCrlEnabledProperty; + } + + public String getSslOcspEnabledProperty() { + return sslOcspEnabledProperty; + } + + public synchronized SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException { --- End diff -- Still need to remove `synchronized` here.
---