GitHub user ivmaykov reopened a pull request: https://github.com/apache/zookeeper/pull/681
ZOOKEEPER-3176: Quorum TLS - add SSL config options

Add SSL config options for enabled protocols and client auth mode. Improve handling of SSL config options for protocols and cipher suites - previously these came from system properties, now they can come from ZKConfig which means they are easier to isolate in tests, and now we don't need to parse system properties every time we create a secure socket.

Note that this is stacked on top of #678, #679, and #680 and thus includes them. Please only consider the ZOOKEEPER-3176 commit when reviewing. Once the other PRs are merged upstream, I will rebase this so it only contains one commit.

## Added more options for ssl settings to X509Util and encapsulate them better

- previously, some SSL settings came from a `ZKConfig` and others came from global `System.getProperties()`. This made it hard to isolate certain settings in tests.
- now all SSL-related settings come from the `ZKConfig` object used to create the SSL context
- new settings added:
  - `zookeeper.ssl(.quorum).enabledProtocols` - list of enabled protocols. If not set, defaults to a single-entry list with the value of `zookeeper.ssl(.quorum).protocol`.
  - `zookeeper.ssl(.quorum).clientAuth` - can be "NONE", "WANT", or "NEED". This controls whether the server doesn't want / allows / requires the client to present an X509 certificate.
  - `zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis` - timeout for the first read of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to a `UnifiedServerSocket`

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ivmaykov/zookeeper ZOOKEEPER-3176

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/681.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #681

----
commit 367bef0980193e2761c7008844c5e9fe029d8a66
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:22:24Z

    ZOOKEEPER-3172: Quorum TLS - fix port unification to allow rolling upgrades

commit fd58fa45cdd76c6b4c1bb2f529ee8f6d7fff553d
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T01:54:06Z

    ZOOKEEPER-3174: Quorum TLS - support reloading trust/key store

commit d232235519e2c6e252dcac700dcc05146cea5dbc
Author: Ilya Maykov <ilyam@...>
Date:   2018-10-25T02:12:04Z

    ZOOKEEPER-3176: Quorum TLS - add SSL config options

----
---
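The PR description above names three settings but does not show what they mean at the socket layer. The following is an added example written for this page, not ZooKeeper's own X509Util or UnifiedServerSocket code: it reads the PR's property names from a plain `java.util.Properties` (standing in for `ZKConfig`), maps `clientAuth` NONE / WANT / NEED onto the JSSE `SSLEngine` calls, builds the `enabledProtocols` list with the single-entry fallback to `.protocol`, and sketches a generic 5-byte TLS-record check of the kind a port-unifying accept loop would run before its `handshakeDetectionTimeoutMillis` expires. The class name, the `TLSv1.2` fallback default, the `zookeeper.ssl.quorum` prefix and the record-sniff heuristics are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (not ZooKeeper code): how the PR's three options land on a server-side SSLEngine.
public final class QuorumSslOptionsExample {

    // Mirrors the NONE / WANT / NEED values named in the PR description.
    enum ClientAuth { NONE, WANT, NEED }

    // Assumption for this example: TLSv1.2 is the fallback when neither key is set.
    static final String ASSUMED_DEFAULT_PROTOCOL = "TLSv1.2";

    /** ".enabledProtocols" wins; otherwise a single-entry list built from ".protocol". */
    static String[] enabledProtocols(Properties cfg, String prefix) {
        String list = cfg.getProperty(prefix + ".enabledProtocols");
        if (list != null && !list.trim().isEmpty()) {
            List<String> out = new ArrayList<>();
            for (String p : list.split(",")) {
                if (!p.trim().isEmpty()) out.add(p.trim());
            }
            return out.toArray(new String[0]);
        }
        return new String[] { cfg.getProperty(prefix + ".protocol", ASSUMED_DEFAULT_PROTOCOL) };
    }

    /** A misspelled value throws rather than silently falling back to NONE (no client auth). */
    static ClientAuth clientAuth(Properties cfg, String prefix) {
        String v = cfg.getProperty(prefix + ".clientAuth", "NONE").trim().toUpperCase(Locale.ROOT);
        return ClientAuth.valueOf(v);
    }

    /** Apply protocol list and client-auth mode to a server-side engine. */
    static void configureServerEngine(SSLEngine engine, Properties cfg, String prefix) {
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(enabledProtocols(cfg, prefix));
        switch (clientAuth(cfg, prefix)) {
            case NEED: engine.setNeedClientAuth(true); break;  // handshake fails without a client cert
            case WANT: engine.setWantClientAuth(true); break;  // cert requested; missing cert is tolerated
            case NONE: engine.setNeedClientAuth(false); engine.setWantClientAuth(false); break;
        }
    }

    /**
     * Generic sniff of the first 5 bytes (one TLS record header): content type 0x16 = handshake,
     * record version major 3, minor 0..4, plausible length. This is the example's own heuristic,
     * not UnifiedServerSocket's detection code.
     */
    static boolean looksLikeTlsClientHello(byte[] first5) {
        if (first5 == null || first5.length < 5) return false; // a full record header is required
        int type = first5[0] & 0xff, major = first5[1] & 0xff, minor = first5[2] & 0xff;
        int len = ((first5[3] & 0xff) << 8) | (first5[4] & 0xff);
        return type == 0x16 && major == 0x03 && minor <= 0x04 && len > 0 && len <= 16384 + 2048;
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties(); // constructed sample config
        cfg.setProperty("zookeeper.ssl.quorum.enabledProtocols", "TLSv1.2,TLSv1.3");
        cfg.setProperty("zookeeper.ssl.quorum.clientAuth", "NEED");

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        configureServerEngine(engine, cfg, "zookeeper.ssl.quorum");
        System.out.println("protocols=" + String.join(",", engine.getEnabledProtocols())
                + " needClientAuth=" + engine.getNeedClientAuth());

        // Constructed sample bytes: a TLS 1.2 handshake record header vs. a plaintext
        // length-prefixed ZooKeeper connect request (first byte 0x00, not 0x16).
        byte[] tlsHeader = { 0x16, 0x03, 0x03, 0x00, (byte) 0xc8 };
        byte[] plaintext = { 0x00, 0x00, 0x00, 0x2c, 0x00 };
        System.out.println("tls? " + looksLikeTlsClientHello(tlsHeader)
                + " / " + looksLikeTlsClientHello(plaintext));
    }
}
```

Run with `javac QuorumSslOptionsExample.java && java QuorumSslOptionsExample` on a JDK whose JSSE provider supports every protocol listed (`setEnabledProtocols` throws `IllegalArgumentException` for an unsupported name, which is the behaviour you want from a misconfigured quorum port). Note the asymmetry between WANT and NEED: with WANT a peer that presents no certificate still completes the handshake, so only NEED actually enforces mutual authentication between quorum members.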