Istvan Toth created ZOOKEEPER-4912:
--------------------------------------
Summary: Remove default TLS cipher overrides
Key: ZOOKEEPER-4912
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4912
Project: ZooKeeper
Issue Type: Improvement
Components: security
Reporter: Istvan Toth
This is a follow-up on the discussion on the ZOOKEEPER-4415
PR (https://github.com/apache/zookeeper/pull/1919).
ZK currently hardcodes the list of ciphers, and needs to add code to handle all
new ciphers and Java TLS changes.
This was originally added as a performance optimization, which is not very
relevant today, and interferes with normal TLS operation.
I propose removing the default cipher logic from X509Util.
Ciphers could still be specified either by the existing config properties, or
via the standard Java properties / security config, but would otherwise default
to the JVM defaults, and pick up any changes from new JDKs or security settings.
This could cause performance problems for very old JDK8 JVMs, where the current
behaviour can be restored by explicitly specifying the CBC cipher list.
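The selection order proposed in the issue (an explicit list wins, otherwise the JVM default applies), as an added example that is not part of the original message and is not ZooKeeper's code. The class `CipherSelectionDemo` and the helper `effectiveCiphers` are hypothetical; the demo assumes the client-side system property `zookeeper.ssl.ciphersuites` as the explicit override, and skipping suites the JVM does not support is a choice made for this demo only.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherSelectionDemo {
    // Hypothetical helper: an explicit comma-separated list wins; otherwise
    // the JVM's own default enabled suites are returned unchanged.
    static String[] effectiveCiphers(String configured, SSLContext ctx) {
        if (configured == null || configured.trim().isEmpty()) {
            // Follows the JDK version and java.security settings such as
            // jdk.tls.disabledAlgorithms without any application code.
            return ctx.getDefaultSSLParameters().getCipherSuites();
        }
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> usable = new ArrayList<>();
        for (String name : configured.split(",")) {
            String suite = name.trim();
            if (suite.isEmpty()) continue;
            // A fixed list can name suites this JVM does not know (demo: skip and report).
            if (supported.contains(suite)) usable.add(suite);
            else System.err.println("not supported by this JVM, skipped: " + suite);
        }
        if (usable.isEmpty()) {
            throw new IllegalArgumentException("no configured cipher suite is supported by this JVM");
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String configured = System.getProperty("zookeeper.ssl.ciphersuites"); // assumed override
        String[] suites = effectiveCiphers(configured, ctx);
        System.out.println((configured == null ? "JVM default" : "configured") + " cipher suites:");
        for (String s : suites) {
            // Classify by name so CBC suites in the effective list stand out.
            String mode = (s.contains("_GCM_") || s.contains("CHACHA20")) ? "AEAD"
                    : s.contains("_CBC_") ? "CBC" : "other";
            System.out.printf("  %-50s %s%n", s, mode);
        }
    }
}
```

Running it once without the property and once with `-Dzookeeper.ssl.ciphersuites=...` set to a CBC-only list shows the difference between the two modes on a given JDK.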