[ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009816#comment-17009816 ]
Mate Szalay-Beko commented on ZOOKEEPER-3482: --------------------------------------------- update: I managed to create some working unit tests on the master branch. I tested SASL Digest + SSL, and also SASL Kerberos + SSL. So it seems working on the master branch (although due to some conflict, it requires more work to make the tests work on the branch 3.5). the PR for the master branch: https://github.com/apache/zookeeper/pull/1204 I want to work now on the 3.5 branch to see if the problem exists there or not. I also want to reproduce this scenario on a real kerberized server. > SASL (Kerberos) Authentication with SSL for clients and Quorum > -------------------------------------------------------------- > > Key: ZOOKEEPER-3482 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482 > Project: ZooKeeper > Issue Type: Bug > Components: server > Affects Versions: 3.5.5 > Reporter: Jörn Franke > Assignee: Mate Szalay-Beko > Priority: Major > Labels: pull-request-available > Time Spent: 10m > Remaining Estimate: 0h > > It seems that Kerberos authentication does not work for encrypted connections > of clients and quorum. It seems that only X509 Authentication works. > What I would have expected: > ClientSecurePort is defined > A keystore and truststore are deployed on the ZooKeeper servers > Only a truststore is deployed with the client (to validate the CA of the > server certificate) > Client can authenticate with SASL (Kerberos) > Similarly, it should work for the Quorum SSL connection. > Is there a way to configure this in ZooKeeper? > > Note: Kerberos Authentication for SSL encrypted connection should be used > instead of X509 authentication for this case and not in addition. However, if > it only works in 3.5.5 in addition then I would be interested and willing to > test it. -- This message was sent by Atlassian Jira (v8.3.4#803005)