[
https://issues.apache.org/jira/browse/ZOOKEEPER-4941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18002701#comment-18002701
]
Istvan Toth commented on ZOOKEEPER-4941:
----------------------------------------
We have discussed this offline, and possibly in other tickets, but I will give
a quick summary here as well.
- The listed options not having an effect if truststore is not set is
acceptable, but that should be documented and maybe we should emit warnings
when they have no effect.
- You have also added a different hostname verification mechanism in
ZOOKEEPER-4622, which can work even without a custom truststore.
> Several SSL properties ignored when custom truststore is not specified
> -----------------------------------------------------------------------
>
> Key: ZOOKEEPER-4941
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4941
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Reporter: Istvan Toth
> Priority: Major
>
> CRL, OCSP, hostname verification and FIPS are all ignored if there is no
> custom truststore specified.
> https://github.com/apache/zookeeper/blob/e5dd60bf0512ccc1e090d99410a8da48623219da/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L402
> These properties are all meaningful for the default (cacerts) JVM
> certificates.
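Added example, not ZooKeeper's X509Util code and not written by the ticket's author: one way to apply CRL/OCSP revocation checking and hostname verification on top of the JVM's default cacerts, which is what the description says these properties should govern. It assumes the stock JDK cacerts location and the default "changeit" password, and the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.EnumSet;
import javax.net.ssl.*;

public final class DefaultTrustStoreRevocation {
    // Loads the JVM's own cacerts when no custom truststore is configured.
    // Assumes the stock JDK layout and the default "changeit" password.
    static KeyStore loadDefaultTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString());
        char[] pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    // PKIX trust manager over any truststore, with revocation checking (OCSP, CRL
    // fallback; CRL first if preferCrls). No SOFT_FAIL: unreachable responder fails.
    static SSLContext buildContext(KeyStore trustStore, boolean preferCrls) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        if (preferCrls) {
            checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        }
        pkix.addCertPathChecker(checker); // supersedes the provider's default revocation check
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Client engine with RFC 2818 hostname verification of the peer's SAN/CN.
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }
}
```

Passing the store returned by loadDefaultTrustStore() into buildContext() gives the default JVM certificates the same revocation and hostname checks a custom truststore would get.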