[
https://issues.apache.org/jira/browse/ZOOKEEPER-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kezhu Wang resolved ZOOKEEPER-4958.
-----------------------------------
Fix Version/s: 3.10.0
3.9.5
Resolution: Fixed
Issue resolved by pull request 2303
[https://github.com/apache/zookeeper/pull/2303]
> "ssl.clientHostnameVerification" is ignored if "ssl.authProvider" is
> configured to "x509"
> -----------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4958
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4958
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.8.4, 3.9.3
> Reporter: Kezhu Wang
> Assignee: Kezhu Wang
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.10.0, 3.9.5
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> {{NettyServerCnxnFactory}} uses {{TrustManager}} from
> {{X509AuthenticationProvider}} if {{ssl.authProvider}} is configured.
> But the {{clientHostnameVerificationEnabled}} is explicitly set to {{false}}
> in construction.
> I confirmed this locally with test.
> Server configs:
> * zookeeper.ssl.hostnameVerification: true
> * zookeeper.ssl.clientHostnameVerification: true
> * zookeeper.fips-mode: false
> * zookeeper.ssl.authProvider: x509
> Related codes:
> *
> https://github.com/apache/zookeeper/blob/770804bef861bbfc9e150b63774f8557f1f8d995/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L572
> *
> https://github.com/apache/zookeeper/blob/770804bef861bbfc9e150b63774f8557f1f8d995/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java#L123
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
