eolivelli commented on code in PR #2009:
URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1230605611


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException {
         }
     }
 
+    public SslContext createNettySslContextForClient(ZKConfig config)
+        throws KeyManagerException, TrustManagerException, SSLException {
+        String keyStoreLocation = 
config.getProperty(sslKeystoreLocationProperty, "");
+        String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, 
sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+        String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+        if (keyStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+        } else {
+            sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, 
keyStorePassword, keyStoreType));
+        }
+
+        String trustStoreLocation = 
config.getProperty(sslTruststoreLocationProperty, "");
+        String trustStorePassword = 
getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, 
sslTruststorePasswdPathProperty);
+        String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+        boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+        boolean sslOcspEnabled = 
config.getBoolean(this.sslOcspEnabledProperty);
+        boolean sslServerHostnameVerificationEnabled = 
config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+        boolean sslClientHostnameVerificationEnabled = 
sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+        if (trustStoreLocation.isEmpty()) {
+            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+        } else {
+            
sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, 
trustStorePassword, trustStoreType,
+                sslCrlEnabled, sslOcspEnabled, 
sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+        }
+
+        sslContextBuilder.enableOcsp(sslOcspEnabled);
+        sslContextBuilder.protocols(getEnabledProtocols(config));
+        sslContextBuilder.ciphers(getCipherSuites(config));
+
+        return sslContextBuilder.build();
+    }
+
+    public SslContext createNettySslContextForServer(ZKConfig config)
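Review bot: When `trustStoreLocation` is empty the `else` branch at the `trustStoreLocation.isEmpty()` check is skipped, so no trust manager is installed and the `sslServerHostnameVerificationEnabled` / `sslClientHostnameVerificationEnabled` values read just above are never used; a client built this way relies on Netty's default trust handling without the hostname check that `createTrustManager` presumably applies, and the only signal is a warning naming the missing property. Because the hostname-verification property defaults to true, an operator reading the config may believe verification is in effect when it is not. Consider making the warning explicit, e.g. `LOG.warn("{} not specified; no trust manager configured, so hostname verification is not applied", getSslTruststoreLocationProperty());`, or failing fast when verification is explicitly enabled but no truststore is given. The method also lacks Javadoc; a header stating which `ZKConfig` properties it reads, that keystore and truststore are optional with these fallbacks, and the three exception types it declares would help callers. `createNettySslContextForServer` starts on the last line of the hunk and continues outside it.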

Review Comment:
   Also, the tcnative library may not be available on all platforms.


