anmolnar commented on code in PR #2009: URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1230860439
########## zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java: ########## 
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException { } }
+ public SslContext createNettySslContextForClient(ZKConfig config)
+ throws KeyManagerException, TrustManagerException, SSLException {
+ String keyStoreLocation = config.getProperty(sslKeystoreLocationProperty, "");
+ String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+ String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+ if (keyStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+ } else {
+ sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
+ }
+
+ String trustStoreLocation = config.getProperty(sslTruststoreLocationProperty, "");
+ String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, sslTruststorePasswdPathProperty);
+ String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+ boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+ boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
+ boolean sslServerHostnameVerificationEnabled = config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+ boolean sslClientHostnameVerificationEnabled = sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+ if (trustStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+ } else {
+ sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
+ sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+ }
+
+ sslContextBuilder.enableOcsp(sslOcspEnabled);
+ sslContextBuilder.protocols(getEnabledProtocols(config));
+ sslContextBuilder.ciphers(getCipherSuites(config));
+
+ return sslContextBuilder.build();
+ }
+
+ public SslContext createNettySslContextForServer(ZKConfig config)
Review Comment: Good catch, I'll add the option to force the provider. @eolivelli > Also the tcnative library may not be available on all the platforms With or without forcing the provider, Netty will always fallback to JDK if native provider cannot be found. What do you mean by the above statement?
########## zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java: ##########
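Review bot: `sslContextBuilder.enableOcsp(sslOcspEnabled)` is applied regardless of which SslProvider the builder ends up with, and Netty's OCSP stapling is provider-specific: as far as I recall, the JDK provider rejects `enableOcsp(true)` inside `build()` with an IllegalArgumentException, so on a platform where tcnative is absent the fallback to JDK discussed in this thread would turn the property behind `sslOcspEnabledProperty` into a failure to construct the client context rather than a degraded mode. Guarding the call, e.g. `sslContextBuilder.enableOcsp(sslOcspEnabled && OpenSsl.isOcspSupported());`, keeps the JDK-side revocation checking that `createTrustManager(...)` already receives via `sslOcspEnabled` and only drops stapling where the provider cannot provide it; a one-line comment next to the call saying which mechanism each of the two uses of `sslOcspEnabled` feeds would help the next reader. Separately, `sslServerHostnameVerificationEnabled` is only routed into the trust manager here; if hostname verification under Netty depends on the engine being created with the peer host, that should be confirmed where the SslHandler is built, which I cannot see from this hunk. The same hunk is quoted again further down the thread (the second `@@ -627,6 +631,113 @@` block), so the point applies there too. `createNettySslContextForServer` starts at the end of this hunk and continues outside it.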
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException { } }
+ public SslContext createNettySslContextForClient(ZKConfig config)
+ throws KeyManagerException, TrustManagerException, SSLException {
+ String keyStoreLocation = config.getProperty(sslKeystoreLocationProperty, "");
+ String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+ String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+ if (keyStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+ } else {
+ sslContextBuilder.keyManager(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
+ }
+
+ String trustStoreLocation = config.getProperty(sslTruststoreLocationProperty, "");
+ String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, sslTruststorePasswdPathProperty);
+ String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+ boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+ boolean sslOcspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
+ boolean sslServerHostnameVerificationEnabled = config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+ boolean sslClientHostnameVerificationEnabled = sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+ if (trustStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+ } else {
+ sslContextBuilder.trustManager(createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
+ sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+ }
+
+ sslContextBuilder.enableOcsp(sslOcspEnabled);
+ sslContextBuilder.protocols(getEnabledProtocols(config));
+ sslContextBuilder.ciphers(getCipherSuites(config));
+
+ return sslContextBuilder.build();
+ }
+
+ public SslContext createNettySslContextForServer(ZKConfig config)
Review Comment: Good catch, I'll add the option to force the provider. @eolivelli > Also the tcnative library may not be available on all the platforms With or without forcing the provider, Netty will always fallback to JDK if native provider cannot be found. What do you mean by the above statement?
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org