eolivelli commented on code in PR #2015: URL: https://github.com/apache/zookeeper/pull/2015#discussion_r1234484138
########## zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md: ########## @@ -1834,6 +1834,14 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp This parameter has no effect, unless you enable the MultiAddress feature by setting *multiAddress.enabled=true*. +* *fips-mode* : + (Java system property: **zookeeper.fips-mode**) + **New in 3.8.2:** + Enable FIPS compatibility mode in ZooKeeper. If enabled, the custom trust manager (`ZKTrustManager`) that is used for + hostname verification will be disabled in order to comply with FIPS requirements. As a consequence, hostname verification is not + available in the Quorum protocol, but still can be set in client-server communication. Default: **true** (3.9.0+), Review Comment: This sentence looks scary: aren't we really validating dns hostnames? My understanding was that we enabled the https validation in Netty. I wonder if FIPS may allow that hostname verification is disabled.
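Review bot: The added *fips-mode* entry documents a default that removes a peer identity check without saying so plainly: "hostname verification is not available in the Quorum protocol" appears next to "Default: **true** (3.9.0+)", so a reader upgrading to 3.9.0+ gets quorum TLS without hostname verification unless they notice this paragraph. Suggest stating that consequence as its own sentence, naming what check on the quorum peer certificate remains when `ZKTrustManager` is disabled (the visible text does not say), and saying whether setting `zookeeper.fips-mode` to false restores quorum hostname verification. It would also help to say which FIPS requirement the custom trust manager conflicts with, since "in order to comply with FIPS requirements" gives the operator nothing to check. Minor wording: "but still can be set in client-server communication" reads better as "but can still be enabled for client-server communication".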