anmolnar commented on code in PR #2015:
URL: https://github.com/apache/zookeeper/pull/2015#discussion_r1234485053
########## zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md: ########## @@ -1834,6 +1834,14 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp This parameter has no effect, unless you enable the MultiAddress feature by setting *multiAddress.enabled=true*. +* *fips-mode* : + (Java system property: **zookeeper.fips-mode**) + **New in 3.8.2:** + Enable FIPS compatibility mode in ZooKeeper. If enabled, the custom trust manager (`ZKTrustManager`) that is used for + hostname verification will be disabled in order to comply with FIPS requirements. As a consequence, hostname verification is not + available in the Quorum protocol, but still can be set in client-server communication. Default: **true** (3.9.0+),

Review Comment:
> but still can be set in client-server communication.

I'm referring to the fact that we enabled the HTTPS verification in Netty. Hostname verification is not part of the SSL/TLS standard, so it should be implemented in the quorum protocol. Can FIPS enforce such a thing?
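
Review bot: In the new *fips-mode* entry, "hostname verification is not available in the Quorum protocol" together with "Default: **true** (3.9.0+)" means quorum TLS runs without hostname verification by default, but the entry never states that consequence directly, nor what happens to an existing quorum hostname verification setting once fips-mode is on. Suggest saying explicitly that in this mode a quorum peer is authenticated only by its certificate chaining to the trust store, documenting whether a configured quorum hostname verification option is silently ignored or rejected, and naming the setting that "still can be set in client-server communication" refers to so operators know where verification remains enforceable.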