anmolnar commented on code in PR #2271:
URL: https://github.com/apache/zookeeper/pull/2271#discussion_r2163666292


##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -548,17 +548,19 @@ public static X509TrustManager createTrustManager(
         try {
             KeyStore ts = loadTrustStore(trustStoreLocation, 
trustStorePassword, trustStoreTypeProp);
             PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ts, new 
X509CertSelector());
-            if (crlEnabled || ocspEnabled) {
-                pbParams.setRevocationEnabled(true);
-                System.setProperty("com.sun.net.ssl.checkRevocation", "true");
-                System.setProperty("com.sun.security.enableCRLDP", "true");
-                if (ocspEnabled) {
-                    Security.setProperty("ocsp.enable", "true");
-                }
-            } else {
-                pbParams.setRevocationEnabled(false);
+            // Leave CRL/OCSP JVM global properties alone both are set to 
"system" (represented as null)
+            if (!crlEnabled.isSystem() || !ocspEnabled.isSystem()) {
+                   if (crlEnabled.isTrue() || ocspEnabled.isTrue()) {
+                       pbParams.setRevocationEnabled(true);
+                       System.setProperty("com.sun.net.ssl.checkRevocation", 
"true");
+                       System.setProperty("com.sun.security.enableCRLDP", 
"true");
+                       if (ocspEnabled.isTrue()) {
+                           Security.setProperty("ocsp.enable", "true");
+                       }
+                   } else {
+                       pbParams.setRevocationEnabled(false);
+                   }
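Review bot: in the branch where both `crlEnabled` and `ocspEnabled` are "system" the new code neither sets nor clears the revocation flag on `pbParams`, and `PKIXBuilderParameters` inherits the `PKIXParameters` default of revocation checking enabled, so the trust manager built from it will attempt revocation checking (CRL by default) even though the JVM properties are left untouched; if the intent is "follow the JVM", set the flag explicitly from the property the JDK itself consults, e.g. `pbParams.setRevocationEnabled(Boolean.getBoolean("com.sun.net.ssl.checkRevocation"));`, or state in the comment that default-enabled checking is deliberate, and cover the null/null case with a unit test. Separately, the inserted block is indented by three extra spaces relative to the surrounding four-space steps (`if (crlEnabled.isTrue() || ocspEnabled.isTrue()) {` starts at column 19); realign it to match the rest of the method.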

Review Comment:
   One question here:
   In the case when both parameters are set to 'system', we won't do anything: not altering system properties and not setting revocation in `pbParams`. Will that work correctly, I mean will `pbParams` revocation flag follow the system settings?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]