[ 
https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697654#comment-13697654
 ] 

Ivan Kelly commented on BOOKKEEPER-588:
---------------------------------------

{quote}if you checked any existing services 
(https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers), they would 
support both secure and non-secure ports. for example, the imap port is 143, while 
SSL/TLS-encrypted IMAP uses port 993.{quote}
imaps, pops and smtps are older implementations which simply tunnel over an ssl 
socket. starttls versions superseded them.

The TLS with IMAP and POP rfc gives the rationale for this: 
https://tools.ietf.org/html/rfc2595#section-7

Not all apply to us, but the url scheme issue is just another way of stating 
the ids problem.

{quote}I don't think mixing the non-ssl port and the ssl port together is good 
practice, since it would make debugging and troubleshooting very 
complicated.{quote}
How is it harder to debug? We currently don't decode bk wire transmissions, and 
doing so with any form of SSL would be a pain anyhow. Once it hits the bookie, 
debugging is no more difficult. In fact, I would argue that it makes debugging 
and troubleshooting easier, as it halves the number of ports you need to check 
are working.

{quote}
But if separating the non-ssl port from the ssl port, it's straightforward for any 
client to disable the ssl port without paying any cost.
{quote}
The client will have a useSSL config option no matter which ssl option we go 
with.

{quote}
no, if a bookie has been non-ssl only in the past, it should start with its 
previous installation since the cookie already has its previous identifier. so 
any bookie client that connects to this bookie would only use its non-ssl port.

if a bookie wants to upgrade to enable ssl support, it needs to run an admin 
tool provided in BOOKKEEPER-634 to change its identifier. Changing the 
identifier is somehow needed by BOOKKEEPER-639; we could leverage the tasks in 
BOOKKEEPER-634 to achieve it.
{quote}
I think this is an unnecessary complication when we have the starttls option 
available to us. I'm not saying we shouldn't have them for BOOKKEEPER-639, but 
their use should be minimized to avoid side effects.
                
> SSL support
> -----------
>
>                 Key: BOOKKEEPER-588
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
>             Project: Bookkeeper
>          Issue Type: Sub-task
>            Reporter: Ivan Kelly
>            Assignee: Ivan Kelly
>             Fix For: 4.3.0
>
>         Attachments: 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS
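The comment above argues for one bookie port with an in-band starttls upgrade and a client-side useSSL switch, rather than a second SSL-only port. The Go program below is an added illustration of that design; it is not code from the BOOKKEEPER-588 patch or from BookKeeper itself (which is Java), and the STARTTLS/OK/PING/PONG exchange, the host name bookie.example and the self-signed certificate are all constructed for the demo. It runs both ends over a loopback TCP socket and adds the two checks a practitioner wants around an in-band upgrade: a client with useSSL set fails closed when the bookie refuses the upgrade, so it can never be quietly talked down to plaintext, and the bookie refuses any bytes pipelined behind the STARTTLS command and starts a fresh reader on the TLS connection, so plaintext never leaks into the protected session.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Toy exchange, constructed for this example (not BookKeeper's wire protocol): a useSSL client
// sends "STARTTLS"; the bookie answers "OK" and both ends run the TLS handshake on the same
// socket (or closes the connection to refuse); then "PING"/"PONG" flow in plaintext or inside TLS.
const serverName = "bookie.example" // hypothetical name, used as the self-signed cert's SAN

// selfSignedCert builds an in-memory certificate so the demo runs offline (constructed, not a real bookie cert).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

// serve is the bookie side: one listening port, optional in-band upgrade.
func serve(raw net.Conn, cert tls.Certificate, tlsEnabled bool) error {
	defer raw.Close()
	conn, r := net.Conn(raw), bufio.NewReader(raw)
	line, err := r.ReadString('\n')
	if err != nil {
		return err
	}
	if strings.TrimSpace(line) == "STARTTLS" {
		// Refuse if TLS is off, or if bytes were pipelined behind STARTTLS: those arrived in
		// plaintext and must never be executed as part of the protected session.
		if !tlsEnabled || r.Buffered() != 0 {
			return fmt.Errorf("STARTTLS refused")
		}
		if _, err := conn.Write([]byte("OK\n")); err != nil {
			return err
		}
		tconn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		if err := tconn.Handshake(); err != nil {
			return err
		}
		conn, r = tconn, bufio.NewReader(tconn) // fresh reader: never reuse a buffer that held plaintext
		if line, err = r.ReadString('\n'); err != nil {
			return err
		}
	}
	if strings.TrimSpace(line) != "PING" {
		return fmt.Errorf("unexpected command %q", line)
	}
	_, err = conn.Write([]byte("PONG\n"))
	return err
}

// connect is the client side; useSSL mirrors the config option discussed in the comment.
func connect(raw net.Conn, useSSL bool, roots *x509.CertPool) (string, error) {
	defer raw.Close()
	conn, r, mode := net.Conn(raw), bufio.NewReader(raw), "plaintext"
	if useSSL {
		if _, err := conn.Write([]byte("STARTTLS\n")); err != nil {
			return "", err
		}
		// Fail closed: a refused upgrade gets no plaintext fallback, so neither an un-upgraded
		// bookie nor an on-path party blocking the upgrade can silently downgrade a useSSL client.
		if resp, err := r.ReadString('\n'); err != nil || strings.TrimSpace(resp) != "OK" {
			return "", fmt.Errorf("STARTTLS not accepted (%q, %v)", resp, err)
		}
		tconn := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
		if err := tconn.Handshake(); err != nil {
			return "", err
		}
		conn, r, mode = tconn, bufio.NewReader(tconn), "tls"
	}
	if _, err := conn.Write([]byte("PING\n")); err != nil {
		return "", err
	}
	resp, err := r.ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(resp) + " over " + mode, nil
}

// runExchange wires a bookie and a client over loopback TCP and returns what the client saw.
func runExchange(useSSL, bookieTLS bool) (string, error) {
	cert, roots := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = serve(c, cert, bookieTLS) // a refusal surfaces on the client as a closed connection
		}
	}()
	cli, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	return connect(cli, useSSL, roots)
}

func main() {
	for _, c := range [][2]bool{{true, true}, {false, true}, {true, false}} {
		got, err := runExchange(c[0], c[1])
		fmt.Printf("useSSL=%v bookieTLS=%v -> %q err=%v\n", c[0], c[1], got, err)
	}
}
```

The three runs in main cover the cases the thread is about: a useSSL client against a TLS-enabled bookie ends up with "PONG over tls", a client with useSSL off talks plaintext to the very same port, and a useSSL client against a bookie that has not been upgraded gets an error instead of a silent plaintext session. The Buffered() check on the bookie side is the same pitfall the older STARTTLS protocols had to fix: anything the client sends in the same packet as the upgrade command is still plaintext, and a reader that keeps its buffer across the handshake would hand those bytes to the encrypted session as if they had been protected.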
