anmolnar commented on code in PR #2009:
URL: https://github.com/apache/zookeeper/pull/2009#discussion_r1231330050
##########
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java:
##########
@@ -627,6 +631,113 @@ public void enableCertFileReloading() throws IOException {
}
}
+ public SslContext createNettySslContextForClient(ZKConfig config)
+ throws KeyManagerException, TrustManagerException, SSLException {
+ String keyStoreLocation =
config.getProperty(sslKeystoreLocationProperty, "");
+ String keyStorePassword = getPasswordFromConfigPropertyOrFile(config,
sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
+ String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
+
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+ if (keyStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslKeystoreLocationProperty());
+ } else {
+ sslContextBuilder.keyManager(createKeyManager(keyStoreLocation,
keyStorePassword, keyStoreType));
+ }
+
+ String trustStoreLocation =
config.getProperty(sslTruststoreLocationProperty, "");
+ String trustStorePassword =
getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty,
sslTruststorePasswdPathProperty);
+ String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
+
+ boolean sslCrlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
+ boolean sslOcspEnabled =
config.getBoolean(this.sslOcspEnabledProperty);
+ boolean sslServerHostnameVerificationEnabled =
config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
+ boolean sslClientHostnameVerificationEnabled =
sslServerHostnameVerificationEnabled && shouldVerifyClientHostname();
+
+ if (trustStoreLocation.isEmpty()) {
+ LOG.warn("{} not specified", getSslTruststoreLocationProperty());
+ } else {
+
sslContextBuilder.trustManager(createTrustManager(trustStoreLocation,
trustStorePassword, trustStoreType,
+ sslCrlEnabled, sslOcspEnabled,
sslServerHostnameVerificationEnabled, sslClientHostnameVerificationEnabled));
+ }
+
+ sslContextBuilder.enableOcsp(sslOcspEnabled);
+ sslContextBuilder.protocols(getEnabledProtocols(config));
+ sslContextBuilder.ciphers(getCipherSuites(config));
+
+ return sslContextBuilder.build();
+ }
+
+ public SslContext createNettySslContextForServer(ZKConfig config)
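Review bot: the CRL, OCSP and hostname-verification settings (`sslCrlEnabled`, `sslOcspEnabled`, `sslServerHostnameVerificationEnabled`, `sslClientHostnameVerificationEnabled`) are only applied inside the `else` branch that calls `createTrustManager(...)`, so when `trustStoreLocation` is empty the method merely logs `"{} not specified"` and leaves the builder without an explicit trust manager, while `sslContextBuilder.enableOcsp(sslOcspEnabled)` is still called unconditionally afterwards. An operator who set those properties but mis-pointed the truststore path would get a client context that silently does not honour them; please either document this fallback in a Javadoc on `createNettySslContextForClient` or fail the build when `sslCrlEnabled`, `sslOcspEnabled` or hostname verification was explicitly requested without a truststore, mirroring how the keystore branch treats a missing location.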
Review Comment:
Do you mean the convenient jar?
Because officially, as an Apache product, we don't ship anything in binary form. My suggestion was only about making it easier for the user to _build_ the product with native support. I think whatever we include in the convenient jar, it doesn't have to be complete for every single platform.
Including only the Linux bits (which platform, x86_64? which distro, Fedora, Ubuntu?) is more than enough, I believe.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]