kezhuw commented on code in PR #2239: URL: https://github.com/apache/zookeeper/pull/2239#discussion_r2051661384
########## zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md: ########## @@ -1738,7 +1738,9 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp (Java system properties: **zookeeper.ssl.ciphersuites** and **zookeeper.ssl.quorum.ciphersuites**) **New in 3.5.5:** Specifies the enabled cipher suites to be used in client and quorum TLS negotiation. - Default: Enabled cipher suites depend on the Java runtime version being used. + Default: None, the JVM defaults are used (3.10.0+), + Enabled cipher suites are hard coded, with the ordering dependent on whether Java 8, or Java 9+ is used. + For Java 8 the list begins with the TLSv1.2 CBC ciphers, while for Java 9+ it begins with the TLSv1.2 CBM ciphers (3.5.5-3.9.x). Review Comment: > Default: None, the JVM defaults are used (3.10.0+), Enabled cipher suites are hard coded, with the ordering dependent on whether Java 8, or Java 9+ is used. For Java 8 the list begins with the TLSv1.2 CBC ciphers, while for Java 9+ it begins with the TLSv1.2 CBM ciphers (3.5.5-3.9.x). The render version does not look clear here. Given that we have a new section, I think we can move some words there. ########## zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md: ########## @@ -1877,6 +1879,17 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp Default: **true** (3.9.0+), **false** (3.8.x) +##### Cipher handling changes + +From 3.5.5 to 3.9 a hard coded default cipher list was used, with the ordering +dependent on whether it is run Java 8 or a later version. + +In 3.9 the list on Java 8 is: *TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256* + +In 3.10 the list on Java 8 is: *TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256* Review Comment: It should be `In 3.9 the list on Java 9+ is` ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
