Skip to content

Commit

Permalink
Add options for controlling client hostname verification
Browse files Browse the repository at this point in the history
  • Loading branch information
nightkr committed Jun 17, 2024
1 parent e454e8c commit 4bb9978
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 1 deletion.
6 changes: 6 additions & 0 deletions zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
Original file line number Diff line number Diff line change
Expand Up @@ -1739,6 +1739,12 @@ and [SASL authentication for ZooKeeper](https://cwiki.apache.org/confluence/disp
Disabling it only recommended for testing purposes.
Default: true

* *ssl.clientHostnameVerification* and *ssl.quorum.clientHostnameVerification* :
(Java system properties: **zookeeper.ssl.clientHostnameVerification** and **zookeeper.ssl.quorum.clientHostnameVerification**)
**New in (INSERT VERSION HERE):**
Specifies whether the client's hostname verification is enabled in client and quorum TLS negotiation process.
Default: true for quorum, false for clients

* *ssl.crl* and *ssl.quorum.crl* :
(Java system properties: **zookeeper.ssl.crl** and **zookeeper.ssl.quorum.crl**)
**New in 3.5.5:**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,7 @@ public io.netty.handler.ssl.ClientAuth toNettyClientAuth() {
private final String sslTruststoreTypeProperty = getConfigPrefix() + "trustStore.type";
private final String sslContextSupplierClassProperty = getConfigPrefix() + "context.supplier.class";
private final String sslHostnameVerificationEnabledProperty = getConfigPrefix() + "hostnameVerification";
private final String sslClientHostnameVerificationEnabledProperty = getConfigPrefix() + "clientHostnameVerification";
private final String sslCrlEnabledProperty = getConfigPrefix() + "crl";
private final String sslOcspEnabledProperty = getConfigPrefix() + "ocsp";
private final String sslClientAuthProperty = getConfigPrefix() + "clientAuth";
Expand Down Expand Up @@ -270,6 +271,10 @@ public String getSslHostnameVerificationEnabledProperty() {
return sslHostnameVerificationEnabledProperty;
}

public String getSslClientHostnameVerificationEnabledProperty() {
return sslClientHostnameVerificationEnabledProperty;
}

public String getSslCrlEnabledProperty() {
return sslCrlEnabledProperty;
}
Expand Down Expand Up @@ -305,7 +310,8 @@ public boolean isServerHostnameVerificationEnabled(ZKConfig config) {
}

public boolean isClientHostnameVerificationEnabled(ZKConfig config) {
return isServerHostnameVerificationEnabled(config) && shouldVerifyClientHostname();
return isServerHostnameVerificationEnabled(config)
&& config.getBoolean(this.getSslClientHostnameVerificationEnabledProperty(), shouldVerifyClientHostname());
}

public SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,7 @@ private void putSSLProperties(X509Util x509Util) {
properties.put(x509Util.getSslTruststorePasswdPathProperty(), System.getProperty(x509Util.getSslTruststorePasswdPathProperty()));
properties.put(x509Util.getSslTruststoreTypeProperty(), System.getProperty(x509Util.getSslTruststoreTypeProperty()));
properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty()));
properties.put(x509Util.getSslClientHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslClientHostnameVerificationEnabledProperty()));
properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty()));
properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty()));
Expand Down

0 comments on commit 4bb9978

Please sign in to comment.