ZOOKEEPER-4790: Make client hostname verification configurable

Open nightkr opened this issue 1 year ago • 4 comments

FIPS mode technically covers this, in a sort of sledgehammery way, but I think it's still worthwhile to have an explicit option for this and only this. Especially since FIPS compliance is a pretty broad thing (see ZOOKEEPER-4832) that will likely expand in the future to cover a lot of things that may or may not be desired.

nightkr avatar Jun 17 '24 13:06 nightkr

Accidentally closed the PR, sorry. Wanted to ask:

Have you considered replacing the current approach with separate config settings?

  • zookeeper.ssl.(quorum.)server.hostnameVerification
  • zookeeper.ssl.(quorum.)client.hostnameVerification

anmolnar avatar Aug 27 '24 19:08 anmolnar

In a green field I think that makes sense, but I don't think it's worth breaking the old config value "just" for this.

nightkr avatar Aug 27 '24 20:08 nightkr

> In a green field I think that makes sense, but I don't think it's worth breaking the old config value "just" for this.

You can keep backward compatibility by parsing both zookeeper.ssl.server.hostnameVerification and zookeeper.ssl.hostnameVerification as the server setting.

anmolnar avatar Aug 27 '24 20:08 anmolnar

@nightkr Ignore my previous comment. Since client hostname verification is bound to the server hostname verification setting, it makes sense to keep the original and general hostnameVerification setting. It enables/disables the entire feature. Your patch is good as it is, just elaborate a bit in the admin documentation.

anmolnar avatar Aug 27 '24 20:08 anmolnar

Sorry about the delay, got distracted by other stuff.

nightkr avatar Nov 22 '24 12:11 nightkr