On Fri, 09/09/2016 at 12:08 -0700, Sijie Guo wrote:

On Fri, Sep 9, 2016 at 10:46 AM, Arun M. Krishnakumar <akrishnaku...@salesforce.com> wrote:

Hi,

I am implementing Mutual-TLS in our environment here. I looked at Bookkeeper-588 but we cannot support StartTLS,

Can you explain why you cannot support StartTLS?

so have an implementation that does plain SSL. I get details of the SSL setup using the java environment variables, I have followed the zookeeper model for this.

We have a system with a high frequency of client certificate expiry. New certificates will be available quite a while before the old ones expire. Consider the following case:

1. Bookkeeper Client sends a request for AddEntry over SSL
2. Bookie adds the entry
3. Certificate expires and the communication channel becomes untrusted

IMHO SSL Certificates usually expire within 1 year period, is this really a production case to have a certificate which expires on a live bookie? usually certificates are renewed some time before the expire date

4. The Bookie client is not able to receive a response from the Bookie, and it marks the Bookie as being in an invalid state. (PerChannelBookieClient::messageReceived processes a failure).

I am assuming here, you are talking about the request timeout as no response coming back. Or the client received a failure?

Is the explanation above correct?

To avoid the above, I have a basic implementation of reconnect in the DefaultPerChannelBookieClientPool::obtain function, where I can detect that the old certs are about to expire and new ones are available, and provide connections from a pool with channels initialized from the new pool.

I am not very clear about this part. Are you saying you will pre-create connection with new cert and replace the connection with old cert?

Could you comment if the above makes sense?

Thanks,
Arun

--
Enrico Olivelli
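An added example, not part of the thread and not BookKeeper code: one way to express the "switch to a pool built from the new certificate before the old one expires" decision discussed above. Every name here (RotatingPoolSelector, Cred, the margin, the pool factory) is hypothetical, the sample times are constructed, and Java 16+ is assumed for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;

// Hypothetical names throughout; this is not BookKeeper's API.
public class RotatingPoolSelector<P> {
    /** Validity window of a client certificate (X.509 notBefore / notAfter). */
    public record Cred(String id, Instant notBefore, Instant notAfter) {
        boolean validAt(Instant t) {
            return !t.isBefore(notBefore) && t.isBefore(notAfter);
        }
    }

    private final Duration margin;               // rotate this long before expiry
    private final Function<Cred, P> poolFactory; // opens channels using the given cert
    private Cred activeCred;
    private P activePool;

    public RotatingPoolSelector(Cred initial, Duration margin, Function<Cred, P> poolFactory) {
        this.margin = margin;
        this.poolFactory = poolFactory;
        this.activeCred = initial;
        this.activePool = poolFactory.apply(initial);
    }

    /** Pool for a new request; synchronized so only one caller builds the new pool. */
    public synchronized P obtain(Instant now, Cred newest) {
        boolean expiring = !now.isBefore(activeCred.notAfter().minus(margin));
        boolean usable = newest != null
                && newest.validAt(now)                               // not "valid from tomorrow"
                && newest.notAfter().isAfter(activeCred.notAfter()); // a real renewal
        if (expiring && usable) {
            // The old pool is not closed here, so requests already in flight on it
            // can still receive their responses before it is retired.
            activeCred = newest;
            activePool = poolFactory.apply(newest);
        }
        return activePool;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2016-09-09T00:00:00Z"); // constructed sample times
        Cred old = new Cred("old", t0.minus(Duration.ofDays(7)), t0.plus(Duration.ofHours(2)));
        Cred fresh = new Cred("new", t0.minus(Duration.ofHours(1)), t0.plus(Duration.ofDays(7)));
        RotatingPoolSelector<String> sel =
                new RotatingPoolSelector<>(old, Duration.ofHours(1), c -> "pool(" + c.id() + ")");
        System.out.println(sel.obtain(t0, fresh));
        System.out.println(sel.obtain(t0.plus(Duration.ofMinutes(90)), fresh));
    }
}
```

With a one-hour margin, the first call (two hours before expiry) stays on the old pool and the second (thirty minutes before expiry) moves to the new one; a replacement certificate whose notBefore is still in the future is never selected.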