[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426972#comment-17426972 ]
Mate Szalay-Beko commented on ZOOKEEPER-4393:
---------------------------------------------

Just after a few glances, it looks like we are using the custom trust manager to perform some extra host verification:

{code:java}
/**
 * A custom TrustManager that supports hostname verification via org.apache.http.conn.ssl.DefaultHostnameVerifier.
 *
 * We attempt to perform verification using just the IP address first and if that fails will attempt to perform a
 * reverse DNS lookup and verify using the hostname.
 */
public class ZKTrustManager extends X509ExtendedTrustManager {
{code}

I think we could make the trust manager class configurable and add multiple trust managers. E.g.:

* having the current ZKTrustManager
* having a new trust manager that extends X509TrustManagerImpl and adds the host verification
* having SunJSSE default X509TrustManagerImpl


> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Priority: Major
>
> In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My
> service is also running in FIPS mode with the security provider
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.
> When I try to connect to ZooKeeper from my service I get the
> below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9]
> org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is that ZooKeeper has its own trust manager implementation, which is
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation, as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the
> below instance check becomes false and hence it falls into the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
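As an added illustration of the configurable-trust-manager idea from the comment (example code, not ZooKeeper's own): a selector that keeps the current ZKTrustManager wrapping by default but can hand the SunJSSE X509TrustManagerImpl to SSLContext.init() unchanged, which is the only implementation SSLContextImpl.chooseTrustManager() accepts in FIPS mode. The configuration key `zookeeper.ssl.trustManagerImpl` is an assumption, the ZKTrustManager constructor signature is assumed from 3.6.x (and assumed package-private, hence the package declaration), and the SunJSSE class is matched by name because it is not visible outside its package.

```java
package org.apache.zookeeper.common; // assumed: ZKTrustManager's constructor is package-private

import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/** Hypothetical selector (not ZooKeeper code): decides which trust manager reaches SSLContext.init(). */
public final class TrustManagerSelector {

    /** Assumed configuration key, not defined by ZooKeeper: "zk" (default) or "jdk". */
    public static final String IMPL_KEY = "zookeeper.ssl.trustManagerImpl";

    /** The SunJSSE implementation that passes the FIPS-mode instanceof check in SSLContextImpl. */
    private static final String SUNJSSE_IMPL = "sun.security.ssl.X509TrustManagerImpl";

    /** True when tm is SunJSSE's X509TrustManagerImpl; the class is package-private, so compare by name. */
    public static boolean isSunJsseTrustManager(TrustManager tm) {
        return tm != null && SUNJSSE_IMPL.equals(tm.getClass().getName());
    }

    public static X509ExtendedTrustManager select(KeyStore trustStore, boolean serverHostnameVerification,
                                                  boolean clientHostnameVerification) throws Exception {
        String impl = System.getProperty(IMPL_KEY, "zk");

        // Both variants start from the platform TrustManagerFactory; under SunJSSE this yields X509TrustManagerImpl.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509ExtendedTrustManager jdk = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                jdk = (X509ExtendedTrustManager) tm;
                break;
            }
        }
        if (jdk == null) {
            throw new IllegalStateException("no X509ExtendedTrustManager from " + tmf.getAlgorithm());
        }

        if ("jdk".equals(impl)) {
            // FIPS-compatible path: pass the SunJSSE trust manager through unchanged. ZooKeeper's own hostname
            // verification is then lost, so endpoint identification has to be enabled on the SSLParameters instead.
            return jdk;
        }
        // Current behaviour: wrap the JDK trust manager to add hostname verification. The wrapper is not an
        // X509TrustManagerImpl, so SSLContextImpl.chooseTrustManager() rejects it when SunJSSE.isFIPS() is true.
        return new ZKTrustManager(jdk, serverHostnameVerification, clientHostnameVerification);
    }
}
```

Running `isSunJsseTrustManager` over `tmf.getTrustManagers()` in the failing environment is a quick way to confirm whether the provider in use actually produces the SunJSSE implementation before changing any configuration.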