Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/08/19 02:47:14 UTC

[GitHub] [pulsar] yabinmeng edited a comment on issue #11548: Pulsar server non-tls ports are still listening when TLS in-transit encryption is enabled

yabinmeng edited a comment on issue #11548:
URL: https://github.com/apache/pulsar/issues/11548#issuecomment-901565041


   @lhotari Thanks for looking into this.
   
   In my testing, I only have one node. So I don't think `brokerClientTlsEnabled=true` and `brokerClientTlsEnabledWithKeyStore=true` matter because they're used for inter-broker communication. Technically speaking, if I want to only expose TLS ports on a broker, then I should set `brokerClientTlsEnabledWithKeyStore=true`. But in my testing it really doesn't matter.
   
   My previous testing exposed 2 issues which I believed you confirmed in #11681. 
   1. When TLS is enabled, both non-TLS and TLS ports are all listening
   2. Broker won't start if I only set TLS ports (brokerServicePortTls and webServicePortTls), but leave non-TLS ports (brokerServicePort and webServicePort) empty.
   
   Anyway, I retested with `brokerClientTlsEnabled=true` and `brokerClientTrustCertsFilePath=</path/to/root/ca/ceritificate>` (and other required TLS configuration as before), it is the same behavior:
   * I have to explicitly set all four ports (6650, 6651, 8080, 8843) in order to start broker when TLS is enabled
   * When broker is up, all 4 ports are in listening mode.
   
   Also I don't think `brokerClientTlsEnabledWithKeyStore=true` really matters if I use `brokerClientTrustCertsFilePath=</path/to/root/ca/ceritificate>` parameter. It is about using Java keystore to store the public certificate. It just adds one more layer of protection of the public certificate. 


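An added example, not part of the original comment or of the Pulsar project: a check for the condition reported above, a plaintext port still listening while its TLS counterpart is configured. The configuration fragment and the `ss -ltn` output are constructed samples using the port numbers from the comment; the function names are hypothetical.

```python
# Constructed sample broker configuration (port values taken from the comment).
SAMPLE_CONF = """\
# constructed sample
brokerServicePort=6650
brokerServicePortTls=6651
webServicePort=8080
webServicePortTls=8843
"""

# Constructed sample of `ss -ltn` output on the broker host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:6650        0.0.0.0:*
LISTEN  0       128     0.0.0.0:6651        0.0.0.0:*
LISTEN  0       128     [::]:8080           [::]:*
LISTEN  0       128     *:8843              *:*
"""

# Plaintext port setting -> its TLS counterpart (key names as given in the comment).
PLAINTEXT_TO_TLS = {
    "brokerServicePort": "brokerServicePortTls",
    "webServicePort": "webServicePortTls",
}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def listening_ports(ss_output):
    """Collect local ports from LISTEN rows; handles 0.0.0.0:, [::]: and *: forms."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def audit(conf_text, ss_output):
    """Return (setting, port) for each plaintext port that is configured next to
    a TLS port and is actually listening. An empty plaintext value is skipped."""
    conf, listening = parse_conf(conf_text), listening_ports(ss_output)
    return [(plain, int(conf[plain])) for plain, tls in PLAINTEXT_TO_TLS.items()
            if conf.get(tls) and conf.get(plain) and int(conf[plain]) in listening]
```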