Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/05/11 18:30:04 UTC

[GitHub] [pulsar] lhotari opened a new pull request #10541: Enable Conscrypt for Jetty in the Broker and in the Proxy

lhotari opened a new pull request #10541:
URL: https://github.com/apache/pulsar/pull/10541


   Fixes #10372
   
   ### Motivation
   
   * See #10372 
   * Switching to use Conscrypt improves TLS performance of Jetty
   * The change is also needed for fixing some test failures when switching to JDK 11.
   
   ### Modifications
   
   * Load Conscrypt if it's available on the classpath
   * Use the Conscrypt Security provider when it's available. Use it for non-Netty TLS configurations created with SecurityUtils or KeyStoreSSLContext class.
   * Move the Pulsar specific HostnameVerifier part of Pulsar Client from pulsar-client module to pulsar-common module so that it can be used with Conscrypt.
   * Configure Conscrypt to use TlsHostnameVerifier. 
   * Configure Conscrypt's default hostname verifier to use Pulsar's TlsHostnameVerifier which is more relaxed than the Conscrypt HostnameVerifier checking for RFC 2818 conformity.
     * Certificates used in Pulsar docs and examples aren't strictly RFC 2818 compliant since they use the deprecated way of specifying the hostname in the CN field of the subject DN of the certificate.
     * RFC 2818 recommends the use of SAN (subjectAltName) extension for specifying the hostname in the dNSName field of the subjectAltName extension.
     * Conscrypt's default HostnameVerifier has dropped support for the deprecated method of specifying the hostname in the CN field. 
     * Pulsar's TlsHostnameVerifier continues to support the CN field.
   * There's a bug in Conscrypt when setting a custom HostnameVerifier: https://github.com/google/conscrypt/issues/1015
     * Add a workaround for setting the HostnameVerifier when using Conscrypt. The workaround can be removed once the bug in Conscrypt is fixed.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
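As an added example (not code from the PR or from Pulsar itself), the policy difference the description turns on, modelled in Python: a strict verifier consults only subjectAltName dNSName entries, while the relaxed one falls back to the subject CN when the certificate carries no dNSName at all. The CertNames, hostname_verified and audit names are assumptions of this example, and the certificate names it uses are constructed.

```python
"""Hostname matching under a strict (SAN-only) policy versus a relaxed
policy that falls back to the certificate CN, as contrasted in the PR."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names taken from a server certificate (constructed sample data)."""
    cn: Optional[str]                                  # subject DN CN (deprecated place for a hostname)
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.
    A '*' is honoured only as the whole leftmost label and only when at
    least two further labels follow, so '*.com' never matches anything."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_verified(hostname: str, names: CertNames, allow_cn_fallback: bool) -> bool:
    """True if `hostname` is acceptable for a certificate carrying `names`.

    allow_cn_fallback=False models a verifier that, like the Conscrypt default
    described in the PR, consults only dNSName entries.
    allow_cn_fallback=True models the relaxed behaviour Pulsar keeps: the CN is
    consulted only when the certificate has no dNSName entries at all.
    """
    if any(_name_matches(n, hostname) for n in names.san_dns):
        return True
    if names.san_dns:
        # RFC 2818 / RFC 6125: once dNSName entries are present, the CN is ignored.
        return False
    return allow_cn_fallback and names.cn is not None and _name_matches(names.cn, hostname)


def audit(hostname: str, names: CertNames) -> str:
    """Classify a certificate: fine under both policies, CN-only, or a mismatch."""
    strict = hostname_verified(hostname, names, allow_cn_fallback=False)
    relaxed = hostname_verified(hostname, names, allow_cn_fallback=True)
    if strict:
        return "ok"
    return "cn-only" if relaxed else "mismatch"   # cn-only: reissue with a SAN before the fallback goes away
```

Running audit over the certificates a deployment actually serves tells you which ones only pass because of the CN fallback and need reissuing with a subjectAltName.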



[GitHub] [pulsar] merlimat merged pull request #10541: Enable Conscrypt for Jetty in the Broker and in the Proxy

Posted by GitBox <gi...@apache.org>.
merlimat merged pull request #10541:
URL: https://github.com/apache/pulsar/pull/10541


   





[GitHub] [pulsar] lhotari commented on pull request #10541: Enable Conscrypt for Jetty in the Broker and in the Proxy

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #10541:
URL: https://github.com/apache/pulsar/pull/10541#issuecomment-839172753


   /pulsarbot run-failure-checks

