diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
index 7bb45390382..588a8828fe3 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
@@ -19,6 +19,7 @@ package org.apache.zookeeper.common;
 import io.netty.handler.ssl.DelegatingSslContext;
+import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
@@ -79,7 +80,7 @@ public SslContext createNettySslContextForClient(ZKConfig config)
 sslContextBuilder.trustManager(tm);
 }
- sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+ handleTcnativeOcspStapling(sslContextBuilder, config);
 sslContextBuilder.protocols(getEnabledProtocols(config));
 Iterable enabledCiphers = getCipherSuites(config);
 if (enabledCiphers != null) {
@@ -120,7 +121,7 @@ public SslContext createNettySslContextForServer(ZKConfig config, KeyManager key
 sslContextBuilder.trustManager(trustManager);
 }
- sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
+ handleTcnativeOcspStapling(sslContextBuilder, config);
 sslContextBuilder.protocols(getEnabledProtocols(config));
 sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
 Iterable enabledCiphers = getCipherSuites(config);
@@ -138,6 +139,17 @@ public SslContext createNettySslContextForServer(ZKConfig config, KeyManager key
 }
 }
+ private SslContextBuilder handleTcnativeOcspStapling(SslContextBuilder builder, ZKConfig config) {
+ SslProvider sslProvider = getSslProvider(config);
+ boolean tcnative = sslProvider == SslProvider.OPENSSL || sslProvider == SslProvider.OPENSSL_REFCNT;
+ boolean ocspEnabled = config.getBoolean(getSslOcspEnabledProperty());
+
+ if (tcnative && ocspEnabled && OpenSsl.isOcspSupported()) {
+ builder.enableOcsp(ocspEnabled);
+ }
+ return builder;
+ }
+
 private SslContext addHostnameVerification(SslContext sslContext, String clientOrServer) {
 return new DelegatingSslContext(sslContext) {
 @Override
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
index 1218a00de30..ce7984734a0 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
@@ -740,6 +740,20 @@ public void testCreateSSLContext_validCustomSSLContextClass(
 assertEquals(SSLContext.getDefault(), sslContext);
 }
+ @ParameterizedTest
+ @MethodSource("data")
+ public void testCreateSSLContext_ocspWithJreProvider(
+ X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword, Integer paramIndex)
+ throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ ZKConfig zkConfig = new ZKConfig();
+ try (ClientX509Util clientX509Util = new ClientX509Util();) {
+ zkConfig.setProperty(clientX509Util.getSslOcspEnabledProperty(), "true");
+ // Must not throw IllegalArgumentException
+ clientX509Util.createSSLContext(zkConfig);
+ }
+ }
+
 private static void forceClose(Socket s) {
 if (s == null || s.isClosed()) {
 return;
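Review bot: In handleTcnativeOcspStapling an operator who sets the OCSP property to true but runs the JDK provider, or an OpenSSL build where OpenSsl.isOcspSupported() is false, now has OCSP stapling silently dropped, where the old code presumably failed loudly (the new test's comment mentions IllegalArgumentException); a requested revocation check vanishing without a trace deserves at least a warning. Add an else branch after the if, e.g. `} else if (ocspEnabled) {` / `LOG.warn("OCSP stapling requested but not supported by SSL provider {}; continuing without it", sslProvider);` / `}`, using the class's logger assuming one is in scope. Inside the branch `builder.enableOcsp(ocspEnabled)` is always `enableOcsp(true)`, so write it that way. The method returns the builder but both call sites in the earlier hunks discard the value, so either make it void or use the return, and a short Javadoc stating that the call is a no-op outside the tcnative providers would help the next reader.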
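Review bot: testCreateSSLContext_ocspWithJreProvider never pins the SSL provider to the JDK one, so which branch of handleTcnativeOcspStapling it exercises depends on the build's default provider and on whether netty-tcnative is on the test classpath; set the provider property explicitly on zkConfig (via the provider property accessor on X509Util, if there is one) so the JDK path is what runs. It also asserts only that nothing is thrown; a companion case with the OpenSSL provider, skipped when OpenSsl.isAvailable() is false, that checks the context is still built with OCSP requested would cover the other branch. The stray `;` in `try (ClientX509Util clientX509Util = new ClientX509Util();) {` is legal but normally dropped.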