Apache Knox / KNOX-903

KnoxShell allows self signed certs to be used without any checks

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.12.0
    • Fix Version/s: 0.12.0
    • Component/s: KnoxShell
    • Labels:
      None

      Description

      A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.

      In the Hadoop class it should be:

```java
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {
  // ... (non-secure branch not shown in the issue)
```

      instead of:

```java
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {
  // ... (non-secure branch not shown in the issue)
```

      The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.
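The following is an added example, not Apache Knox code, that builds an Apache HttpClient 4.5 client both ways described above so the difference can be exercised against a test endpoint. The class name, the `buildClient`/`probe` methods and the default URL are assumptions; the conditional inside `buildClient` mirrors the snippets in the issue, with a `patched` flag selecting the fixed branch.

```java
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

/**
 * Added example (hypothetical class, not part of Knox): builds an HttpClient
 * with the unfixed and the fixed trust setup from KNOX-903 so both can be
 * tried against the same TLS endpoint.
 */
public class TrustStrategyCheck {

    /** Mirrors the conditional in the issue; 'patched' selects the fixed branch. */
    static CloseableHttpClient buildClient(boolean secure, boolean patched) throws Exception {
        HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        if (secure) {
            hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            if (patched) {
                // null: HttpClient keeps the JVM's default X509TrustManager unwrapped,
                // so the server chain must validate against the trust store.
                trustStrategy = null;
            }
        }
        // With TrustSelfSignedStrategy, HttpClient wraps the default trust manager
        // and accepts any single-certificate chain before that manager is consulted;
        // hostname verification then only checks a name the certificate issuer chose.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial((KeyStore) null, trustStrategy)
                .build();
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    /** Performs one GET and reports whether the TLS handshake was accepted. */
    static String probe(String url, boolean patched) throws Exception {
        try (CloseableHttpClient client = buildClient(true, patched);
             CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            return "handshake accepted, HTTP " + response.getStatusLine().getStatusCode();
        } catch (SSLHandshakeException e) {
            return "handshake rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed target: a gateway presenting a certificate that is not in the JVM trust store.
        String url = args.length > 0 ? args[0] : "https://localhost:8443/gateway/";
        System.out.println("unfixed (TrustSelfSignedStrategy): " + probe(url, false));
        System.out.println("fixed   (default trust manager):   " + probe(url, true));
    }
}
```

Against a gateway whose self-signed certificate has not been imported into the JVM trust store, the unfixed client completes the handshake while the fixed one fails with a PKIX path-building error; importing the certificate (or pointing `javax.net.ssl.trustStore` at a store that contains it) is the supported way to make the fixed client connect.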

            People

            • Assignee:
              lmccay Larry McCay
              Reporter:
              sumit.gupta Sumit Gupta
            • Votes: 0
            • Watchers: 3