[KNOX-903] KnoxShell allows self signed certs to be used without any checks - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.12.0
Fix Version/s: 0.12.0
Component/s: KnoxShell
Labels:
None

Description

A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.

In the Hadoop class it should be:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {

instead of:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {

The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.

Attachments

Activity

People

Assignee:: Larry McCay

Reporter:: Sumit Gupta

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Mar/17 19:15

Updated:: 28/Mar/19 14:17

Resolved:: 08/Mar/17 23:48