Posted to dev@calcite.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/07/26 18:13:00 UTC

[jira] [Created] (CALCITE-1904) Support disabling SSL hostname verification

Josh Elser created CALCITE-1904:
-----------------------------------

             Summary: Support disabling SSL hostname verification
                 Key: CALCITE-1904
                 URL: https://issues.apache.org/jira/browse/CALCITE-1904
             Project: Calcite
          Issue Type: Improvement
          Components: avatica
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: avatica-1.11.0


Follow-on from CALCITE-1538:

In testing environments, it may be beneficial to disable the standard hostname verification against SSL certificates: verification that the CommonName (CN) on the certificate matches the hostname of the server. Presently, if the CN on the certificate does not match the hostname, the client will see an error:

{noformat}
java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
        at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
        at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
        at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
        at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
        at sqlline.Commands.connect(Commands.java:1064)
        at sqlline.Commands.connect(Commands.java:996)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:804)
        at sqlline.SqlLine.initArgs(SqlLine.java:588)
        at sqlline.SqlLine.begin(SqlLine.java:656)
        at sqlline.SqlLine.start(SqlLine.java:398)
        at sqlline.SqlLine.main(SqlLine.java:292)
        at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
        at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
        at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
        at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
        at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
        at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
        at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
        at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
        ... 23 more
{noformat}

Avatica should expose an option to disable the (default) strict hostname verifier.


