You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Vincent Devillers (JIRA)" <ji...@apache.org> on 2017/03/08 19:26:37 UTC

[jira] [Updated] (KNOX-903) KnoxShell allows self signed certs to be used without any checks

     [ https://issues.apache.org/jira/browse/KNOX-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vincent Devillers updated KNOX-903:
-----------------------------------
    Description: 
A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.

In the Hadoop class it should be:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {
{code}
instead of:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {
{code}
The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.

  was:A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.


> KnoxShell allows self signed certs to be used without any checks
> ----------------------------------------------------------------
>
>                 Key: KNOX-903
>                 URL: https://issues.apache.org/jira/browse/KNOX-903
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxShell
>    Affects Versions: 0.12.0
>            Reporter: Sumit Gupta
>            Priority: Critical
>             Fix For: 0.12.0
>
>
> A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.
> In the Hadoop class it should be:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
>   hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>   trustStrategy = null;
> } else {
> {code}
> instead of:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
>   hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> } else {
> {code}
> The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)