You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Vincent Devillers (JIRA)" <ji...@apache.org> on 2017/03/08 19:26:37 UTC
[jira] [Updated] (KNOX-903) KnoxShell allows self signed certs to
be used without any checks
[ https://issues.apache.org/jira/browse/KNOX-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vincent Devillers updated KNOX-903:
-----------------------------------
Description:
A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.
In the Hadoop class it should be:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
trustStrategy = null;
} else {
{code}
instead of:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {
{code}
The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.
was:A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.
> KnoxShell allows self signed certs to be used without any checks
> ----------------------------------------------------------------
>
> Key: KNOX-903
> URL: https://issues.apache.org/jira/browse/KNOX-903
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxShell
> Affects Versions: 0.12.0
> Reporter: Sumit Gupta
> Priority: Critical
> Fix For: 0.12.0
>
>
> A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.
> In the Hadoop class it should be:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
> hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> trustStrategy = null;
> } else {
> {code}
> instead of:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
> hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> } else {
> {code}
> The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)