Posted to issues@calcite.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/07/27 16:27:00 UTC

[jira] [Resolved] (CALCITE-1904) Support disabling SSL hostname verification

     [ https://issues.apache.org/jira/browse/CALCITE-1904?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser resolved CALCITE-1904.
---------------------------------
    Resolution: Fixed

Resolved in https://git-wip-us.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=c3f4611d4e94f50ed2130801c7054e3d109bde4b

> Support disabling SSL hostname verification
> -------------------------------------------
>
>                 Key: CALCITE-1904
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1904
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: avatica-1.11.0
>
>
> Follow-on from CALCITE-1538:
> In testing environments, it may be beneficial to disable the standard hostname verification against SSL certificates: verification that the CommonName (CN) on the certificate matches the hostname of the server. Presently, if the CN on the certificate does not match the hostname, the client will see an error:
> {noformat}
> java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
>         at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
>         at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
>         at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
>         at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
>         at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
>         at sqlline.Commands.connect(Commands.java:1064)
>         at sqlline.Commands.connect(Commands.java:996)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
>         at sqlline.SqlLine.dispatch(SqlLine.java:804)
>         at sqlline.SqlLine.initArgs(SqlLine.java:588)
>         at sqlline.SqlLine.begin(SqlLine.java:656)
>         at sqlline.SqlLine.start(SqlLine.java:398)
>         at sqlline.SqlLine.main(SqlLine.java:292)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
>         at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
>         at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>         at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>         at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
>         ... 23 more
> {noformat}
> Avatica should expose an option to disable the (default) strict hostname verifier.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
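
The option requested in the issue, sketched as an added example (this is not the Avatica commit or the project's code): the hostname verifier handed to `SSLConnectionSocketFactory` is selected from a setting that defaults to strict. It assumes unshaded Apache HttpClient 4.4+ on the classpath; the `HostnameVerification` enum and the `example.hostnameVerification` property are hypothetical names.

```java
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class HostnameVerificationExample {

  /** Hypothetical option values; not Avatica's actual configuration names. */
  enum HostnameVerification { STRICT, NONE }

  /** Maps the option to a verifier; only an explicit NONE relaxes the check. */
  static HostnameVerifier verifierFor(HostnameVerification mode) {
    if (mode == HostnameVerification.NONE) {
      // The certificate chain is still validated against the trust store,
      // but a trusted certificate issued for host2 is accepted when
      // connecting to host1. Suitable for test environments only.
      System.err.println("WARNING: SSL hostname verification is disabled");
      return NoopHostnameVerifier.INSTANCE;
    }
    // Default: the certificate identity must match the requested hostname,
    // otherwise the connection fails with SSLPeerUnverifiedException.
    return new DefaultHostnameVerifier();
  }

  static CloseableHttpClient buildClient(HostnameVerification mode) {
    SSLContext sslContext = SSLContexts.createDefault(); // JVM default trust store
    SSLConnectionSocketFactory factory =
        new SSLConnectionSocketFactory(sslContext, verifierFor(mode));
    return HttpClients.custom().setSSLSocketFactory(factory).build();
  }

  public static void main(String[] args) throws Exception {
    // Hypothetical system property, read only by this example.
    String raw = System.getProperty("example.hostnameVerification", "STRICT");
    HostnameVerification mode =
        HostnameVerification.valueOf(raw.toUpperCase(Locale.ROOT));
    try (CloseableHttpClient client = buildClient(mode)) {
      System.out.println("Client built with hostname verification: " + mode);
    }
  }
}
```

An unrecognised property value makes `valueOf` throw, so a typo fails closed instead of silently turning verification off.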