You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2017/03/08 23:31:38 UTC
[jira] [Assigned] (KNOX-903) KnoxShell allows self signed certs to
be used without any checks
[ https://issues.apache.org/jira/browse/KNOX-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay reassigned KNOX-903:
--------------------------------
Assignee: Larry McCay
> KnoxShell allows self signed certs to be used without any checks
> ----------------------------------------------------------------
>
> Key: KNOX-903
> URL: https://issues.apache.org/jira/browse/KNOX-903
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxShell
> Affects Versions: 0.12.0
> Reporter: Sumit Gupta
> Assignee: Larry McCay
> Priority: Critical
> Fix For: 0.12.0
>
>
> A TrustStrategy of TrustSelfSignedStrategy is being used while setting up http clients to communicate with Knox over SSL.
> In the Hadoop class it should be:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
> hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> trustStrategy = null;
> } else {
> {code}
> instead of:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
> hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> } else {
> {code}
> The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)