Posted to commits@hbase.apache.org by me...@apache.org on 2023/03/01 11:20:18 UTC

[hbase] branch branch-2 updated: HBASE-27673 Fix mTLS client hostname verification (#5066)

This is an automated email from the ASF dual-hosted git repository.

meszibalu pushed a commit to branch branch-2
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/branch-2 by this push:
     new 9a23d4a3b2d HBASE-27673 Fix mTLS client hostname verification (#5066)
9a23d4a3b2d is described below

commit 9a23d4a3b2d555a8b73bde574d5773d74d1b8845
Author: Balazs Meszaros <me...@apache.org>
AuthorDate: Wed Mar 1 12:20:06 2023 +0100

    HBASE-27673 Fix mTLS client hostname verification (#5066)
    
    Signed-off-by: Peter Somogyi <ps...@apache.org>
    Signed-off-by: Bryan Beaudreault <bb...@apache.org>
---
 .../apache/hadoop/hbase/ipc/NettyRpcServer.java    | 29 +++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index d42b03d4d5d..f3ead471fe6 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -19,10 +19,12 @@ package org.apache.hadoop.hbase.ipc;
 
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
+import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
 
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.InetSocketAddress;
+import java.net.SocketAddress;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
@@ -63,6 +65,7 @@ import org.apache.hbase.thirdparty.io.netty.channel.group.DefaultChannelGroup;
 import org.apache.hbase.thirdparty.io.netty.handler.codec.FixedLengthFrameDecoder;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
 
 /**
@@ -267,7 +270,31 @@ public class NettyRpcServer extends RpcServer {
       p.addLast("ssl", new OptionalSslHandler(nettySslContext));
       LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
     } else {
-      p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+      SocketAddress remoteAddress = p.channel().remoteAddress();
+      SslHandler sslHandler;
+
+      if (remoteAddress instanceof InetSocketAddress) {
+        InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
+        String host;
+
+        if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
+          host = remoteInetAddress.getHostName();
+        } else {
+          host = remoteInetAddress.getHostString();
+        }
+
+        int port = remoteInetAddress.getPort();
+
+        /*
+         * our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+         * engine properly by passing the remote address
+         */
+        sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
+      } else {
+        sslHandler = nettySslContext.newHandler(p.channel().alloc());
+      }
+
+      p.addLast("ssl", sslHandler);
       LOG.debug("SSL handler added for channel: {}", p.channel());
     }
   }
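Review bot: The peer address is only threaded into `newHandler` in the non-dual-mode `else` branch (L58–L80); the `OptionalSslHandler` branch at L54 is untouched, and Netty's `OptionalSslHandler` by default builds its `SslHandler` via `sslContext.newHandler(ctx.alloc())` with no peer host, so if the thirdparty copy behaves the same way, client hostname verification is still bypassed whenever plaintext support is on. Overriding `newSslHandler(ChannelHandlerContext, SslContext)` and sharing the host/port derivation through a private helper closes that gap, as sketched below (needs `Channel` and `ChannelHandlerContext` imported). Two caveats deserve a comment at the `getHostName()` call on L66: it performs a blocking reverse lookup on the event-loop thread, and the name it yields comes from a PTR record that the connecting party's network may control, so the HostnameVerifier should not treat it as stronger evidence than the IP SAN unless it forward-confirms the name. The enclosing method's signature lies above the hunk.
```java
// … unchanged: plaintext-support condition …
  p.addLast("ssl", new OptionalSslHandler(nettySslContext) {
    @Override
    protected SslHandler newSslHandler(ChannelHandlerContext ctx, SslContext sslContext) {
      // dual mode must also see the peer address, or the HostnameVerifier is skipped here
      return newSslHandlerForPeer(sslContext, ctx.channel());
    }
  });
  LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
} else {
  p.addLast("ssl", newSslHandlerForPeer(nettySslContext, p.channel()));
  LOG.debug("SSL handler added for channel: {}", p.channel());
}

/**
 * Builds an SslHandler whose SSLEngine carries the peer host/port so the configured
 * HostnameVerifier has something to check the client certificate against.
 */
private SslHandler newSslHandlerForPeer(SslContext sslContext, Channel channel) {
  SocketAddress remoteAddress = channel.remoteAddress();
  if (!(remoteAddress instanceof InetSocketAddress)) {
    return sslContext.newHandler(channel.alloc());
  }
  InetSocketAddress peer = (InetSocketAddress) remoteAddress;
  // getHostName() blocks on a reverse DNS lookup on the event loop and trusts the PTR
  // record; getHostString() avoids both by keeping the literal address.
  String host = conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)
    ? peer.getHostName()
    : peer.getHostString();
  return sslContext.newHandler(channel.alloc(), host, peer.getPort());
}
```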