You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/03/15 15:13:02 UTC

[GitHub] [knox] rlevas commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements

rlevas commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements
URL: https://github.com/apache/knox/pull/74#discussion_r266024463
 
 

 ##########
 File path: gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/DefaultHttpClientFactory.java
 ##########
 @@ -76,28 +77,14 @@ public HttpClient createHttpClient(FilterConfig filterConfig) {
     } else {
       builder = HttpClients.custom();
     }
-    if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
-      AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
-      KeystoreService ks = services.getService(GatewayServices.KEYSTORE_SERVICE);
-      final SSLContext sslcontext;
-      try {
-        KeyStore identityKeystore = ks.getKeystoreForGateway();
-        char[] identityKeyPassphrase = as.getGatewayIdentityPassphrase();
 
-        // The trustKeystore will be the same as the identityKeystore if a truststore was not explicitly
-        // configured in gateway-site (gateway.truststore.password.alias, gateway.truststore.path, gateway.truststore.type)
-        // This was the behavior before KNOX-1812
-        KeyStore trustKeystore = ks.getTruststoreForHttpClient();
-
-        sslcontext = SSLContexts.custom()
-            .loadTrustMaterial(trustKeystore, new TrustSelfSignedStrategy())
-            .loadKeyMaterial(identityKeystore, identityKeyPassphrase)
-            .build();
-      } catch (Exception e) {
-        throw new IllegalArgumentException("Unable to create SSLContext", e);
-      }
-      builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext));
+    // Conditionally set a custom SSLContext
+    boolean useTwoWaySsl = Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"));
+    SSLContext sslContext = createSSLContext(services, useTwoWaySsl);
 
 Review comment:
   Sure... I can do that.  
   
   But if we need to make changes to `createSSLContext` in the future, changing the args to passing the filterConfig could be done then.  `createSSLContext` is basically a private method, so changing its signature later should be a minor task.  If `createSSLContext` was part of an interface (or just public) that may be another story. 
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services