You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/03/15 14:05:20 UTC

[GitHub] [knox] risdenk commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements

risdenk commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements
URL: https://github.com/apache/knox/pull/74#discussion_r265993352
 
 

 ##########
 File path: gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/DefaultHttpClientFactory.java
 ##########
 @@ -76,28 +77,14 @@ public HttpClient createHttpClient(FilterConfig filterConfig) {
     } else {
       builder = HttpClients.custom();
     }
-    if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
-      AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
-      KeystoreService ks = services.getService(GatewayServices.KEYSTORE_SERVICE);
-      final SSLContext sslcontext;
-      try {
-        KeyStore identityKeystore = ks.getKeystoreForGateway();
-        char[] identityKeyPassphrase = as.getGatewayIdentityPassphrase();
 
-        // The trustKeystore will be the same as the identityKeystore if a truststore was not explicitly
-        // configured in gateway-site (gateway.truststore.password.alias, gateway.truststore.path, gateway.truststore.type)
-        // This was the behavior before KNOX-1812
-        KeyStore trustKeystore = ks.getTruststoreForHttpClient();
-
-        sslcontext = SSLContexts.custom()
-            .loadTrustMaterial(trustKeystore, new TrustSelfSignedStrategy())
-            .loadKeyMaterial(identityKeystore, identityKeyPassphrase)
-            .build();
-      } catch (Exception e) {
-        throw new IllegalArgumentException("Unable to create SSLContext", e);
-      }
-      builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext));
+    // Conditionally set a custom SSLContext
+    boolean useTwoWaySsl = Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"));
+    SSLContext sslContext = createSSLContext(services, useTwoWaySsl);
 
 Review comment:
   So to be more "future proof", can we send in the filterConfig and move the boolean into the createSSLContext? This way we can use other filterconfig items later if needed to configure the SSLContext

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services