Posted to reviews@impala.apache.org by "Sailesh Mukil (Code Review)" <ge...@cloudera.org> on 2018/04/05 23:44:13 UTC

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Sailesh Mukil has uploaded this change for review. ( http://gerrit.cloudera.org:8080/9940 )


Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify X509_verify_cert()
with the top certificate in the server certificate chain.

With this change, we pass the chain to X509_STORE_CTX_init() as well to make
sure that the entire chain gets checked against the CA.

A test is added that uses the specific certificate format mentioned above
and added to rpc-test.

TODO: Add a test case that has multiple intermediate CAs. Right now we're testing
with only one intermediate CA.

Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
---
M be/src/kudu/rpc/rpc-test.cc
M be/src/kudu/security/test/test_certs.cc
M be/src/kudu/security/test/test_certs.h
M be/src/kudu/security/tls_context.cc
4 files changed, 263 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/40/9940/1
-- 
To view, visit http://gerrit.cloudera.org:8080/9940
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
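
Added example (editor's illustration, not code from this change or from the Kudu/Impala tree): the
cert.pem / truststore.pem layout from the commit message rebuilt with the OpenSSL command-line tool,
then verified both ways. `openssl verify cert.pem` reads only the first certificate in the file, so
the intermediate CA that follows it is ignored; that is the same situation as the old
TlsContext::VerifyCertChainUnlocked() handing only the leaf to X509_verify_cert(). Supplying the file
again through `-untrusted` gives the verifier the rest of the chain, which is what passing the chain
to X509_STORE_CTX_init() does in the fix. Assumptions: an `openssl` binary (1.1.1 or 3.x) on PATH;
the CNs are copied from the commit message, and the leaf CN "hostname" is a placeholder as there;
the extension config, key type and validity period are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the KUDU-2401 change. Rebuilds root -> intermediate -> leaf
# and shows why verifying only the first cert of cert.pem fails while passing the
# chain succeeds. Assumes an `openssl` CLI (1.1.1 or 3.x) on PATH.
set -e
command -v openssl >/dev/null || { echo "openssl not found on PATH" >&2; exit 1; }

# Writes root.pem / int.pem / leaf.pem plus the two files from the commit message,
# cert.pem (leaf followed by intermediate) and truststore.pem (root only), into $1.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config: a DN section (overridden by -subj) and two extension sets.
  # basicConstraints CA:TRUE is required on the intermediate or OpenSSL rejects it
  # as an issuer (X509_V_ERR_INVALID_CA); the leaf is explicitly not a CA.
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  for name in root int leaf; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/$name.key"
  done
  # Root CA: self-signed, CN=CertToolkitRootCA.
  openssl req -x509 -new -key "$dir/root.key" -subj /CN=CertToolkitRootCA -days 7 \
    -config "$dir/ext.cnf" -extensions ca_ext -out "$dir/root.pem"
  # Intermediate CA: CN=CertToolkitIntCA, signed by the root.
  openssl req -new -key "$dir/int.key" -subj /CN=CertToolkitIntCA \
    -config "$dir/ext.cnf" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 7 -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/int.pem"
  # Leaf: CN=hostname (placeholder, as in the commit message), signed by the intermediate.
  openssl req -new -key "$dir/leaf.key" -subj /CN=hostname \
    -config "$dir/ext.cnf" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 7 -extfile "$dir/ext.cnf" -extensions leaf_ext -out "$dir/leaf.pem"
  # The two files described in the commit message.
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/cert.pem"
  cp "$dir/root.pem" "$dir/truststore.pem"
}

# Old behaviour: only the first certificate in cert.pem reaches the verifier, so the
# chain builder cannot find the leaf's issuer. Returns non-zero; openssl reports
# "unable to get local issuer certificate".
verify_leaf_only() {
  openssl verify -no-CApath -CAfile "$1/truststore.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Fixed behaviour: the certificates in cert.pem are also supplied as untrusted chain
# material, so leaf -> intermediate -> root is built and checked against the root.
verify_with_chain() {
  openssl verify -no-CApath -CAfile "$1/truststore.pem" \
    -untrusted "$1/cert.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone run (`sh chain_verify.sh --demo`): prints one line per case.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d" >/dev/null 2>&1
  verify_leaf_only "$d" && echo "leaf only:  OK" || echo "leaf only:  FAILED (expected)"
  verify_with_chain "$d" && echo "with chain: OK" || echo "with chain: FAILED"
  rm -rf "$d"
fi
```

The `-untrusted` file plays the role of the `chain` argument to X509_STORE_CTX_init(): certificates
there are never trusted on their own, they are only candidate issuers, and the path still has to end
at a certificate in the trust store (truststore.pem). Drop the root from truststore.pem and the second
call fails as well, which is the check that matters: the intermediate bundled in cert.pem must not be
able to vouch for itself.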

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 1: Verified+1


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Comment-Date: Fri, 06 Apr 2018 05:03:18 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 1:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/2247/


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Comment-Date: Fri, 06 Apr 2018 01:10:16 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Sailesh Mukil (Code Review)" <ge...@cloudera.org>.
Sailesh Mukil has posted comments on this change. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 1:

This is the fix for the blocker IMPALA-6806.
The cherry-pick was clean.


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Comment-Date: Thu, 05 Apr 2018 23:44:55 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Lars Volker (Code Review)" <ge...@cloudera.org>.
Lars Volker has posted comments on this change. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 1: Code-Review+2


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Comment-Date: Fri, 06 Apr 2018 01:09:47 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 1:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/2248/


-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Comment-Date: Fri, 06 Apr 2018 01:10:25 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/9940 )

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify X509_verify_cert()
with the top certificate in the server certificate chain.

With this change, we pass the chain to X509_STORE_CTX_init() as well to make
sure that the entire chain gets checked against the CA.

A test is added that uses the specific certificate format mentioned above
and added to rpc-test.

TODO: Add a test case that has multiple intermediate CAs. Right now we're testing
with only one intermediate CA.

Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Reviewed-on: http://gerrit.cloudera.org:8080/9940
Reviewed-by: Lars Volker <lv...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M be/src/kudu/rpc/rpc-test.cc
M be/src/kudu/security/test/test_certs.cc
M be/src/kudu/security/test/test_certs.h
M be/src/kudu/security/tls_context.cc
4 files changed, 263 insertions(+), 4 deletions(-)

Approvals:
  Lars Volker: Looks good to me, approved
  Impala Public Jenkins: Verified

-- 

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 2
Gerrit-Owner: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>