Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/08 09:04:32 UTC

[GitHub] [pulsar] fantapsody opened a new pull request, #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

fantapsody opened a new pull request, #17543:
URL: https://github.com/apache/pulsar/pull/17543

   Fixes https://github.com/apache/pulsar/issues/16416
   
   ### Motivation
   
   The pulsar admin client and the HTTP lookup service don't add an SNI header when `tlsHostnameVerification` is not enabled.
   
   ### Modifications
   
   The async-http-client doesn't split the flag for SNI header and hostname verification, so I added a new SSL engine factory to set the SNI header.
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   This change is already covered by existing tests, such as *(please describe tests)*.
   
   ### Does this pull request potentially affect one of the following parts:
   
   
   
   ### Documentation
   
   Check the box below or label this PR directly.
   
   Need to update docs? 
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
     
   - [x] `doc-not-needed` 
   (Please explain why)
     
   - [ ] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
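
The separation the PR description relies on (SNI is a ClientHello field, hostname verification is a certificate check) can be shown with JDK classes alone. This is an added example, not code from the pull request or from async-http-client; the class name and the host name are made up for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniWithoutHostnameVerification {

    // Client engine with endpoint identification off; SNI only if sniHost != null.
    static SSLEngine clientEngine(SSLContext ctx, String sniHost) {
        SSLEngine engine = ctx.createSSLEngine(); // no peer host: no implicit SNI
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(null); // hostname verification off
        if (sniHost != null) {
            params.setServerNames(List.of(new SNIHostName(sniHost)));
        }
        engine.setSSLParameters(params);
        return engine;
    }

    // Generate the ClientHello in memory (no network I/O) and look for the name,
    // which the server_name extension carries as clear-text ASCII.
    static boolean helloCarriesName(SSLEngine engine, String name) throws Exception {
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);
        out.flip();
        byte[] hello = new byte[out.remaining()];
        out.get(hello);
        return new String(hello, StandardCharsets.ISO_8859_1).contains(name);
    }

    public static void main(String[] args) throws Exception {
        String host = "broker.example.test"; // constructed sample name
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("without setServerNames: "
                + helloCarriesName(clientEngine(ctx, null), host));
        System.out.println("with setServerNames:    "
                + helloCarriesName(clientEngine(ctx, host), host));
    }
}
```

Both engines leave the endpoint identification algorithm unset, so only the explicit `setServerNames` call decides whether the server sees a name to route on.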


[GitHub] [pulsar] fantapsody commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
fantapsody commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1242001349

   > I wonder can we use the allowTlsInsecureConnection() instead of the enableTlsHostnameVerification()?
   
   @nodece I think they do different validations.




[GitHub] [pulsar] nodece commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
nodece commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1241561906

   I wonder can we use the `allowTlsInsecureConnection()` instead of the `enableTlsHostnameVerification()`?




[GitHub] [pulsar] fantapsody commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
fantapsody commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1242000295

   @michaeljmarshall Thanks for the feedback, please take another look.




[GitHub] [pulsar] michaeljmarshall commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1244837961

   @fantapsody - can you please rebase this PR so that it picks up the latest CI fixes? There were recent changes that we need to capture before we can merge this PR. Thanks.




[GitHub] [pulsar] fantapsody commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
fantapsody commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1241435630

   /pulsarbot run-failure-checks




[GitHub] [pulsar] fantapsody commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
fantapsody commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1244868495

   > @fantapsody - can you please rebase this PR so that it picks up the latest CI fixes? There were recent changes that we need to capture before we can merge this PR. Thanks.
   
   Done. @michaeljmarshall 




[GitHub] [pulsar] fantapsody commented on pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
fantapsody commented on PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#issuecomment-1241363505

   @michaeljmarshall PTAL




[GitHub] [pulsar] codelipenghui merged pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
codelipenghui merged PR #17543:
URL: https://github.com/apache/pulsar/pull/17543




[GitHub] [pulsar] michaeljmarshall commented on a diff in pull request #17543: [fix][admin] Add SNI header when tlsHostnameVerification is not enabled

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on code in PR #17543:
URL: https://github.com/apache/pulsar/pull/17543#discussion_r966588366


##########
pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java:
##########
@@ -144,6 +145,10 @@ public boolean keepAlive(InetSocketAddress remoteAddress, Request ahcRequest,
 
                 confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
                 confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
+                if (!conf.isTlsHostnameVerificationEnable()) {
+                    confBuilder.setSslEngineFactory(new WithSNISslEngineFactory(serviceNameResolver
+                            .resolveHostUri().getHost()));
+                }
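
Review bot: The value passed to `new WithSNISslEngineFactory(...)` in the added `if` block is not checked: `serviceNameResolver.resolveHostUri().getHost()` is read once while the config is built, and `URI.getHost()` can return null or an IP literal, neither of which is a valid SNI server name (RFC 6066 allows DNS host names only). Consider skipping the factory in those cases. Because the name is captured here rather than per connection, a service URL that resolves to more than one host would present the same SNI name to each of them, so deriving the name from the peer host of each connection, if the factory is given it, would be safer. A one-line comment on why SNI is set explicitly only on the verification-disabled path would also help the next reader.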

Review Comment:
   Looks like this declaration needs to be moved up like it is in the `AsyncHttpConnector` so that it does not override the `sslEngineFactory` when using a keystore.


