Posted to commits@pulsar.apache.org by pe...@apache.org on 2020/06/05 01:26:59 UTC

[pulsar] branch master updated: [Issue 2793][Doc]--Update the TLS hostname verification for CPP and Python clients (#7162)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 5070b14  [Issue 2793][Doc]--Update the TLS hostname verification for CPP and Python clients (#7162)
5070b14 is described below

commit 5070b143eb0bde72368605df280b305304199376
Author: HuanliMeng <48...@users.noreply.github.com>
AuthorDate: Fri Jun 5 09:26:47 2020 +0800

    [Issue 2793][Doc]--Update the TLS hostname verification for CPP and Python clients (#7162)
    
    Main updates:
    1: update the TLS hostname verification code example for C++ and Python clients.
    2: fix link errors.
    3: arrange doc heading levels.
---
 site2/docs/security-tls-transport.md | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/site2/docs/security-tls-transport.md b/site2/docs/security-tls-transport.md
index 7ee0a71..8dbe5fb 100644
--- a/site2/docs/security-tls-transport.md
+++ b/site2/docs/security-tls-transport.md
@@ -168,7 +168,7 @@ When you enable the TLS transport encryption, you need to configure the client t
 
 As the server certificate that you generated above does not belong to any of the default trust chains, you also need to either specify the path the **trust cert** (recommended), or tell the client to allow untrusted server certs.
 
-#### Hostname verification
+### Hostname verification
 
 Hostname verification is a TLS security feature whereby a client can refuse to connect to a server if the "CommonName" does not match the hostname to which the hostname is connecting. By default, Pulsar clients disable hostname verification, as it requires that each broker has a DNS record and a unique cert.
 
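Review bot: The paragraph under the promoted heading still reads "the hostname to which the hostname is connecting", which looks like a slip for "to which the client is connecting". Since this change already touches the Hostname verification section, fix that sentence in the same commit.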
@@ -180,7 +180,7 @@ The examples below show hostname verification being disabled for the Java client
 
 ### CLI tools
 
-[Command-line tools](reference-cli-tools.md) like [`pulsar-admin`](reference-cli-tools#pulsar-admin), [`pulsar-perf`](reference-cli-tools#pulsar-perf), and [`pulsar-client`](reference-cli-tools#pulsar-client) use the `conf/client.conf` config file in a Pulsar installation.
+[Command-line tools](reference-cli-tools.md) like [`pulsar-admin`](reference-cli-tools.md#pulsar-admin), [`pulsar-perf`](reference-cli-tools.md#pulsar-perf), and [`pulsar-client`](reference-cli-tools.md#pulsar-client) use the `conf/client.conf` config file in a Pulsar installation.
 
 You need to add the following parameters to that file to use TLS transport with the CLI tools of Pulsar:
 
@@ -193,7 +193,7 @@ tlsTrustCertsFilePath=/path/to/ca.cert.pem
 tlsEnableHostnameVerification=false
 ```
 
-### Java client
+#### Java client
 
 ```java
 import org.apache.pulsar.client.api.PulsarClient;
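Review bot: Demoting `Java client` to `####` in this hunk nests it under the unchanged `### CLI tools` heading, so the client-library examples will render as subsections of the CLI tools section. Either demote `CLI tools` to `####` as well, so that it and the client examples are siblings, or add a separate `###` parent heading for the client examples.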
@@ -207,30 +207,31 @@ PulsarClient client = PulsarClient.builder()
     .build();
 ```
 
-### Python client
+#### Python client
 
 ```python
 from pulsar import Client
 
 client = Client("pulsar+ssl://broker.example.com:6651/",
+                tls_hostname_verification=True,
                 tls_trust_certs_file_path="/path/to/ca.cert.pem",
                 tls_allow_insecure_connection=False) // defaults to false from v2.2.0 onwards
 ```
 
-### C++ client
+#### C++ client
 
 ```c++
 #include <pulsar/Client.h>
 
-pulsar::ClientConfiguration config;
-config.setUseTls(true);
-config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
-config.setTlsAllowInsecureConnection(false); // defaults to false from v2.2.0 onwards
-
-pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);
+ClientConfiguration config = ClientConfiguration();
+config.setUseTls(true);  // shouldn't be needed soon
+config.setTlsTrustCertsFilePath(caPath);
+config.setTlsAllowInsecureConnection(false);
+config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath, clientPrivateKeyPath));
+config.setValidateHostName(true);
 ```
 
-### Node.js client
+#### Node.js client
 
 ```JavaScript
 const Pulsar = require('pulsar-client');
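Review bot: The replacement C++ example no longer stands alone. It drops the `pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);` line, uses `caPath`, `clientPublicKeyPath` and `clientPrivateKeyPath` without defining them, and writes `ClientConfiguration` unqualified while `pulsar::AuthTls` is qualified. Suggest keeping the previous block and adding only `config.setValidateHostName(true);`. The `config.setAuth(pulsar::AuthTls::create(...))` call configures client authentication and is not needed to show hostname verification in a transport-encryption page. In the Python block, the new `tls_hostname_verification=True` line sits two lines above a trailing `// defaults to false from v2.2.0 onwards` comment, which is not valid Python; change `//` to `#` while editing this example. The surrounding text (visible in the earlier hunk header) says the examples show hostname verification being disabled, whereas both updated examples now enable it, so that sentence needs updating too.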
@@ -243,7 +244,7 @@ const Pulsar = require('pulsar-client');
 })();
 ```
 
-### C# client
+#### C# client
 
 ```c#
 var certificate = new X509Certificate2("ca.cert.pem");