You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2019/05/09 16:38:05 UTC

[pulsar] branch master updated: Add flag to allow TLS hostname validation to be disabled in python (#4217)

This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 345e9ab  Add flag to allow TLS hostname validation to be disabled in python (#4217)
345e9ab is described below

commit 345e9ab1b4716f37739eab58f7d5adeada1cd53d
Author: Ivan Kelly <iv...@apache.org>
AuthorDate: Thu May 9 18:37:59 2019 +0200

    Add flag to allow TLS hostname validation to be disabled in python (#4217)
    
    * Add flag to allow TLS hostname validation to be disabled in python
    
    * Update default to false
---
 pulsar-client-cpp/lib/HTTPLookupService.cc  | 5 ++++-
 pulsar-client-cpp/lib/HTTPLookupService.h   | 1 +
 pulsar-client-cpp/python/pulsar/__init__.py | 9 ++++++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pulsar-client-cpp/lib/HTTPLookupService.cc b/pulsar-client-cpp/lib/HTTPLookupService.cc
index bc99ab9..e62e78b 100644
--- a/pulsar-client-cpp/lib/HTTPLookupService.cc
+++ b/pulsar-client-cpp/lib/HTTPLookupService.cc
@@ -54,7 +54,8 @@ HTTPLookupService::HTTPLookupService(const std::string &lookupUrl,
       lookupTimeoutInSeconds_(clientConfiguration.getOperationTimeoutSeconds()),
       isUseTls_(clientConfiguration.isUseTls()),
       tlsAllowInsecure_(clientConfiguration.isTlsAllowInsecureConnection()),
-      tlsTrustCertsFilePath_(clientConfiguration.getTlsTrustCertsFilePath()) {
+      tlsTrustCertsFilePath_(clientConfiguration.getTlsTrustCertsFilePath()),
+      tlsValidateHostname_(clientConfiguration.isValidateHostName()) {
     if (lookupUrl[lookupUrl.length() - 1] == '/') {
         // Remove trailing '/'
         adminUrl_ = lookupUrl.substr(0, lookupUrl.length() - 1);
@@ -225,6 +226,8 @@ Result HTTPLookupService::sendHTTPRequest(const std::string completeUrl, std::st
             curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
         }
 
+        curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, tlsValidateHostname_ ? 1L : 0L);
+
         if (authDataContent->hasDataForTls()) {
             curl_easy_setopt(handle, CURLOPT_SSLCERT, authDataContent->getTlsCertificates().c_str());
             curl_easy_setopt(handle, CURLOPT_SSLKEY, authDataContent->getTlsPrivateKey().c_str());
diff --git a/pulsar-client-cpp/lib/HTTPLookupService.h b/pulsar-client-cpp/lib/HTTPLookupService.h
index fb46400..4cc6e08 100644
--- a/pulsar-client-cpp/lib/HTTPLookupService.h
+++ b/pulsar-client-cpp/lib/HTTPLookupService.h
@@ -45,6 +45,7 @@ class HTTPLookupService : public LookupService, public std::enable_shared_from_t
     bool tlsAllowInsecure_;
     bool isUseTls_;
     std::string tlsTrustCertsFilePath_;
+    bool tlsValidateHostname_;
 
     static LookupDataResultPtr parsePartitionData(const std::string&);
     static LookupDataResultPtr parseLookupData(const std::string&);
diff --git a/pulsar-client-cpp/python/pulsar/__init__.py b/pulsar-client-cpp/python/pulsar/__init__.py
index ee71387..9de1719 100644
--- a/pulsar-client-cpp/python/pulsar/__init__.py
+++ b/pulsar-client-cpp/python/pulsar/__init__.py
@@ -289,7 +289,8 @@ class Client:
                  log_conf_file_path=None,
                  use_tls=False,
                  tls_trust_certs_file_path=None,
-                 tls_allow_insecure_connection=False
+                 tls_allow_insecure_connection=False,
+                 tls_validate_hostname=False,
                  ):
         """
         Create a new Pulsar client instance.
@@ -329,6 +330,10 @@ class Client:
         * `tls_allow_insecure_connection`:
           Configure whether the Pulsar client accepts untrusted TLS certificates
           from the broker.
+        * `tls_validate_hostname`:
+          Configure whether the Pulsar client validates that the hostname of the
+          endpoint, matches the common name on the TLS certificate presented by
+          the endpoint.
         """
         _check_type(str, service_url, 'service_url')
         _check_type_or_none(Authentication, authentication, 'authentication')
@@ -340,6 +345,7 @@ class Client:
         _check_type(bool, use_tls, 'use_tls')
         _check_type_or_none(str, tls_trust_certs_file_path, 'tls_trust_certs_file_path')
         _check_type(bool, tls_allow_insecure_connection, 'tls_allow_insecure_connection')
+        _check_type(bool, tls_validate_hostname, 'tls_validate_hostname')
 
         conf = _pulsar.ClientConfiguration()
         if authentication:
@@ -357,6 +363,7 @@ class Client:
         else:
             conf.tls_trust_certs_file_path(certifi.where())
         conf.tls_allow_insecure_connection(tls_allow_insecure_connection)
+        conf.tls_validate_hostname(tls_validate_hostname)
         self._client = _pulsar.Client(service_url, conf)
         self._consumers = []