Posted to commits@pulsar.apache.org by mm...@apache.org on 2019/05/09 16:38:05 UTC
[pulsar] branch master updated: Add flag to allow TLS hostname
validation to be disabled in python (#4217)
This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 345e9ab Add flag to allow TLS hostname validation to be disabled in python (#4217)
345e9ab is described below
commit 345e9ab1b4716f37739eab58f7d5adeada1cd53d
Author: Ivan Kelly <iv...@apache.org>
AuthorDate: Thu May 9 18:37:59 2019 +0200
Add flag to allow TLS hostname validation to be disabled in python (#4217)
* Add flag to allow TLS hostname validation to be disabled in python
* Update default to false
---
pulsar-client-cpp/lib/HTTPLookupService.cc | 5 ++++-
pulsar-client-cpp/lib/HTTPLookupService.h | 1 +
pulsar-client-cpp/python/pulsar/__init__.py | 9 ++++++++-
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/pulsar-client-cpp/lib/HTTPLookupService.cc b/pulsar-client-cpp/lib/HTTPLookupService.cc
index bc99ab9..e62e78b 100644
--- a/pulsar-client-cpp/lib/HTTPLookupService.cc
+++ b/pulsar-client-cpp/lib/HTTPLookupService.cc
@@ -54,7 +54,8 @@ HTTPLookupService::HTTPLookupService(const std::string &lookupUrl,
lookupTimeoutInSeconds_(clientConfiguration.getOperationTimeoutSeconds()),
isUseTls_(clientConfiguration.isUseTls()),
tlsAllowInsecure_(clientConfiguration.isTlsAllowInsecureConnection()),
- tlsTrustCertsFilePath_(clientConfiguration.getTlsTrustCertsFilePath()) {
+ tlsTrustCertsFilePath_(clientConfiguration.getTlsTrustCertsFilePath()),
+ tlsValidateHostname_(clientConfiguration.isValidateHostName()) {
if (lookupUrl[lookupUrl.length() - 1] == '/') {
// Remove trailing '/'
adminUrl_ = lookupUrl.substr(0, lookupUrl.length() - 1);
@@ -225,6 +226,8 @@ Result HTTPLookupService::sendHTTPRequest(const std::string completeUrl, std::st
curl_easy_setopt(handle, CURLOPT_CAINFO, tlsTrustCertsFilePath_.c_str());
}
+ curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, tlsValidateHostname_ ? 1L : 0L);
+
if (authDataContent->hasDataForTls()) {
curl_easy_setopt(handle, CURLOPT_SSLCERT, authDataContent->getTlsCertificates().c_str());
curl_easy_setopt(handle, CURLOPT_SSLKEY, authDataContent->getTlsPrivateKey().c_str());
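Review bot: The "enabled" value handed to CURLOPT_SSL_VERIFYHOST on the added line should be 2L rather than 1L; libcurl documents 2 as the value that verifies the certificate against the host name, whereas 1 was historically a weaker "a name is present" check and is rejected with CURLE_BAD_FUNCTION_ARGUMENT by libcurl versions from 7.28.1 up to 7.66.0 (newer versions silently treat 1 as 2). In the versions that reject it the option simply keeps libcurl's default of 2, so verification stays on only by accident, and since the return value of curl_easy_setopt is not checked here (consistent with the surrounding calls) the rejection is invisible. Change the line to `curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, tlsValidateHostname_ ? 2L : 0L);`. sendHTTPRequest starts and ends outside this hunk.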
diff --git a/pulsar-client-cpp/lib/HTTPLookupService.h b/pulsar-client-cpp/lib/HTTPLookupService.h
index fb46400..4cc6e08 100644
--- a/pulsar-client-cpp/lib/HTTPLookupService.h
+++ b/pulsar-client-cpp/lib/HTTPLookupService.h
@@ -45,6 +45,7 @@ class HTTPLookupService : public LookupService, public std::enable_shared_from_t
bool tlsAllowInsecure_;
bool isUseTls_;
std::string tlsTrustCertsFilePath_;
+ bool tlsValidateHostname_;
static LookupDataResultPtr parsePartitionData(const std::string&);
static LookupDataResultPtr parseLookupData(const std::string&);
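Review bot: The new member on the added line is a security-relevant switch but carries no documentation, and its name does not make clear what it controls or what the safe setting is. A one-line comment tying it to its effect would help the next reader, e.g. `bool tlsValidateHostname_;  // false disables CURLOPT_SSL_VERIFYHOST on lookup requests`. The class declaration continues outside this hunk.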
diff --git a/pulsar-client-cpp/python/pulsar/__init__.py b/pulsar-client-cpp/python/pulsar/__init__.py
index ee71387..9de1719 100644
--- a/pulsar-client-cpp/python/pulsar/__init__.py
+++ b/pulsar-client-cpp/python/pulsar/__init__.py
@@ -289,7 +289,8 @@ class Client:
log_conf_file_path=None,
use_tls=False,
tls_trust_certs_file_path=None,
- tls_allow_insecure_connection=False
+ tls_allow_insecure_connection=False,
+ tls_validate_hostname=False,
):
"""
Create a new Pulsar client instance.
@@ -329,6 +330,10 @@ class Client:
* `tls_allow_insecure_connection`:
Configure whether the Pulsar client accepts untrusted TLS certificates
from the broker.
+ * `tls_validate_hostname`:
+ Configure whether the Pulsar client validates that the hostname of the
+ endpoint, matches the common name on the TLS certificate presented by
+ the endpoint.
"""
_check_type(str, service_url, 'service_url')
_check_type_or_none(Authentication, authentication, 'authentication')
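Review bot: The added docstring entry describes the check as matching "the common name on the TLS certificate", but the underlying libcurl host-name verification also accepts a matching subject alternative name, and the entry does not say that the option defaults to False (the signature hunk above sets `tls_validate_hostname=False`), which is the detail a user weighing this flag most needs. There is also a stray comma in "endpoint, matches". Suggested wording: `Configure whether the Pulsar client validates that the hostname of the endpoint matches the hostname in the TLS certificate presented by the endpoint (subject alternative name or common name). Defaults to False.` The docstring and the `__init__` body continue outside this hunk.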
@@ -340,6 +345,7 @@ class Client:
_check_type(bool, use_tls, 'use_tls')
_check_type_or_none(str, tls_trust_certs_file_path, 'tls_trust_certs_file_path')
_check_type(bool, tls_allow_insecure_connection, 'tls_allow_insecure_connection')
+ _check_type(bool, tls_validate_hostname, 'tls_validate_hostname')
conf = _pulsar.ClientConfiguration()
if authentication:
@@ -357,6 +363,7 @@ class Client:
else:
conf.tls_trust_certs_file_path(certifi.where())
conf.tls_allow_insecure_connection(tls_allow_insecure_connection)
+ conf.tls_validate_hostname(tls_validate_hostname)
self._client = _pulsar.Client(service_url, conf)
self._consumers = []