Posted to commits@pinot.apache.org by jl...@apache.org on 2021/11/04 18:48:20 UTC
[pinot] 01/01: Fix verifyHostname issue in FileUploadDownloadClient
This is an automated email from the ASF dual-hosted git repository.
jlli pushed a commit to branch fix-ssl-hostname-validator
in repository https://gitbox.apache.org/repos/asf/pinot.git
commit 166dd011afde29cc946f49829031cfaaadb16002
Author: Jack Li(Analytics Engineering) <jl...@jlli-mn1.linkedin.biz>
AuthorDate: Thu Nov 4 11:47:42 2021 -0700
Fix verifyHostname issue in FileUploadDownloadClient
---
.../org/apache/pinot/common/utils/ClientSSLContextGenerator.java | 1 +
.../org/apache/pinot/common/utils/FileUploadDownloadClient.java | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
index eaf9978..a6d1abf 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
@@ -83,6 +83,7 @@ public class ClientSSLContextGenerator {
sslContext = SSLContext.getInstance(SECURITY_ALGORITHM);
sslContext.init(keyManagers, trustManagers, null);
} catch (Exception e) {
+ LOGGER.error("Exception when generating SSLContext", e);
Utils.rethrowException(e);
}
return sslContext;
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
index 9305d16..428a1ca 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
@@ -49,6 +49,8 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.entity.mime.HttpMultipartMode;
@@ -60,6 +62,7 @@ import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.apache.pinot.common.exception.HttpErrorStatusException;
import org.apache.pinot.common.restlet.resources.StartReplaceSegmentsRequest;
@@ -141,9 +144,11 @@ public class FileUploadDownloadClient implements Closeable {
*/
public FileUploadDownloadClient(@Nullable SSLContext sslContext) {
if (sslContext == null) {
- sslContext = _defaultSSLContext;
+ sslContext = _defaultSSLContext != null ? _defaultSSLContext : SSLContexts.createDefault();
}
- _httpClient = HttpClients.custom().setSSLContext(sslContext).build();
+ // Set NoopHostnameVerifier to skip validating hostname when uploading/downloading segments.
+ SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
+ _httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
}
private static URI getURI(String protocol, String host, int port, String path)
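Review bot: The new `SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE)` turns hostname verification off for every client this constructor builds, including callers that pass their own `SSLContext`. Any certificate that chains to a trusted CA is then accepted whichever host presents it, so segment uploads and downloads lose their protection against an on-path impersonator. I would keep verification on by default with `new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier())` and select `NoopHostnameVerifier.INSTANCE` only behind an explicit, documented opt-out setting for deployments whose certificates lack matching names. If the opt-out stays unconditional, the comment should state the cost, e.g. `// WARNING: hostname verification disabled; the server certificate is not bound to the host we connect to.` The constructor's Javadoc begins outside this hunk, so I cannot tell whether it already documents this behaviour.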