Posted to commits@pinot.apache.org by jl...@apache.org on 2021/11/04 18:48:19 UTC

[pinot] branch fix-ssl-hostname-validator created (now 166dd01)

This is an automated email from the ASF dual-hosted git repository.

jlli pushed a change to branch fix-ssl-hostname-validator
in repository https://gitbox.apache.org/repos/asf/pinot.git.


      at 166dd01  Fix verifyHostname issue in FileUploadDownloadClient

This branch includes the following new commits:

     new 166dd01  Fix verifyHostname issue in FileUploadDownloadClient

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.




[pinot] 01/01: Fix verifyHostname issue in FileUploadDownloadClient

Posted by jl...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jlli pushed a commit to branch fix-ssl-hostname-validator
in repository https://gitbox.apache.org/repos/asf/pinot.git

commit 166dd011afde29cc946f49829031cfaaadb16002
Author: Jack Li(Analytics Engineering) <jl...@jlli-mn1.linkedin.biz>
AuthorDate: Thu Nov 4 11:47:42 2021 -0700

    Fix verifyHostname issue in FileUploadDownloadClient
---
 .../org/apache/pinot/common/utils/ClientSSLContextGenerator.java | 1 +
 .../org/apache/pinot/common/utils/FileUploadDownloadClient.java  | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
index eaf9978..a6d1abf 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
@@ -83,6 +83,7 @@ public class ClientSSLContextGenerator {
       sslContext = SSLContext.getInstance(SECURITY_ALGORITHM);
       sslContext.init(keyManagers, trustManagers, null);
     } catch (Exception e) {
+      LOGGER.error("Exception when generating SSLContext", e);
       Utils.rethrowException(e);
     }
     return sslContext;
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
index 9305d16..428a1ca 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java
@@ -49,6 +49,8 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ContentType;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.entity.mime.HttpMultipartMode;
@@ -60,6 +62,7 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.ssl.SSLContexts;
 import org.apache.http.util.EntityUtils;
 import org.apache.pinot.common.exception.HttpErrorStatusException;
 import org.apache.pinot.common.restlet.resources.StartReplaceSegmentsRequest;
@@ -141,9 +144,11 @@ public class FileUploadDownloadClient implements Closeable {
    */
   public FileUploadDownloadClient(@Nullable SSLContext sslContext) {
     if (sslContext == null) {
-      sslContext = _defaultSSLContext;
+      sslContext = _defaultSSLContext != null ? _defaultSSLContext : SSLContexts.createDefault();
     }
-    _httpClient = HttpClients.custom().setSSLContext(sslContext).build();
+    // Set NoopHostnameVerifier to skip validating hostname when uploading/downloading segments.
+    SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
+    _httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
   }
 
   private static URI getURI(String protocol, String host, int port, String path)
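Review bot: `NoopHostnameVerifier.INSTANCE` is installed unconditionally in the constructor, so every client built here accepts any certificate that chains to the trust store regardless of the host name it was issued for; segment upload/download stays encrypted, but the server's identity is no longer checked, even when the caller passed its own `sslContext`. I would keep the default verifier and make skipping an explicit opt-in, e.g. `HostnameVerifier hv = skipHostnameCheck ? NoopHostnameVerifier.INSTANCE : SSLConnectionSocketFactory.getDefaultHostnameVerifier();` followed by `new SSLConnectionSocketFactory(sslContext, hv)`, where `skipHostnameCheck` is a placeholder for a setting this commit does not define. If the underlying problem is certificates whose subject names do not match the hosts being contacted (not visible from this hunk), that is better fixed in the certificates, and the opt-out path should log a warning at client creation so the weakened mode is visible in operations. The inline comment should also state the trade-off rather than only the effect, for example `// WARNING: disables hostname verification; the peer is authenticated only by trust-store membership.`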
