clintropolis commented on a change in pull request #6432: Allow custom TLS cert checks
URL: https://github.com/apache/incubator-druid/pull/6432#discussion_r227585611
##########
File path:
server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java
##########
@@ -471,4 +479,41 @@ public boolean doMonitor(ServiceEmitter emitter)
return true;
}
}
+
+ private static class IdentityCheckOverrideSslContextFactory extends
SslContextFactory
+ {
+ private final TLSServerConfig tlsServerConfig;
+ private final TLSCertificateChecker certificateChecker;
+
+ public IdentityCheckOverrideSslContextFactory(
+ TLSServerConfig tlsServerConfig,
+ TLSCertificateChecker certificateChecker
+ )
+ {
+ super(false);
+ this.tlsServerConfig = tlsServerConfig;
+ this.certificateChecker = certificateChecker;
+ }
+
+ @Override
+ protected TrustManager[] getTrustManagers(
+ KeyStore trustStore, Collection<? extends CRL> crls
+ ) throws Exception
+ {
+ TrustManager[] trustManagers = super.getTrustManagers(trustStore, crls);
+ TrustManager[] newTrustManagers = new TrustManager[trustManagers.length];
+
+ for (int i = 0; i < trustManagers.length; i++) {
+ if (trustManagers[i] instanceof X509ExtendedTrustManager) {
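Review bot: In the `getTrustManagers` loop, `newTrustManagers` is allocated with `trustManagers.length` slots, but the visible lines only handle entries that pass the `instanceof X509ExtendedTrustManager` check, so any other entry leaves a null slot unless a branch outside the quoted lines fills it. Make the fallback explicit: either copy the original manager through unchanged, or throw with a clear message if a manager that cannot be wrapped is unexpected here. If managers are passed through unwrapped, note in a comment or log line that the `TLSCertificateChecker` is not applied to them, since connections validated by such a manager would skip the custom check. A short Javadoc on `IdentityCheckOverrideSslContextFactory` saying why it overrides `getTrustManagers`, and what the `false` passed to `super(false)` selects, would also help readers of this class.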
Review comment:
Would it be harmful to just leave non `X509ExtendedTrustManager`
implementations in this list with an `else` that doesn't wrap them in the
`CustomCheckX509TrustManager` and just adds them to `newTrustManagers` as is?