maytasm opened a new pull request #11538: URL: https://github.com/apache/druid/pull/11538
Fix hostname validation not skipping with `druid.client.https.validateHostnames=false` in java 8u275 and later

### Description

Hostname validation is not skipped even after setting `druid.client.https.validateHostnames=false` in Java 8u275 and later. This is due to a code change introduced in Java 8u275.

To disable hostname validation, Druid sets the endpointIdentificationAlgorithm of the SSLParameters in the SSLEngine to null (using the SSLEngine#setSSLParameters method). This is done in CustomCheckX509TrustManager#checkServerTrusted.

In 8u242, SSLEngine#setSSLParameters (https://github.com/openjdk/jdk8u/blob/b996dbe72ce338fdc430fbba1bb995ce622109e3/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java#L2102) simply gets the new endpointIdentificationAlgorithm from the given input SSLParameters (params) and sets it without any verification of the new endpointIdentificationAlgorithm value.

In 8u275, SSLEngine#setSSLParameters (https://github.com/openjdk/jdk8u/blob/37d4863386fb7fccb846f46b1bc85b4c61fe1c88/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java#L763) calls TransportContext#SSLConfiguration#setSSLParameters (https://github.com/openjdk/jdk8u/blob/37d4863386fb7fccb846f46b1bc85b4c61fe1c88/jdk/src/share/classes/sun/security/ssl/SSLConfiguration.java#L199). This method will not set endpointIdentificationAlgorithm to the new value if the new value is null (https://github.com/openjdk/jdk8u/blob/37d4863386fb7fccb846f46b1bc85b4c61fe1c88/jdk/src/share/classes/sun/security/ssl/SSLConfiguration.java#L231). Hence, the endpointIdentificationAlgorithm would remain as HTTPS and trigger hostname validation in X509TrustManagerImpl.

The code that determines whether or not to validate the hostname in X509TrustManagerImpl is actually the same pre and post 8u275, which is to validate the hostname if identityAlg != null && identityAlg.length() != 0 (note that the identityAlg variable is the EndpointIdentificationAlgorithm of the SSLParameters).
As a workaround, we can set EndpointIdentificationAlgorithm to an empty String instead. This will still cause the hostname validation to be skipped.

This PR has:

- [x] been self-reviewed.
- [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
- [ ] added integration tests.
- [x] been tested in a test Druid cluster.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
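The PR description above hinges on one JDK detail: SSLEngine#setSSLParameters silently ignores a null endpointIdentificationAlgorithm on 8u275 and later, while an empty string is accepted, and X509TrustManagerImpl only validates the hostname when the algorithm is non-null and non-empty. The following stand-alone probe, written here as an added example and not code from the PR or from Druid, makes that behaviour observable on whatever JDK it is run on: it applies each candidate value through the public SSLEngine API, reads back what the engine actually retained, and evaluates the same non-null/non-empty condition the description quotes. The class and method names (`EndpointIdentificationProbe`, `applyAndReadBack`, `wouldValidateHostname`) and the hostname `example.invalid` are assumptions chosen for this example; no connection is opened, so it runs offline.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdentificationProbe {

    // Mirrors the condition the PR description attributes to X509TrustManagerImpl:
    // hostname validation runs only when the algorithm is both non-null and non-empty.
    static boolean wouldValidateHostname(String identityAlg) {
        return identityAlg != null && identityAlg.length() != 0;
    }

    // Pushes a new endpointIdentificationAlgorithm through SSLEngine#setSSLParameters
    // and returns the value the engine actually holds afterwards. On JDKs that ignore
    // a null value this will differ from the value that was requested.
    static String applyAndReadBack(SSLEngine engine, String requestedAlg) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(requestedAlg);
        engine.setSSLParameters(params);
        return engine.getSSLParameters().getEndpointIdentificationAlgorithm();
    }

    static void report(String label, String requested, String retained) {
        System.out.printf("%-22s requested=%-8s retained=%-8s validatesHostname=%b%n",
                label, String.valueOf(requested), String.valueOf(retained),
                wouldValidateHostname(retained));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // A client-mode engine bound to a constructed, non-routable hostname; nothing is
        // sent on the wire, the engine is only used to inspect parameter handling.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine("example.invalid", 443);
        engine.setUseClientMode(true);

        // Baseline: the state a hardened client starts from, HTTPS endpoint identification on.
        String retained = applyAndReadBack(engine, "HTTPS");
        report("baseline", "HTTPS", retained);

        // Attempt 1: null, the value Druid relied on before 8u275. On 8u275 and later the
        // engine keeps the previous value, so hostname validation stays enabled.
        retained = applyAndReadBack(engine, null);
        report("set null", null, retained);

        // Attempt 2: empty string, the PR's workaround. Accepted by both old and new JDKs,
        // and it fails the non-null/non-empty test, so validation is actually skipped.
        retained = applyAndReadBack(engine, "");
        report("set empty string", "", retained);
    }
}
```

The useful part for an operator is the `retained` column: whenever a deployment turns off hostname verification for a test cluster, reading the parameter back is the only reliable way to confirm the setting took effect, because the request and the resulting engine state can disagree across JDK updates without any error being raised.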
