This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new 2fdf440562 [KYUUBI #7008] Backport HIVE-27817: Disable ssl hostname verification for 127.0.0.1
2fdf440562 is described below

commit 2fdf4405628e114f0d05d91015f3323a97ead4f9
Author: Wang, Fei <[email protected]>
AuthorDate: Tue Apr 1 13:47:55 2025 +0800

    [KYUUBI #7008] Backport HIVE-27817: Disable ssl hostname verification for 127.0.0.1
    
    ### Why are the changes needed?
    
    Backport https://github.com/apache/hive/pull/4823
    
    We need to setup production tunnel because we can't connect to production environment directly:
    
    ```
    ssh -fN -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -L 127.0.0.1:10001:hiveserver2.prod.company.com:10001 bastion.company.com
    
    JDBC url: jdbc:hive2://127.0.0.1:10001/default;ssl=true
    ```
    
    But it will throw exception after [HIVE-15025](https://issues.apache.org/jira/browse/HIVE-15025):
    
    ```
    Exception in thread "main" java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://localhost:10001/default;ssl=true: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
            at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:224)
            at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
            at java.sql.DriverManager.getConnection(DriverManager.java:664)
            at java.sql.DriverManager.getConnection(DriverManager.java:247)
            at org.apache.spark.sql.TestJDBC$.main(TestJDBC.scala:47)
            at org.apache.spark.sql.TestJDBC.main(TestJDBC.scala)
    Caused by: org.apache.hive.org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
            at org.apache.hive.org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
            at org.apache.hive.org.apache.thrift.transport.TSaslTransport.sendSaslMessage(TSaslTransport.java:166)
            at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:100)
            at org.apache.hive.org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
            at org.apache.hive.org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
            at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:311)
            at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:196)
            ... 5 more
    ```
    This PR disables ssl hostname verification for 127.0.0.1 to workaround this issue.
    
    ### How was this patch tested?
    
    Manual test.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No.
    
    Closes #7008 from turboFei/ssl.
    
    Closes #7008
    
    6ae1b7b82 [Wang, Fei] Backport HIVE-27817: Disable ssl hostname verification for 127.0.0.1
    
    Authored-by: Wang, Fei <[email protected]>
    Signed-off-by: Cheng Pan <[email protected]>
---
 .../src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git 
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
 
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
index 331b871e08..8e853ad037 100644
--- 
a/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
+++ 
b/kyuubi-hive-jdbc/src/main/java/org/apache/kyuubi/jdbc/hive/auth/ThriftUtils.java
@@ -116,7 +116,11 @@ public class ThriftUtils {
       throws TTransportException {
     SSLSocket sslSocket = (SSLSocket) tSSLSocket.getSocket();
     SSLParameters sslParams = sslSocket.getSSLParameters();
-    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+    if (sslSocket.getLocalAddress().getHostAddress().equals("127.0.0.1")) {
+      sslParams.setEndpointIdentificationAlgorithm(null);
+    } else {
+      sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+    }
     sslSocket.setSSLParameters(sslParams);
     TSocket tSocket = new TSocket(sslSocket);
     return configureThriftMaxMessageSize(tSocket, maxMessageSize);
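Review bot: the new guard tests the socket's local address rather than the peer the user asked for, so `sslSocket.getLocalAddress().getHostAddress().equals("127.0.0.1")` switches off endpoint identification for every connection that leaves through the IPv4 loopback interface, while a JDBC URL naming `localhost` that resolves to `::1` (the `No subject alternative DNS name matching localhost found` case quoted in the commit message) still gets "HTTPS" and still fails. Consider keying the exception on the host configured in the JDBC URL (or at least on the remote side, `sslSocket.getInetAddress().isLoopbackAddress()`), and add a comment above the `if` recording that this is an SSH-tunnel carve-out which drops only hostname matching while certificate chain validation still applies; a unit test covering both branches would also help, since the commit message records only a manual test.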
