This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 5070b14 [Issue 2793][Doc]--Update the TLS hostname verification for
CPP and Python clients (#7162)
5070b14 is described below
commit 5070b143eb0bde72368605df280b305304199376
Author: HuanliMeng <[email protected]>
AuthorDate: Fri Jun 5 09:26:47 2020 +0800
[Issue 2793][Doc]--Update the TLS hostname verification for CPP and Python
clients (#7162)
Main updates:
1: update the TLS hostname verification code example for C++ and Python
clients.
2: fix link errors.
3: arrange doc heading levels.
---
site2/docs/security-tls-transport.md | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/site2/docs/security-tls-transport.md
b/site2/docs/security-tls-transport.md
index 7ee0a71..8dbe5fb 100644
--- a/site2/docs/security-tls-transport.md
+++ b/site2/docs/security-tls-transport.md
@@ -168,7 +168,7 @@ When you enable the TLS transport encryption, you need to
configure the client t
As the server certificate that you generated above does not belong to any of
the default trust chains, you also need to either specify the path the **trust
cert** (recommended), or tell the client to allow untrusted server certs.
-#### Hostname verification
+### Hostname verification
Hostname verification is a TLS security feature whereby a client can refuse to
connect to a server if the "CommonName" does not match the hostname to which
the hostname is connecting. By default, Pulsar clients disable hostname
verification, as it requires that each broker has a DNS record and a unique
cert.
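Review bot: the context paragraph under the promoted heading says the client refuses to connect if the "CommonName" does not match "the hostname to which the hostname is connecting"; the second "hostname" should be "client". Since this commit is specifically about the hostname verification docs, fix that sentence in the same change so the definition readers land on is correct.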
@@ -180,7 +180,7 @@ The examples below show hostname verification being
disabled for the Java client
### CLI tools
-[Command-line tools](reference-cli-tools.md) like
[`pulsar-admin`](reference-cli-tools#pulsar-admin),
[`pulsar-perf`](reference-cli-tools#pulsar-perf), and
[`pulsar-client`](reference-cli-tools#pulsar-client) use the `conf/client.conf`
config file in a Pulsar installation.
+[Command-line tools](reference-cli-tools.md) like
[`pulsar-admin`](reference-cli-tools.md#pulsar-admin),
[`pulsar-perf`](reference-cli-tools.md#pulsar-perf), and
[`pulsar-client`](reference-cli-tools.md#pulsar-client) use the
`conf/client.conf` config file in a Pulsar installation.
You need to add the following parameters to that file to use TLS transport
with the CLI tools of Pulsar:
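Review bot: the sentence in this hunk's header still reads "The examples below show hostname verification being disabled", but the same commit adds `tls_hostname_verification=True` to the Python example and `config.setValidateHostName(true)` to the C++ example. Update that sentence to say which examples enable verification and which leave it off, otherwise the prose and the code disagree on a security setting.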
@@ -193,7 +193,7 @@ tlsTrustCertsFilePath=/path/to/ca.cert.pem
tlsEnableHostnameVerification=false
```
-### Java client
+#### Java client
```java
import org.apache.pulsar.client.api.PulsarClient;
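Review bot: demoting `Java client` to `####` while `### CLI tools` stays at `###` makes the Java client section, and the other client sections demoted later in this patch, render as subsections of "CLI tools". Either keep the client headings at `###` or add a parent heading above them that is not the CLI section.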
@@ -207,30 +207,31 @@ PulsarClient client = PulsarClient.builder()
.build();
```
-### Python client
+#### Python client
```python
from pulsar import Client
client = Client("pulsar+ssl://broker.example.com:6651/",
+ tls_hostname_verification=True,
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False) // defaults to false from
v2.2.0 onwards
```
-### C++ client
+#### C++ client
```c++
#include <pulsar/Client.h>
-pulsar::ClientConfiguration config;
-config.setUseTls(true);
-config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
-config.setTlsAllowInsecureConnection(false); // defaults to false from v2.2.0
onwards
-
-pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);
+ClientConfiguration config = ClientConfiguration();
+config.setUseTls(true); // shouldn't be needed soon
+config.setTlsTrustCertsFilePath(caPath);
+config.setTlsAllowInsecureConnection(false);
+config.setAuth(pulsar::AuthTls::create(clientPublicKeyPath,
clientPrivateKeyPath));
+config.setValidateHostName(true);
```
-### Node.js client
+#### Node.js client
```JavaScript
const Pulsar = require('pulsar-client');
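Review bot: the new C++ example never constructs a client: the removed `pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);` line has no replacement, and `caPath`, `clientPublicKeyPath` and `clientPrivateKeyPath` are used without being defined. Suggest keeping the client construction and literal placeholder paths as the Python example does, qualifying `ClientConfiguration` with `pulsar::` the same way `pulsar::AuthTls` is, and dropping the `setAuth(...)` line unless security-tls-transport.md is meant to cover TLS authentication as well as transport encryption. The comment `// shouldn't be needed soon` gives the reader no condition to act on; say when `setUseTls(true)` can be omitted or remove the comment. In the Python example, the call touched here still ends with a `//` comment, which is not valid Python and should use `#`.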
@@ -243,7 +244,7 @@ const Pulsar = require('pulsar-client');
})();
```
-### C# client
+#### C# client
```c#
var certificate = new X509Certificate2("ca.cert.pem");