This is an automated email from the ASF dual-hosted git repository.

ivank pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.wiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 2f57a79  Updated PIP 20: Mechanism to revoke TLS authentication 
(markdown)
2f57a79 is described below

commit 2f57a79895ea86cfe1e3716b8639a841d22b9a87
Author: Ivan Kelly <[email protected]>
AuthorDate: Tue Aug 7 10:13:43 2018 +0200

    Updated PIP 20: Mechanism to revoke TLS authentication (markdown)
---
 PIP-20:-Mechanism-to-revoke-TLS-authentication.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PIP-20:-Mechanism-to-revoke-TLS-authentication.md 
b/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
index 1963187..7f598e8 100644
--- a/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
+++ b/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
@@ -1,7 +1,7 @@
 - **Status**: Proposed
 - **Author**: [Ivan Kelly](https://github.com/ivankelly)
 - **Pull Request**: -
-- **Mailing List discussion**: -
+- **Mailing List discussion**: 
https://lists.apache.org/thread.html/ac70badf3648cb4287a483b9ee75d7cf599126bba9e45f30acbb7ba4@%3Cdev.pulsar.apache.org%3E
 
 # Motivation
 
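Review bot: The new **Mailing List discussion** line is a bare URL containing `@%3C...%3E`, which not every Markdown renderer will auto-link in full. Suggest writing it as an explicit link, the way the **Author** line above does, for example `[dev@pulsar thread](https://lists.apache.org/thread.html/...)`. The **Pull Request** field is still `-`; if the linked demo commit is meant to serve as the reference implementation, say so there.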
@@ -41,4 +41,4 @@ The following changes are needed.
 3. SecurityUtility.java should wrap all TrustManagers in a wrapper, that, 
after calling the parent method, checks the subject key identifier against the 
revoked list. The trust managers are used by both jetty and netty connections 
for negotiation (see 
[demo](https://github.com/ivankelly/incubator-pulsar/commit/216c0c9ea22fb8431c2c5f1c9f597183ee400981)).
 4. Each service watches the list, and on update checks all existing 
connections:
     - For netty, each TLS channel should be added to a ChannelGroup which we 
can iterate over. To check a channel, the peer cert can be retrieved by 
```channel.getPipeline().getHandler(SslHandler.class).getEngine().getSession().getPeerCertificateChain()```.
-    - For jetty, all connections can be retrieved with 
```getConnectedEndpoint()```. The ```Connection``` objects can be accessed from 
the returned list, and checked if they are instances of ```SSLConnection```. 
Once you have an ```SSLConnection```, the peer cert can be accessed via 
```sslconn.getEngine().getSession().getPeerCerificateChain()```.
+    - For jetty, all connections can be retrieved with 
```getConnectedEndpoint()```. The ```Connection``` objects can be accessed from 
the returned list, and checked if they are instances of ```SSLConnection```. 
Once you have an ```SSLConnection```, the peer cert can be accessed via 
```sslconn.getEngine().getSession().getPeerCertificateChain()```.
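Review bot: In the jetty bullet (and the unchanged netty bullet above it), `getSession().getPeerCertificateChain()` is the deprecated `SSLSession` accessor that returns `javax.security.cert.X509Certificate[]`, a type with no extension accessors, so the subject key identifier that item 3 checks against the revoked list cannot be read from it directly. Suggest pointing both bullets at `getSession().getPeerCertificates()` and casting the entries to `java.security.cert.X509Certificate`, where `getExtensionValue("2.5.29.14")` returns the subject key identifier extension. Both calls throw `SSLPeerUnverifiedException` when the peer presented no certificate, so the text should also say how the re-check treats such a connection. The inline code here uses triple backticks; single backticks are the usual Markdown form for inline spans.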
