Ferenc Erdelyi created HADOOP-19927:
---------------------------------------
Summary: Add unit test for HttpServer2 mTLS enforcement via
ssl.server.need.client.auth
Key: HADOOP-19927
URL: https://issues.apache.org/jira/browse/HADOOP-19927
Project: Hadoop Common
Issue Type: Test
Reporter: Ferenc Erdelyi
HttpServer2 supports mutual TLS (mTLS) via the ssl.server.need.client.auth
configuration key in ssl-server.xml. When this is set to true, the Jetty
SslContextFactory is configured to require a client certificate, which is then
validated against the
server-side truststore (ssl.server.truststore.*).
However, this code path has no unit test coverage. Existing tests in
TestSSLHttpServer always set useClientCert=false and never call
.needsClientAuth(true) on the builder, so the following behaviours are untested:
- A client whose certificate is present in the server's truststore is
accepted.
- A client whose certificate is NOT present in the server's truststore is
rejected with a TLS handshake failure.
This JIRA adds TestSSLHttpServerMTLS, a focused integration test that:
1. Starts an HttpServer2 HTTPS server with needsClientAuth=true and a
truststore loaded from ssl-server.xml.
2. Verifies that a trusted client (cert in the server truststore) receives
HTTP 200.
3. Verifies that an untrusted client (cert not in the server truststore)
receives an SSLHandshakeException.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]