[ 
https://issues.apache.org/jira/browse/HADOOP-19927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated HADOOP-19927:
------------------------------------
    Labels: pull-request-available  (was: )

> Add unit test for HttpServer2 mTLS enforcement via ssl.server.need.client.auth
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-19927
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19927
>             Project: Hadoop Common
>          Issue Type: Test
>            Reporter: Ferenc Erdelyi
>            Assignee: Ferenc Erdelyi
>            Priority: Minor
>              Labels: pull-request-available
>
> HttpServer2 supports mutual TLS (mTLS) via the ssl.server.need.client.auth 
> configuration key in ssl-server.xml. When this is set to true, the Jetty 
> SslContextFactory is configured to require a client certificate, which is 
> then validated against the
>   server-side truststore (ssl.server.truststore.*).
>  
>   However, this code path has no unit test coverage. Existing tests in 
> TestSSLHttpServer always set useClientCert=false and never call 
> .needsClientAuth(true) on the builder, so the following behaviours are 
> untested:
>   - A client whose certificate is present in the server's truststore is 
> accepted.
>   - A client whose certificate is NOT present in the server's truststore is 
> rejected with a TLS handshake failure.
>  
>   This JIRA adds TestSSLHttpServerMTLS, a focused integration test that:
>   1. Starts an HttpServer2 HTTPS server with needsClientAuth=true and a 
> truststore loaded from ssl-server.xml.
>   2. Verifies that a trusted client (cert in the server truststore) receives 
> HTTP 200.
>   3. Verifies that an untrusted client (cert not in the server truststore) 
> receives an SSLHandshakeException.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to