Thanks for the catch Larry and Vincent. This may have been a merge issue on my part as well. In any case I agree that the release cannot go out with this bug. My vote is also -1. I'll cancel the vote and file a JIRA for the issue to be fixed.
Thanks everyone for testing the RC and stay tuned for the next one.

Sumit.

On 3/8/17, 1:19 PM, "Vincent Devillers" <[email protected]> wrote:

>@larry
>
>You are right, in the Hadoop class it should be:
>
>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>if (clientContext.connection().secure()) {
>    hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>    trustStrategy = null;
>} else {
>
>instead of:
>
>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>if (clientContext.connection().secure()) {
>    hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>} else {
>
>The trustStrategy must be null in order to keep the default
>X509TrustManager defined for the default ssl algorithm.
>My bad...
>
>*Vincent Devillers*
>
>tel.: +33 615053430
>email: [email protected]
>blog: https://blog.layer4.fr
>
>2017-03-08 18:37 GMT+01:00 larry mccay <[email protected]>:
>
>> Unfortunately, I have found what I view as a showstopper.
>> We had a regression in the knoxshell with respect to requiring proper trust
>> of the cert presented by the gateway.
>> Somewhere along the line the TrustSelfSignedStrategy was added back and
>> self-signed certs now get a free pass.
>> This needs to be fixed to protect against MITM attacks, etc.
>>
>> Here is my -1.
>>
>>
>> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <[email protected]> wrote:
>>
>> > +1 (non-binding)
>> >
>> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
>> > * Verified that Knox Solr service definition was able to connect to
>> >   Kerberized Solr
>> > * Verified both API and UI
>> > * Verified basic auth through LDAP works
>> >
>> > Kevin Risden
>> >
>> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <[email protected]> wrote:
>> >
>> > > Thanks Sumit for setting up the release!
>> > >
>> > > +1 (binding)
>> > >
>> > > * Downloaded and built from source (with Java 1.8.0_101)
>> > > * Checked LICENSE and NOTICE files
>> > > * Verified GPG/MD5/SHA signatures
>> > > * Installed pseudo-distributed instance (Mac OS X)
>> > > * Ran through knox tests
>> > > * Checked websocket functionality
>> > > * Checked JavaScript compression (Ambari UI)
>> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
>> > >
>> > > :-) My first binding vote
>> > >
>> > > Best,
>> > > Sandeep
>> > >
>> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <[email protected]> wrote:
>> > >
>> > > > A candidate for the Apache Knox 0.12.0 release is available at:
>> > > >
>> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
>> > > >
>> > > > The release candidate is a zip archive of the sources in:
>> > > >
>> > > > https://git-wip-us.apache.org/repos/asf/knox.git
>> > > > Branch v0.12.0 (git checkout -b v0.12.0)
>> > > >
>> > > > The KEYS file for signature validation is available at:
>> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
>> > > >
>> > > > Please vote on releasing this package as Apache Knox 0.12.0.
>> > > > The vote is open for the next 72 hours and passes if a majority of at
>> > > > least three +1 Apache Knox PMC votes are cast.
>> > > >
>> > > > [ ] +1 Release this package as Apache Knox 0.12.0
>> > > > [ ] -1 Do not release this package because...
>> > > >
>> > >
>> >
>>
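The trust-strategy point Vincent and Larry raise above, shown as complete HttpClient wiring so the two variants can be compared side by side. This is an added example and not code from the thread or from Knox itself; it assumes Apache HttpClient 4.4 or later (SSLContextBuilder, NoopHostnameVerifier.INSTANCE, SSLConnectionSocketFactory.getDefaultHostnameVerifier()), replaces Knox's clientContext.connection().secure() with a plain boolean parameter, and the class and method names (GatewayTrustExample, buildClient, buildRegressedClient, rejectsUntrustedGateway) are the example's own.

```java
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

/**
 * Added example (not Knox code). The "secure" flag stands in for
 * Knox's clientContext.connection().secure().
 */
public final class GatewayTrustExample {

    /** Corrected wiring: when secure, default hostname check and default trust manager. */
    public static CloseableHttpClient buildClient(boolean secure) throws Exception {
        HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        if (secure) {
            hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            // null: SSLContextBuilder leaves the JVM's default X509TrustManager
            // unwrapped, so the server chain must validate against the trust store.
            trustStrategy = null;
        }
        return build(hostnameVerifier, trustStrategy);
    }

    /** Regressed wiring: hostname check restored, but TrustSelfSignedStrategy kept. */
    public static CloseableHttpClient buildRegressedClient(boolean secure) throws Exception {
        HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        if (secure) {
            hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            // trustStrategy is still TrustSelfSignedStrategy: SSLContextBuilder wraps the
            // default trust manager and any single-certificate chain is accepted as-is.
        }
        return build(hostnameVerifier, trustStrategy);
    }

    private static CloseableHttpClient build(HostnameVerifier hv, TrustStrategy ts) throws Exception {
        // A null KeyStore means "use the JVM default trust store".
        SSLContext ctx = SSLContextBuilder.create()
                .loadTrustMaterial((KeyStore) null, ts)
                .build();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(ctx, hv);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /**
     * Regression check for the failure mode from the thread: against a gateway
     * whose certificate is not in the trust store (e.g. self-signed), the secure
     * client must refuse the handshake. Returns true when it was refused.
     */
    public static boolean rejectsUntrustedGateway(String url) throws Exception {
        try (CloseableHttpClient client = buildClient(true);
             CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return false; // handshake succeeded: the chain validated against the trust store
        } catch (SSLException e) {
            // Covers both chain validation failures and hostname mismatches.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: GatewayTrustExample https://gateway-host:8443/");
            return;
        }
        System.out.println("secure client rejected untrusted certificate: "
                + rejectsUntrustedGateway(args[0]));
    }
}
```

Run it against a test gateway that presents a self-signed certificate: the corrected client should report true, while swapping buildClient for buildRegressedClient in rejectsUntrustedGateway reports false, which is exactly the "free pass" the regression reintroduced.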
