[ https://issues.apache.org/jira/browse/KNOX-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vincent Devillers updated KNOX-903:
-----------------------------------
    Description: 
A TrustStrategy of TrustSelfSignedStrategy is being used while setting up HTTP 
clients to communicate with Knox over SSL.

In the Hadoop class it should be:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {
{code}
instead of:
{code:java}
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {
{code}
The trustStrategy must be null in order to keep the default X509TrustManager 
defined for the default SSL algorithm.

  was: A TrustStrategy of TrustSelfSignedStrategy is being used while setting up 
HTTP clients to communicate with Knox over SSL.


> KnoxShell allows self signed certs to be used without any checks
> ----------------------------------------------------------------
>
>                 Key: KNOX-903
>                 URL: https://issues.apache.org/jira/browse/KNOX-903
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxShell
>    Affects Versions: 0.12.0
>            Reporter: Sumit Gupta
>            Priority: Critical
>             Fix For: 0.12.0
>
>
> A TrustStrategy of TrustSelfSignedStrategy is being used while setting up 
> HTTP clients to communicate with Knox over SSL.
> In the Hadoop class it should be:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
>   hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>   trustStrategy = null;
> } else {
> {code}
> instead of:
> {code:java}
> HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> if (clientContext.connection().secure()) {
>   hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> } else {
> {code}
> The trustStrategy must be null in order to keep the default X509TrustManager 
> defined for the default SSL algorithm.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
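
The selection logic proposed in the description, completed into a stand-alone class as an added example (not part of the issue and not Knox's own code). It assumes Apache HttpClient 4.5.x on the classpath; the class name `TrustStrategyDemo`, the helper `socketFactory` and its `secure` parameter (standing in for `clientContext.connection().secure()`) are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

public class TrustStrategyDemo {

  // Hypothetical helper: 'secure' stands in for clientContext.connection().secure().
  static SSLConnectionSocketFactory socketFactory(boolean secure)
      throws GeneralSecurityException {
    HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
    if (secure) {
      hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
      // No override strategy: the default X509TrustManager validates the chain.
      trustStrategy = null;
    }
    // A null KeyStore makes the builder use the JVM's default trust store.
    SSLContext sslContext = SSLContextBuilder.create()
        .loadTrustMaterial((KeyStore) null, trustStrategy)
        .build();
    return new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
  }

  public static void main(String[] args) throws Exception {
    // Constructed placeholder chains: HttpClient 4.x's TrustSelfSignedStrategy
    // looks only at the chain length, never at the certificates themselves.
    X509Certificate[] oneCert = new X509Certificate[1];
    X509Certificate[] twoCerts = new X509Certificate[2];
    System.out.println("1-cert chain trusted by strategy: "
        + TrustSelfSignedStrategy.INSTANCE.isTrusted(oneCert, "RSA"));
    System.out.println("2-cert chain trusted by strategy: "
        + TrustSelfSignedStrategy.INSTANCE.isTrusted(twoCerts, "RSA"));

    // Build both variants to confirm the null strategy is accepted by the builder.
    socketFactory(true);   // default trust manager + default hostname verifier
    socketFactory(false);  // self-signed strategy + no hostname verification
    System.out.println("both socket factories built");
  }
}
```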
