[GitHub] [knox] risdenk commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements

Fri, 15 Mar 2019 07:05:52 -0700 

risdenk commented on a change in pull request #74: KNOX-1111 - 2-way SSL 
Truststore and Keystore Improvements
URL: https://github.com/apache/knox/pull/74#discussion_r265993352
 
 

 ##########
 File path: 
gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/DefaultHttpClientFactory.java
 ##########
 @@ -76,28 +77,14 @@ public HttpClient createHttpClient(FilterConfig 
filterConfig) {
     } else {
       builder = HttpClients.custom();
     }
-    if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
-      AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
-      KeystoreService ks = 
services.getService(GatewayServices.KEYSTORE_SERVICE);
-      final SSLContext sslcontext;
-      try {
-        KeyStore identityKeystore = ks.getKeystoreForGateway();
-        char[] identityKeyPassphrase = as.getGatewayIdentityPassphrase();
 
-        // The trustKeystore will be the same as the identityKeystore if a 
truststore was not explicitly
-        // configured in gateway-site (gateway.truststore.password.alias, 
gateway.truststore.path, gateway.truststore.type)
-        // This was the behavior before KNOX-1812
-        KeyStore trustKeystore = ks.getTruststoreForHttpClient();
-
-        sslcontext = SSLContexts.custom()
-            .loadTrustMaterial(trustKeystore, new TrustSelfSignedStrategy())
-            .loadKeyMaterial(identityKeystore, identityKeyPassphrase)
-            .build();
-      } catch (Exception e) {
-        throw new IllegalArgumentException("Unable to create SSLContext", e);
-      }
-      builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext));
+    // Conditionally set a custom SSLContext
+    boolean useTwoWaySsl = 
Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"));
+    SSLContext sslContext = createSSLContext(services, useTwoWaySsl);
 
 Review comment:
   So to be more "future proof", can we send in the filterConfig and move the 
boolean into the createSSLContext? This way we can use other filterconfig items 
later if needed to configure the SSLContext

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to