Github user anmolnar commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/184#discussion_r194365379 --- Diff: src/java/main/org/apache/zookeeper/common/ZKTrustManager.java --- @@ -0,0 +1,144 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.zookeeper.common; + +import org.apache.http.conn.ssl.DefaultHostnameVerifier; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLException; +import javax.net.ssl.X509ExtendedTrustManager; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +/** + * A custom TrustManager that supports hostname verification via org.apache.http.conn.ssl.DefaultHostnameVerifier. + * + * We attempt to perform verification using just the IP address first and if that fails will attempt to perform a + * reverse DNS lookup and verify using the hostname. + */ +public class ZKTrustManager extends X509ExtendedTrustManager { + + private static final Logger LOG = LoggerFactory.getLogger(ZKTrustManager.class); + + private X509ExtendedTrustManager x509ExtendedTrustManager; + private boolean hostnameVerificationEnabled; + private boolean shouldVerifyClientHostname; + + private DefaultHostnameVerifier hostnameVerifier; + + /** + * Instantiate a new ZKTrustManager. + * + * @param x509ExtendedTrustManager The trustmanager to use for checkClientTrusted/checkServerTrusted logic + * @param verifySSLServerHostname If true, this TrustManager should verify hostnames of servers that this + * instance connects to. + * @param verifySSLClientHostname If true, and verifySSLServerHostname is true, the hostname of a client + * connecting to this machine will be verified in addition to the servers that this + * instance connects to. If false, and verifySSLServerHostname is true, only + * the hostnames of servers that this instance connects to will be verified. If + * verifySSLServerHostname is false, this argument is ignored. + */ + public ZKTrustManager(X509ExtendedTrustManager x509ExtendedTrustManager, boolean verifySSLServerHostname, + boolean verifySSLClientHostname) { + this.x509ExtendedTrustManager = x509ExtendedTrustManager; + this.hostnameVerificationEnabled = verifySSLServerHostname; + this.shouldVerifyClientHostname = verifySSLClientHostname; + + hostnameVerifier = new DefaultHostnameVerifier(); + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return x509ExtendedTrustManager.getAcceptedIssuers(); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { + if (hostnameVerificationEnabled && shouldVerifyClientHostname) { + performHostVerification(socket.getInetAddress(), chain[0]); + } + x509ExtendedTrustManager.checkClientTrusted(chain, authType, socket); --- End diff -- Makes sense, I'll do the change.
---