YYTVicky commented on issue #11008: Update comment to tell user this is not secure URL: https://github.com/apache/beam/pull/11008#issuecomment-606099826 > I filled https://issues.apache.org/jira/browse/BEAM-9564 to remove this risky option since it seems we agree on this. I will open a PR for this soon. > I am going to close this ticket. Thanks for bringing awareness on this issue @YYTVicky Sorry for the late reply. The point I want to raise here is that maybe we can leave a template on the comment to help the user to implement it when using it (e.g.add the checking code on check-client trusted or checkservertrusted). A unified TLSv1.2 connection will be better since recent research showed that TLSv1.1 had a security issue. A workable template would like: ` new X509TrustManager(){ @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { for (final X509TrustManager trustManager : trustManagers) { try { trustManager.checkClientTrusted(chain, authType); return; } catch (final CertificateException e) { //LOGGER.debug(e.getMessage(), e); } } throw new CertificateException("None of the TrustManagers trust this certificate chain"); } @Override public X509Certificate[] getAcceptedIssuers() { for (final X509TrustManager trustManager : trustManagers) { final List<X509Certificate> list = Arrays.asList(trustManager.getAcceptedIssuers()); certificates.addAll(list); } return certificates.toArray(new X509Certificate[] {}); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{ if (chain == null) { throw new IllegalArgumentException("checkServerTrusted:x509Certificate array isnull"); } if (!(chain.length > 0)) { throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty"); } if (!(null != authType && authType.equalsIgnoreCase("RSA"))) { throw new CertificateException("checkServerTrusted: AuthType is not RSA"); } try { TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init((KeyStore) null); for (TrustManager trustManager : tmf.getTrustManagers()) { ((X509TrustManager) trustManager).checkServerTrusted(chain, authType); } } catch (Exception e) { throw new CertificateException(e); } RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey(); String encoded = new BigInteger(1 , pubkey.getEncoded()).toString(16); final boolean expected = PUB_KEY.equalsIgnoreCase(encoded); if (!expected) { throw new CertificateException("checkServerTrusted: Expected public key: " + PUB_KEY + ", got public key:" + encoded); } } }; `
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
