kishorekasi commented on a change in pull request #1678: Issue ##1333: TLS
handshake failure on certificate expiry
URL: https://github.com/apache/bookkeeper/pull/1678#discussion_r218618746
##########
File path:
bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java
##########
@@ -290,28 +253,46 @@ private void createServerContext(AbstractConfiguration
conf) throws SecurityExce
}
if
(!Strings.isNullOrEmpty(serverConf.getTLSKeyStorePasswordPath())) {
- keyPassword =
getPasswordFromFile(serverConf.getTLSKeyStorePasswordPath());
+ keyPassword =
TLSUtils.getPasswordFromFile(serverConf.getTLSKeyStorePasswordPath());
} else {
keyPassword = null;
}
- sslContextBuilder = SslContextBuilder
- .forServer(new
File(serverConf.getTLSCertificatePath()),
- new File(serverConf.getTLSKeyStore()), keyPassword)
- .ciphers(null)
- .sessionCacheSize(0)
- .sessionTimeout(0)
- .sslProvider(provider)
- .startTls(true);
+ X509Certificate certificate =
TLSUtils.getCertificate(serverConf.getTLSCertificatePath());
+ PrivateKey privateKey =
TLSUtils.getPrivateKey(serverConf.getTLSKeyStore(), keyPassword);
+
+ if (LOG.isInfoEnabled()) {
+ LOG.info("Using Credentials: {}",
TLSUtils.prettyPrintCertChain(certificate));
+ }
+
+ try {
+ if (!TLSUtils.verifyRSAKeyAndCertificateMatch(certificate,
privateKey)) {
+ throw new SecurityException("Key and Certificate do not
match");
+ }
+ } catch (IllegalArgumentException | NoSuchAlgorithmException e) {
+ throw new SecurityException("Failed to match Key with
Certificate", e);
+ }
+
+ sslContextBuilder = SslContextBuilder.forServer(privateKey,
certificate)
+ .ciphers(null)
Review comment:
Yeah, thats redundant. I will remove it.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
