Josh Elser created CALCITE-1904:
-----------------------------------
Summary: Support disabling SSL hostname verification
Key: CALCITE-1904
URL: https://issues.apache.org/jira/browse/CALCITE-1904
Project: Calcite
Issue Type: Improvement
Components: avatica
Reporter: Josh Elser
Assignee: Josh Elser
Fix For: avatica-1.11.0
Follow-on from CALCITE-1538:
In testing environments, it may be beneficial to disable the standard hostname
verification against SSL certificates: verification that the CommonName (CN) on
the certificate matches the hostname of the server. Presently, if the CN on the
certificate does not match the hostname, the client will see an error:
{noformat}
java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
at sqlline.Commands.connect(Commands.java:1064)
at sqlline.Commands.connect(Commands.java:996)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
at sqlline.SqlLine.dispatch(SqlLine.java:804)
at sqlline.SqlLine.initArgs(SqlLine.java:588)
at sqlline.SqlLine.begin(SqlLine.java:656)
at sqlline.SqlLine.start(SqlLine.java:398)
at sqlline.SqlLine.main(SqlLine.java:292)
at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
... 23 more
{noformat}
Avatica should expose an option to disable the (default) strict hostname
verifier.
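An added example, not part of the issue and not Avatica's code: how a client built on Apache HttpClient 4.5.x (the library behind the `SSLConnectionSocketFactory.verifyHostname` frame in the trace) could select its hostname verifier from an option while keeping strict verification as the default. The `VerificationMode` enum, class name and method names are hypothetical, and the example assumes httpclient 4.5.x is on the classpath.

```java
import java.util.Locale;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class HostnameVerificationExample {

  /** Hypothetical option values (assumption); not taken from Avatica. */
  enum VerificationMode { STRICT, NONE }

  /** Returns the strict verifier unless NONE was requested explicitly. */
  static HostnameVerifier verifierFor(VerificationMode mode) {
    if (mode == VerificationMode.NONE) {
      // Only the name check is skipped; the SSLContext's trust manager
      // still validates the certificate chain.
      System.err.println("WARNING: SSL hostname verification is disabled;"
          + " use only in test environments");
      return NoopHostnameVerifier.INSTANCE;
    }
    // Default: certificate names must match the host being contacted.
    return new DefaultHostnameVerifier();
  }

  /** Builds an HTTP client whose TLS sockets use the given verifier. */
  static CloseableHttpClient buildClient(HostnameVerifier verifier) {
    SSLContext sslContext = SSLContexts.createSystemDefault();
    SSLConnectionSocketFactory socketFactory =
        new SSLConnectionSocketFactory(sslContext, verifier);
    return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
  }

  public static void main(String[] args) throws Exception {
    // No argument means STRICT; an unknown value fails fast in valueOf().
    VerificationMode mode = args.length > 0
        ? VerificationMode.valueOf(args[0].toUpperCase(Locale.ROOT))
        : VerificationMode.STRICT;
    HostnameVerifier verifier = verifierFor(mode);
    try (CloseableHttpClient client = buildClient(verifier)) {
      System.out.println("Hostname verifier: " + verifier.getClass().getSimpleName());
    }
  }
}
```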