[ https://issues.apache.org/jira/browse/CALCITE-1904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16102160#comment-16102160 ]

ASF GitHub Bot commented on CALCITE-1904:
-----------------------------------------

GitHub user joshelser opened a pull request:

    https://github.com/apache/calcite-avatica/pull/12

    CALCITE-1904 Allow SSL hostname verification to be turned off

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/joshelser/calcite-avatica 1904-hostname-verification-configuration

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/calcite-avatica/pull/12.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #12
    
----
commit fa7f9da0d7e623dadc0daa950cc196668477e5cc
Author: Josh Elser <els...@apache.org>
Date:   2017-07-26T19:27:20Z

    [CALCITE-1904] Allow SSL hostname verification to be turned off

----


> Support disabling SSL hostname verification
> -------------------------------------------
>
>                 Key: CALCITE-1904
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1904
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: avatica-1.11.0
>
>
> Follow-on from CALCITE-1538:
> In testing environments, it may be beneficial to disable the standard 
> hostname verification against SSL certificates: verification that the 
> CommonName (CN) on the certificate matches the hostname of the server. 
> Presently, if the CN on the certificate does not match the hostname, the 
> client will see an error:
> {noformat}
> java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
>         at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
>         at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
>         at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
>         at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
>         at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
>         at sqlline.Commands.connect(Commands.java:1064)
>         at sqlline.Commands.connect(Commands.java:996)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
>         at sqlline.SqlLine.dispatch(SqlLine.java:804)
>         at sqlline.SqlLine.initArgs(SqlLine.java:588)
>         at sqlline.SqlLine.begin(SqlLine.java:656)
>         at sqlline.SqlLine.start(SqlLine.java:398)
>         at sqlline.SqlLine.main(SqlLine.java:292)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>         at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
>         at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
>         at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
>         at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>         at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>         at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>         at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
>         at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
>         ... 23 more
> {noformat}
> Avatica should expose an option to disable the (default) strict hostname 
> verifier.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
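
As an added illustration (not code from the pull request or from Avatica), here is one way a client built on Apache HttpClient 4.4+ could expose the option the issue asks for while keeping strict verification as the default. The class name `VerifierChoice`, the `Mode` enum and its values are assumptions made for this sketch.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Hypothetical helper: picks the TLS hostname verifier from a single client setting. */
public final class VerifierChoice {
  /** Hypothetical setting values; STRICT is the default. */
  public enum Mode { STRICT, NONE }

  /** Unset or blank means STRICT; an unknown value throws instead of silently downgrading. */
  public static Mode parse(String raw) {
    if (raw == null || raw.trim().isEmpty()) {
      return Mode.STRICT;
    }
    return Mode.valueOf(raw.trim().toUpperCase(Locale.ROOT)); // IllegalArgumentException if unknown
  }

  public static HostnameVerifier verifierFor(Mode mode) {
    switch (mode) {
      case NONE:
        // Make the weakened setting visible in client output and logs.
        System.err.println("WARNING: TLS hostname verification is disabled (test environments only)");
        return NoopHostnameVerifier.INSTANCE;
      default:
        // Produces the SSLPeerUnverifiedException quoted above when the names do not match.
        return new DefaultHostnameVerifier();
    }
  }

  public static CloseableHttpClient build(String rawMode) throws NoSuchAlgorithmException {
    // The default SSLContext still validates the certificate chain against the
    // JVM trust store in both modes; only the name check is affected.
    SSLContext ctx = SSLContext.getDefault();
    SSLConnectionSocketFactory sslFactory =
        new SSLConnectionSocketFactory(ctx, verifierFor(parse(rawMode)));
    return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
  }

  public static void main(String[] args) throws Exception {
    String raw = args.length > 0 ? args[0] : null; // constructed input, e.g. "none"
    try (CloseableHttpClient client = build(raw)) {
      System.out.println("client built with hostname verification mode " + parse(raw));
    }
  }
}
```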
