[ https://issues.apache.org/jira/browse/CALCITE-1904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16102160#comment-16102160 ]
ASF GitHub Bot commented on CALCITE-1904:
-----------------------------------------

GitHub user joshelser opened a pull request:

    https://github.com/apache/calcite-avatica/pull/12

    CALCITE-1904 Allow SSL hostname verification to be turned off

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/joshelser/calcite-avatica 1904-hostname-verification-configuration

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/calcite-avatica/pull/12.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #12

----
commit fa7f9da0d7e623dadc0daa950cc196668477e5cc
Author: Josh Elser <els...@apache.org>
Date:   2017-07-26T19:27:20Z

    [CALCITE-1904] Allow SSL hostname verification to be turned off

----

> Support disabling SSL hostname verification
> -------------------------------------------
>
>                 Key: CALCITE-1904
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1904
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: avatica-1.11.0
>
>
> Follow-on from CALCITE-1538:
> In testing environments, it may be beneficial to disable the standard
> hostname verification against SSL certificates: verification that the
> CommonName (CN) on the certificate matches the hostname of the server.
> Presently, if the CN on the certificate does not match the hostname, the
> client will see an error:
> {noformat}
> java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>     at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
>     at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
>     at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
>     at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
>     at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
>     at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
>     at sqlline.Commands.connect(Commands.java:1064)
>     at sqlline.Commands.connect(Commands.java:996)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
>     at sqlline.SqlLine.dispatch(SqlLine.java:804)
>     at sqlline.SqlLine.initArgs(SqlLine.java:588)
>     at sqlline.SqlLine.begin(SqlLine.java:656)
>     at sqlline.SqlLine.start(SqlLine.java:398)
>     at sqlline.SqlLine.main(SqlLine.java:292)
>     at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
>     at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>     at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
>     at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
>     at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
>     at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
>     at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
>     at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
>     at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
>     at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
>     at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
>     at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
>     at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
>     at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>     at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
>     at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
>     ... 23 more
> {noformat}
> Avatica should expose an option to disable the (default) strict hostname
> verifier.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
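
An added example, not code from the pull request or from Avatica: one way a client built on Apache HttpClient 4.4+ (the library whose SSLConnectionSocketFactory appears, shaded, in the stack trace above) can make the hostname verifier selectable while keeping strict verification as the default. The Mode enum, the method names and the setting values are hypothetical, and the unshaded org.apache.http package names are assumed.

```java
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class HostnameVerificationExample {
  /** Hypothetical setting values; not taken from the Avatica code base. */
  enum Mode { STRICT, NONE }

  /** Absent or blank means STRICT; an unrecognised value is rejected, never treated as NONE. */
  static Mode parseMode(String raw) {
    if (raw == null || raw.trim().isEmpty()) {
      return Mode.STRICT;
    }
    // valueOf throws IllegalArgumentException on anything but STRICT or NONE.
    return Mode.valueOf(raw.trim().toUpperCase(Locale.ROOT));
  }

  static HostnameVerifier verifierFor(Mode mode) {
    if (mode == Mode.NONE) {
      // The certificate chain is still validated against the trust store;
      // only the name check that raised SSLPeerUnverifiedException is skipped.
      System.err.println("WARN: TLS hostname verification is disabled");
      return NoopHostnameVerifier.INSTANCE;
    }
    // Compares the requested host name with the names in the peer certificate.
    return new DefaultHostnameVerifier();
  }

  static CloseableHttpClient buildClient(SSLContext ctx, Mode mode) {
    SSLConnectionSocketFactory factory =
        new SSLConnectionSocketFactory(ctx, verifierFor(mode));
    return HttpClients.custom().setSSLSocketFactory(factory).build();
  }

  public static void main(String[] args) throws Exception {
    Mode mode = parseMode(args.length > 0 ? args[0] : null);
    try (CloseableHttpClient client = buildClient(SSLContext.getDefault(), mode)) {
      System.out.println("hostname verification mode: " + mode);
    }
  }
}
```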