[ https://issues.apache.org/jira/browse/CALCITE-1904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16102481#comment-16102481 ]
ASF GitHub Bot commented on CALCITE-1904:
-----------------------------------------
Github user julianhyde commented on the issue:
https://github.com/apache/calcite-avatica/pull/12
+1
It's cosmetic, but I'd shorten
`SslCertificateHostnameVerificationConfigurable` to say
`HostnameVerificationConfigurable` to avoid very long lines.
> Support disabling SSL hostname verification
> -------------------------------------------
>
> Key: CALCITE-1904
> URL: https://issues.apache.org/jira/browse/CALCITE-1904
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: avatica-1.11.0
>
>
> Follow-on from CALCITE-1538:
> In testing environments, it may be beneficial to disable the standard
> hostname verification against SSL certificates: verification that the
> CommonName (CN) on the certificate matches the hostname of the server.
> Presently, if the CN on the certificate does not match the hostname, the
> client will see an error:
> {noformat}
> java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
> at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:169)
> at org.apache.calcite.avatica.remote.RemoteProtobufService._apply(RemoteProtobufService.java:45)
> at org.apache.calcite.avatica.remote.ProtobufService.apply(ProtobufService.java:81)
> at org.apache.calcite.avatica.remote.Driver.connect(Driver.java:176)
> at sqlline.DatabaseConnection.connect(DatabaseConnection.java:157)
> at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:203)
> at sqlline.Commands.connect(Commands.java:1064)
> at sqlline.Commands.connect(Commands.java:996)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
> at sqlline.SqlLine.dispatch(SqlLine.java:804)
> at sqlline.SqlLine.initArgs(SqlLine.java:588)
> at sqlline.SqlLine.begin(SqlLine.java:656)
> at sqlline.SqlLine.start(SqlLine.java:398)
> at sqlline.SqlLine.main(SqlLine.java:292)
> at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:88)
> at org.apache.phoenix.queryserver.client.SqllineWrapper$1.run(SqllineWrapper.java:85)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
> at org.apache.phoenix.queryserver.client.SqllineWrapper.main(SqllineWrapper.java:85)
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'host1' does not match the certificate subject provided by the peer (CN=host2)
> at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
> at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
> at org.apache.calcite.avatica.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
> at org.apache.calcite.avatica.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
> at org.apache.calcite.avatica.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> at org.apache.calcite.avatica.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at org.apache.calcite.avatica.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> at org.apache.calcite.avatica.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> at org.apache.calcite.avatica.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at org.apache.calcite.avatica.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> at org.apache.calcite.avatica.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.execute(AvaticaCommonsHttpClientImpl.java:177)
> at org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl.send(AvaticaCommonsHttpClientImpl.java:150)
> ... 23 more
> {noformat}
> Avatica should expose an option to disable the (default) strict hostname
> verifier.
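An added example, not code from the Avatica pull request or from anyone in this thread: one way a client built on Apache HttpClient (the library in the trace above, where it appears under Avatica's shaded package name) can make the hostname verifier selectable while keeping strict verification as the default. It assumes HttpClient 4.4 or later on the classpath under its usual `org.apache.http` package; the enum, the class name and the `example.hostname_verification` property are hypothetical.

```java
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class HostnameVerificationExample {

  /** Hypothetical option values; STRICT is the default. */
  enum HostnameVerification { STRICT, NONE }

  /** An absent value means STRICT; an unknown value throws rather than weakening the check. */
  static HostnameVerification parse(String value) {
    if (value == null || value.trim().isEmpty()) {
      return HostnameVerification.STRICT;
    }
    return HostnameVerification.valueOf(value.trim().toUpperCase(Locale.ROOT));
  }

  static HostnameVerifier verifierFor(HostnameVerification mode) {
    if (mode == HostnameVerification.NONE) {
      // Test environments only: the certificate chain is still validated against the
      // SSLContext's trust store, but a valid certificate is then accepted for any host.
      System.err.println("WARNING: SSL hostname verification is disabled");
      return NoopHostnameVerifier.INSTANCE;
    }
    // Matches the requested host name against the certificate (SAN entries, then CN).
    return new DefaultHostnameVerifier();
  }

  static CloseableHttpClient buildClient(SSLContext ctx, HostnameVerification mode) {
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx, verifierFor(mode));
    return HttpClients.custom().setSSLSocketFactory(sf).build();
  }

  public static void main(String[] args) throws Exception {
    // Hypothetical system property standing in for a connection option.
    HostnameVerification mode = parse(System.getProperty("example.hostname_verification"));
    try (CloseableHttpClient client = buildClient(SSLContext.getDefault(), mode)) {
      System.out.println("hostname verification: " + mode);
    }
  }
}
```

With `NONE` selected, the `SSLPeerUnverifiedException` shown above no longer occurs for a `host1`/`CN=host2` mismatch, which is why the setting belongs only in test configurations and why the code logs a warning each time it is chosen.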