[
https://issues.apache.org/jira/browse/DRILL-6581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16539351#comment-16539351
]
ASF GitHub Bot commented on DRILL-6581:
---------------------------------------
sohami commented on a change in pull request #1366: [DRILL-6581] C++ Client SSL
Implementation Fixes/Improvements
URL: https://github.com/apache/drill/pull/1366#discussion_r201519782
##########
File path: contrib/native/client/src/clientlib/channel.hpp
##########
@@ -215,6 +287,52 @@ class UserProperties;
static ChannelContext_t* getChannelContext(channelType_t t,
DrillUserProperties* props);
};
+ /// @brief Hostname verification callback wrapper.
+ class DrillSSLHostnameVerifier{
+ public:
+ /// @brief The constructor.
+ ///
+ /// @param in_channel The Channel.
+ DrillSSLHostnameVerifier(Channel* in_channel) :
m_channel(in_channel){
+ DRILL_LOG(LOG_INFO)
+ << "DrillSSLHostnameVerifier::DrillSSLHostnameVerifier:
+++++ Enter +++++"
+ << std::endl;
+ }
+
+ /// @brief Perform certificate verification.
+ ///
+ /// @param in_preverified Pre-verified indicator.
+ /// @param in_ctx Verify context.
+ bool operator()(
+ bool in_preverified,
+ boost::asio::ssl::verify_context& in_ctx){
+ DRILL_LOG(LOG_INFO) << "DrillSSLHostnameVerifier::operator():
+++++ Enter +++++" << std::endl;
+
+ // Gets the channel context.
+ SSLChannelContext_t* context =
(SSLChannelContext_t*)(m_channel->getChannelContext());
+
+ // Retrieve the host before we perform Host name verification.
+ // This is because host with ZK mode is selected after the
connect() function is called.
+ boost::asio::ssl::rfc2818_verification
verifier(m_channel->getEndpoint()->getHost().c_str());
+
+ // Perform verification.
+ bool verified = verifier(in_preverified, in_ctx);
+
+ DRILL_LOG(LOG_DEBUG)
+ << "DrillSSLHostnameVerifier::operator(): Verification
Result: "
+ << verified
+ << std::endl;
+
+ // Sets the result back to the context.
+ context->SetCertHostnameVerificationStatus(verified);
+ return verified && in_preverified;
Review comment:
I think we should just return the `verified` status here not `(verified &&
in_preverified)`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Improve C++ Client SSL Implementation
> -------------------------------------
>
> Key: DRILL-6581
> URL: https://issues.apache.org/jira/browse/DRILL-6581
> Project: Apache Drill
> Issue Type: Improvement
> Components: Client - C++
> Affects Versions: 1.12.0
> Reporter: Rob Wu
> Assignee: Rob Wu
> Priority: Major
> Fix For: 1.14.0
>
>
> # Fix: Hostname verification doesnt function as expected: Host and port in
> the ssl hostname verification callback is always empty.
> # Fix: Certificate load verification exceptions are swallowed and not
> propagated.
> # Improvement: SSL V3 is not disabled.
> # Improvement: Hostname verification failure exception is the same as other
> certificate verification failures, we should separate them
> # Improvement: Create individual error messages to allow error handling of
> the application using the client and follows the standard of the rest of the
> errors
> # Improvement: Add SSL Hostname verification with zookeeper connection mode
> support
> # Added support for custom SSL CTX Options
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
