[ https://issues.apache.org/jira/browse/HBASE-27280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Beaudreault updated HBASE-27280:
--------------------------------------
Fix Version/s: 3.0.0-alpha-4
Release Note: By default, when TLS is enabled, we will also enable mutual
authentication of certificates. This means, during handshake, the client will
authenticate the server's certificate (as is usual) and also the server will
authenticate the client's certificate. Additionally, each side will validate
that the hostname presented by the certificate matches the address of the
connection. These default settings can be customized with new properties
"hbase.server.netty.tls.client.auth.mode" (default NEED, possible values NEED,
WANT, NONE), "hbase.server.netty.tls.verify.client.hostname" (default true),
and "hbase.client.netty.tls.verify.server.hostname" (default true).
Additionally, during hostname verification, if necessary we will fall back on
reverse lookup. The reverse lookup can be disabled via
"hbase.rpc.tls.host-verification.reverse-dns.enabled" (default true).
Resolution: Fixed
Status: Resolved (was: Patch Available)
Thanks for the reviews [~zhangduo] and [~andor]!
> Add mutual authentication support to TLS
> ----------------------------------------
>
> Key: HBASE-27280
> URL: https://issues.apache.org/jira/browse/HBASE-27280
> Project: HBase
> Issue Type: Improvement
> Reporter: Bryan Beaudreault
> Assignee: Bryan Beaudreault
> Priority: Major
> Labels: patch-available, security, ssl, tls
> Fix For: 2.6.0, 3.0.0-alpha-4
>
>
> With HBASE-26666 we now have native TLS on server and client. By default
> clients validate server certificate on handshake. This issue adds server
> authentication of clients. We can also add support for custom rules, such as
> cert CommonName validation.
> I've already got a POC running of this, so assigning to me.
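An added example, not part of the original message or the HBase code base: a small audit that reads an hbase-site.xml and reports where the client-authentication and hostname-verification properties named in the release note have been changed from their stated defaults. The sample configuration is constructed, and the case-insensitive value comparison is an assumption.

```python
import xml.etree.ElementTree as ET

# Defaults exactly as stated in the HBASE-27280 release note.
DEFAULTS = {
    "hbase.server.netty.tls.client.auth.mode": "NEED",
    "hbase.server.netty.tls.verify.client.hostname": "true",
    "hbase.client.netty.tls.verify.server.hostname": "true",
    "hbase.rpc.tls.host-verification.reverse-dns.enabled": "true",
}
# Properties where moving off the default relaxes peer authentication.
# The reverse-DNS switch is left out: turning it off only removes a fallback.
AUTH_PROPS = list(DEFAULTS)[:3]

def effective_settings(xml_text):
    """Return the effective value of each TLS property, applying defaults."""
    settings = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in settings:
            settings[name] = (prop.findtext("value") or "").strip()
    return settings

def weakened(xml_text):
    """List (property, value) pairs that override a default of NEED or true."""
    settings = effective_settings(xml_text)
    # Assumption: values are compared case-insensitively.
    return [(name, settings[name]) for name in AUTH_PROPS
            if settings[name].lower() != DEFAULTS[name].lower()]

# Constructed sample hbase-site.xml, not taken from the issue.
SAMPLE = """<configuration>
  <property>
    <name>hbase.server.netty.tls.client.auth.mode</name>
    <value>WANT</value>
  </property>
  <property>
    <name>hbase.server.netty.tls.verify.client.hostname</name>
    <value>false</value>
  </property>
  <property>
    <name>hbase.rpc.tls.host-verification.reverse-dns.enabled</name>
    <value>false</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for name, value in weakened(SAMPLE):
        print(f"{name} = {value} (default {DEFAULTS[name]})")
```
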