bbeaudreault commented on code in PR #5644:
URL: https://github.com/apache/hbase/pull/5644#discussion_r1464030161
##########
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java:
##########
@@ -413,6 +415,19 @@ private void initSSL(ChannelPipeline p, boolean
supportPlaintext)
sslHandler.setWrapDataSize(
conf.getInt(HBASE_SERVER_NETTY_TLS_WRAP_SIZE,
DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE));
+ sslHandler.handshakeFuture().addListener(future -> {
+ try {
+ Certificate[] certificates =
sslHandler.engine().getSession().getPeerCertificates();
+ if (certificates.length > 0) {
+ conn.clientCertificate = (X509Certificate) certificates[0];
+ } else {
Review Comment:
We should inspect the `sslHandler.engine().getNeedClientAuth()` and throw an
exception if no certificate is found here and/or in the exception below. See
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L418-L463
for how zookeeper handles hits.
Another thing I notice in zookeeper is that they set the entire
Certificate[] onto the connection, so that someone can inspect the whole
certificate chain if they want. I think we should probably do that in order to
avoid having to break this interface in the future if someone wants more than
the head of the chain.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
