charlesconnell commented on code in PR #5644:
URL: https://github.com/apache/hbase/pull/5644#discussion_r1465412933
##########
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java:
##########
@@ -413,6 +415,19 @@ private void initSSL(ChannelPipeline p, boolean
supportPlaintext)
sslHandler.setWrapDataSize(
conf.getInt(HBASE_SERVER_NETTY_TLS_WRAP_SIZE,
DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE));
+ sslHandler.handshakeFuture().addListener(future -> {
+ try {
+ Certificate[] certificates =
sslHandler.engine().getSession().getPeerCertificates();
+ if (certificates.length > 0) {
+ conn.clientCertificate = (X509Certificate) certificates[0];
+ } else {
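Review bot: the `else` branch after `if (certificates.length > 0)` is most likely unreachable, because `SSLSession.getPeerCertificates()` throws `SSLPeerUnverifiedException` rather than returning an empty array when the client presented no certificate, so the no-certificate case (and any "mutual auth required but nothing presented" logging) belongs in the `catch` of the surrounding `try`. The listener should also check `future.isSuccess()` before reading `sslHandler.engine().getSession()`, and the unchecked cast `(X509Certificate) certificates[0]` should be guarded with `instanceof` so a non-X.509 chain cannot raise a `ClassCastException` inside the handshake callback.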
Review Comment:
I've changed the interface to use the certificate chain. I'm also logging when `getNeedClientAuth()` is true but no certificate is found. I don't think throwing an exception in this listener is any more useful than logging; it wouldn't block a connection from forming. I also don't necessarily think that it's the job of this code to verify that connections that require mutual auth are doing it. Netty is already enforcing that.
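As an added illustration of the behaviour the comment describes, and not code from the PR or from HBase: a handshake listener that records the full client chain, handles the no-certificate case through the exception `getPeerCertificates()` throws, and logs at a higher level when client auth was required. The `ConnectionState` holder, `LOG`, `remote` and the X.509-only assumption are mine.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import io.netty.handler.ssl.SslHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical holder standing in for the PR's connection object (assumption). */
final class ConnectionState {
  volatile X509Certificate[] clientCertificateChain; // null when none presented
}

final class ClientCertCapture {
  private static final Logger LOG = LoggerFactory.getLogger(ClientCertCapture.class);

  /** Attach to an SslHandler already in the pipeline; `remote` is only used for log context. */
  static void install(SslHandler sslHandler, ConnectionState conn, String remote) {
    sslHandler.handshakeFuture().addListener(future -> {
      if (!future.isSuccess()) {
        // Netty has already failed the handshake and will close the channel; nothing to record.
        return;
      }
      SSLSession session = sslHandler.engine().getSession();
      boolean required = sslHandler.engine().getNeedClientAuth();
      try {
        Certificate[] chain = session.getPeerCertificates();
        // Keep the whole chain, not just the leaf, so later policy code can inspect issuers.
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
          if (!(chain[i] instanceof X509Certificate)) {
            LOG.warn("Non-X.509 certificate at position {} from {}; ignoring chain", i, remote);
            return;
          }
          x509[i] = (X509Certificate) chain[i];
        }
        conn.clientCertificateChain = x509;
      } catch (SSLPeerUnverifiedException e) {
        // Thrown instead of returning an empty array when the client sent no certificate.
        if (required) {
          // Netty already rejected such handshakes; reaching here means a misconfiguration worth surfacing.
          LOG.warn("Mutual TLS required but no client certificate from {}", remote);
        } else {
          LOG.debug("No client certificate presented by {}", remote);
        }
      }
    });
  }
}
```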
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]