Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/9940 )
Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
  A cert for that node (with CN="hostname", and signed by
  CN=CertToolkitIntCA)
  And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by
  CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
  A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify
X509_verify_cert() with the top certificate in the server certificate
chain.

With this change, we pass the chain to X509_STORE_CTX_init() as well
to make sure that the entire chain gets checked against the CA.

A test is added that uses the specific certificate format mentioned
above and added to rpc-test.

TODO: Add a test case that has multiple intermediate CAs. Right now
we're testing with only one intermediate CA.

Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Reviewed-on: http://gerrit.cloudera.org:8080/9940
Reviewed-by: Lars Volker <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
---
M be/src/kudu/rpc/rpc-test.cc
M be/src/kudu/security/test/test_certs.cc
M be/src/kudu/security/test/test_certs.h
M be/src/kudu/security/tls_context.cc
4 files changed, 263 insertions(+), 4 deletions(-)

Approvals:
  Lars Volker: Looks good to me, approved
  Impala Public Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/9940
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9940
Gerrit-PatchSet: 2
Gerrit-Owner: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Lars Volker <[email protected]>
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
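
The certificate layout from the commit message, reproduced with the openssl CLI as an added example (not code from the change or from KRPC). The CNs, file names other than cert.pem and truststore.pem, and function names are constructed for the demo; `-untrusted` here plays the role of the chain argument to X509_STORE_CTX_init(), offering the intermediate for path building while trust still comes only from the root.

```sh
#!/bin/sh
# Added example: constructed CNs and file names; requires the openssl CLI.

# issue DIR NAME CN CA_CERT CA_KEY EXT: new key + CSR, signed by the given CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$4" -CAkey "$5" -set_serial 1 -days 1 \
    -extfile "$1/o.cnf" -extensions "$6" -out "$1/$2.pem" 2>/dev/null
}

# make_chain DIR: build truststore.pem (root only) and cert.pem (leaf + intermediate).
make_chain() {
  # Minimal config so both CA certificates carry basicConstraints CA:TRUE.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' > "$1/o.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/o.cnf" \
    -extensions ca -subj '/CN=DemoRootCA' \
    -keyout "$1/root.key" -out "$1/truststore.pem" 2>/dev/null &&
  issue "$1" int DemoIntCA "$1/truststore.pem" "$1/root.key" ca &&
  issue "$1" leaf demo-host "$1/int.pem" "$1/int.key" leaf &&
  cat "$1/leaf.pem" "$1/int.pem" > "$1/cert.pem"
}

# Pre-fix behaviour: only the first certificate in cert.pem is read and no
# intermediates are offered, so the issuer of the leaf cannot be found.
verify_leaf_only() {
  openssl verify -CAfile "$1/truststore.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Post-fix behaviour: every certificate in cert.pem is also supplied as an
# untrusted chain candidate, so the path leaf -> intermediate -> root is built.
verify_with_chain() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_chain "$work" || { echo "openssl setup failed" >&2; exit 1; }
if verify_leaf_only "$work"; then echo "leaf only:  OK"; else echo "leaf only:  FAIL"; fi
if verify_with_chain "$work"; then echo "with chain: OK"; else echo "with chain: FAIL"; fi
rm -rf "$work"
```
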
