Sailesh Mukil has uploaded this change for review. ( http://gerrit.cloudera.org:8080/9934 )


Change subject: KUDU-2401: External TLS certificate with Intermediate CA in 
server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file 
fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by 
CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify X509_verify_cert()
with the top certificate in the server certificate chain.

With this change, we iterate through the chain and try to verify each
certificate with the CA.

A test is added that uses the specific certificate format mentioned above
and added to rpc-test.

P.S: A majority of the change is testing related and the core code change
is pretty small.

Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
---
M src/kudu/rpc/rpc-test.cc
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/security/tls_context.cc
6 files changed, 280 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/34/9934/1

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9934
Gerrit-PatchSet: 1
Gerrit-Owner: Sailesh Mukil <[email protected]>
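
The cert.pem / truststore.pem layout from the commit message can be reproduced with the openssl command line to see why checking only the top certificate against the root fails. This is an added example, not code from the Kudu change: file names other than cert.pem and truststore.pem are hypothetical, every key and certificate is a throwaway, and `-untrusted` is the OpenSSL CLI's way of supplying intermediates, not necessarily what the patch does.

```shell
#!/bin/sh
# Constructed reproduction: every key and certificate here is a throwaway.
set -eu

new_csr() {  # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  new_csr "$1/root" CertToolkitRootCA
  new_csr "$1/int"  CertToolkitIntCA
  new_csr "$1/leaf" hostname
  # Self-signed root CA: the only certificate in truststore.pem.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/truststore.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl x509 -req -in "$1/int.csr" -CA "$1/truststore.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  # Node certificate, signed by the intermediate.
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
  # cert.pem: node certificate first, then the intermediate CA certificate.
  cat "$1/leaf.pem" "$1/int.pem" > "$1/cert.pem"
}

# Only the first certificate in cert.pem is read, so its issuer
# (the intermediate) is unknown and no path to the root can be built.
verify_top_only() {
  openssl verify -CAfile "$1/truststore.pem" "$1/cert.pem" 2>/dev/null | grep -q ': OK$'
}

# The whole of cert.pem is offered as untrusted chain material, so the
# intermediate is available to link the node certificate to the root.
verify_with_chain() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d)
build_chain "$dir"
if verify_top_only "$dir"; then echo "top certificate only: OK"; else echo "top certificate only: FAILED"; fi
if verify_with_chain "$dir"; then echo "with intermediate: OK"; else echo "with intermediate: FAILED"; fi
rm -rf "$dir"
```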
