github-code-scanning[bot] commented on code in PR #2719:
URL: https://github.com/apache/drill/pull/2719#discussion_r1046056001


##########
contrib/storage-splunk/src/main/java/org/apache/drill/exec/store/splunk/SplunkConnection.java:
##########
@@ -152,4 +172,45 @@
   public EntityCollection<Index> getIndexes() {
     return service.getIndexes();
   }
+
+  /**
+   * As of version 1.8, Splunk's SDK introduced a boolean parameter which
+   * is supposed to control whether the SDK will validate SSL certificates
+   * or not.  Unfortunately the parameter does not actually seem to have
+   * any effect and the end result is that when making Splunk calls,
+   * Splunk will always attempt to verify the SSL certificates, even when
+   * the parameter is set to false.  This method does what the parameter
+   * is supposed to do in the SDK and adds and all trusting SSL Socket
+   * Factory to the HTTP client in Splunk's SDK.  In the event Splunk
+   * fixes this issue, we can remove this method.
+   *
+   * @return A {@link SSLSocketFactory} which trusts any SSL certificate,
+   *   even ones from Splunk
+   * @throws KeyManagementException Thros
+   */
+  private SSLSocketFactory createAllTrustingSSLFactory() throws 
KeyManagementException {
+    SSLContext context;
+    try {
+      context = SSLContext.getInstance("TLS");
+    } catch (NoSuchAlgorithmException e) {
+      throw UserException.validationError(e)
+        .message("Error establishing SSL connection: Invalid scheme: " + 
e.getMessage())
+        .build(logger);
+    }
+    TrustManager[] trustAll = new TrustManager[]{
+        new X509TrustManager() {
+          public X509Certificate[] getAcceptedIssuers() {
+            return null;
+          }
+          public void checkClientTrusted(X509Certificate[] certs, String 
authType) {
+            // No op
+          }
+          public void checkServerTrusted(X509Certificate[] certs, String 
authType) {
+            // No op
+          }
+        }
+    };
+    context.init(null, trustAll, null);
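
Review bot: the no-op `checkServerTrusted` in the anonymous `X509TrustManager` makes this factory accept any server certificate, so a connection built with it has no protection against an on-path impersonator of the Splunk endpoint. The Javadoc says the method stands in for the SDK's validation parameter when it is set to false, but nothing in the visible lines ties `createAllTrustingSSLFactory()` to that setting. Please make sure the call site installs this factory only when the user has explicitly disabled certificate validation, and log a warning when it does. Smaller points in the same hunk: `getAcceptedIssuers()` should return `new X509Certificate[0]` rather than `null`, since the `X509TrustManager` contract asks for a non-null array; the three interface methods lack `@Override`; and the Javadoc reads "adds and all trusting" (presumably "adds an all-trusting") and ends with an unfinished `@throws KeyManagementException Thros`.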

Review Comment:
   ## `TrustManager` that accepts all certificates
   
   This uses [TrustManager](1), which is defined in [SplunkConnection$](2) and trusts any certificate.
   
   [Show more details](https://github.com/apache/drill/security/code-scanning/42)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.