[ 
https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15423056#comment-15423056
 ] 

Larry McCay commented on KNOX-733:
----------------------------------

Hmmm, it seems to me that we should be making the existing httpclient more 
configurable rather than exposing that as part of the DSL programming model.

We are currently using the following:

{code}
  private static DefaultHttpClient createClient() throws GeneralSecurityException {
    SchemeRegistry registry = new SchemeRegistry();
    // Trusts any self-signed certificate and skips hostname verification entirely
    SSLSocketFactory socketFactory = new SSLSocketFactory( new TrustSelfSignedStrategy(), SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER );
    registry.register( new Scheme( "https", 443, socketFactory ) );
    registry.register( new Scheme( "http", 80, new PlainSocketFactory() ) );
    PoolingClientConnectionManager mgr = new PoolingClientConnectionManager( registry );
    DefaultHttpClient client = new DefaultHttpClient( mgr, new DefaultHttpClient().getParams() );
    return client;
  }
{code}

Before leaking these details into the programming model we should consider what 
alternatives we have for:

* TrustSelfSignedStrategy
* SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER

We may also need to provide config for where the public cert of the gateway is 
for the client trust.

A good portion of the above is deprecated as well.


> Knox shell client is susceptible to man-in-the-middle attack
> -------------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>
> The Knox shell client does not verify the certificate of the server.
> One option would be to provide another method where developers can provide their own client, e.g.
> public static Hadoop login( String url, String username, String password, HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.
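As an added example, not code from Apache Knox or from either participant in this thread, the following shows the shape of the configurable client the comment above argues for: the gateway's public certificate is loaded from a configured truststore instead of trusting every self-signed certificate, and the default hostname verifier replaces ALLOW_ALL_HOSTNAME_VERIFIER. It uses the non-deprecated HttpClient 4.4+ builder APIs. The two system property names are hypothetical placeholders, not real Knox configuration keys.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;

public class TrustedClientFactory {

  // Hypothetical configuration keys (assumed for this example, not Knox's own):
  // path to a JKS/PKCS12 truststore holding the gateway's public certificate,
  // and the password protecting it.
  static final String TRUSTSTORE_PROP = "knox.shell.truststore";
  static final String TRUSTSTORE_PASSWORD_PROP = "knox.shell.truststore.password";

  /**
   * Builds a client that only accepts server certificates chaining to the
   * configured truststore (or, if none is configured, to the JVM's default
   * cacerts) and verifies that the certificate matches the gateway hostname.
   */
  static CloseableHttpClient createClient() throws GeneralSecurityException, IOException {
    SSLContextBuilder builder = SSLContextBuilder.create();

    String truststorePath = System.getProperty(TRUSTSTORE_PROP);
    if (truststorePath != null) {
      char[] password = System.getProperty(TRUSTSTORE_PASSWORD_PROP, "").toCharArray();
      // No TrustStrategy argument: nothing outside this store is trusted.
      builder.loadTrustMaterial(new File(truststorePath), password);
    }
    // With no trust material loaded, build() falls back to the JVM default trust store.
    SSLContext sslContext = builder.build();

    // DefaultHostnameVerifier enforces RFC 2818 / RFC 6125 name matching,
    // so a valid certificate for some other host is still rejected.
    SSLConnectionSocketFactory socketFactory =
        new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());

    return HttpClients.custom()
        .setSSLSocketFactory(socketFactory)
        .build();
  }

  public static void main(String[] args) throws Exception {
    try (CloseableHttpClient client = createClient()) {
      System.out.println("client created: " + (client != null));
    }
  }
}
```

With this configuration a connection to a gateway whose certificate is not in the truststore, or whose certificate does not name the host being contacted, fails the TLS handshake with an SSLHandshakeException instead of silently succeeding, which is the behaviour the issue reporter is asking for. Point the truststore property at a store containing only the gateway certificate (or its issuing CA) to keep the trusted set as small as possible.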



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
