[ https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15423056#comment-15423056 ]
Larry McCay commented on KNOX-733:
----------------------------------

Hmmm, it seems to me that we should be making the existing httpclient more configurable than exposing that as part of the DSL programming model.

We are currently using the following:

{code}
private static DefaultHttpClient createClient() throws GeneralSecurityException {
  SchemeRegistry registry = new SchemeRegistry();
  // TrustSelfSignedStrategy accepts any self-signed server certificate and
  // ALLOW_ALL_HOSTNAME_VERIFIER skips the hostname check entirely
  SSLSocketFactory socketFactory = new SSLSocketFactory(
      new TrustSelfSignedStrategy(),
      SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER );
  registry.register( new Scheme( "https", 443, socketFactory ) );
  registry.register( new Scheme( "http", 80, new PlainSocketFactory() ) );
  PoolingClientConnectionManager mgr = new PoolingClientConnectionManager( registry );
  DefaultHttpClient client = new DefaultHttpClient( mgr, new DefaultHttpClient().getParams() );
  return client;
}
{code}

Before leaking these details into the programming model we should consider what alternatives we have for:
* TrustSelfSignedStrategy
* SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER

We may also need to provide config for where the public cert of the gateway is for the client trust.

A good portion of the above is deprecated as well.

> Knox shell client is susceptible to man-in-the-middle attack
> -------------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>
> The Knox shell client does not verify the certificate of the server.
> One option would be to provide another method where developers can provide
> their own client, e.g.
> public static Hadoop login( String url, String username, String password,
> HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
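The comment above asks what the shell client could use instead of `TrustSelfSignedStrategy` and `ALLOW_ALL_HOSTNAME_VERIFIER`, and suggests configuring where the gateway's public certificate lives. The following is an added illustration of that shape, not code from Apache Knox or from this thread: it keeps PKIX validation and hostname verification switched on and makes only the trust store configurable. It assumes HttpClient 4.4+ (`org.apache.http.ssl.SSLContexts`, `DefaultHostnameVerifier`), and the `gateway.shell.truststore.*` property names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/**
 * Illustrative, non-Knox replacement for the createClient() quoted in the
 * comment: certificate validation stays on, hostname verification stays on,
 * and the only configurable part is which trust store (holding the gateway's
 * public certificate or its issuing CA) the client validates against.
 */
public final class TrustedGatewayClientFactory {

    /** Hypothetical property names; not real Knox configuration keys. */
    public static final String TRUSTSTORE_PATH_PROP = "gateway.shell.truststore.path";
    public static final String TRUSTSTORE_PASS_PROP = "gateway.shell.truststore.password";

    private TrustedGatewayClientFactory() {}

    /** Reads the trust store location from system properties. */
    public static CloseableHttpClient createClient()
            throws GeneralSecurityException, IOException {
        String path = System.getProperty(TRUSTSTORE_PATH_PROP);
        char[] password = passwordFromProperty(TRUSTSTORE_PASS_PROP);
        return createClient(path, password);
    }

    /** Builds a client that validates the gateway against the given trust store. */
    public static CloseableHttpClient createClient(String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        SSLContext sslContext = buildSslContext(trustStorePath, trustStorePassword);
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new DefaultHostnameVerifier());   // RFC 2818 host matching, not ALLOW_ALL
        return HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
    }

    static SSLContext buildSslContext(String trustStorePath, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        if (trustStorePath == null || trustStorePath.isEmpty()) {
            // No explicit trust store configured: use the JVM's default cacerts,
            // which still performs full chain validation.
            return SSLContexts.createSystemDefault();
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // A null TrustStrategy means standard PKIX validation only: the server
        // certificate must chain to an entry in the store or the handshake fails.
        return SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();
    }

    private static char[] passwordFromProperty(String prop) {
        String value = System.getProperty(prop);
        return value == null ? null : value.toCharArray();
    }
}
```

The gateway's public certificate goes into the trust store once, out of band, with the JDK's own tool (`keytool -importcert -alias gateway -file gateway.pem -keystore gateway-truststore.jks`); after that a self-signed gateway certificate validates through the normal PKIX path, so no trust-all strategy is needed, and a certificate presented by anyone other than the gateway fails the handshake.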