[ https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427195#comment-15427195 ]

Larry McCay commented on KNOX-733:
----------------------------------

Technically, the Knox CLI has nothing to do with this library. This is a client 
shell library and programming model.

Having a cert within the jar is interesting.
It assumes that the application packager is either aware of a single server that 
it will be connecting to or is assuming the certs that will be installed on 
the server - including hostname. I can't quite get my head around that.

We should try and figure out how to do this.

If all else fails, we can pull out the power user approach with its own 
httpclient instance.

>  Knox shell client is susceptible to man-in-the-middle attack
> -------------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>            Assignee: chris snow
>
> The Knox shell client does not verify the certificate of the server.  
> One option would be to provide another method where developers can provide 
> their own client, e.g.
> public static Hadoop login( String url, String username, String password, 
> HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
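The "power user" approach discussed above (caller supplies its own HttpClient) is easy to get wrong in the other direction: a client that accepts any chain and any hostname is exactly the man-in-the-middle exposure the ticket describes, and with Basic auth it hands the username and password to whoever terminates the TLS connection. The following is an added example written for this page, not code from Apache Knox or from the ticket's authors. It uses only public Apache HttpClient 4.4+ APIs; the class `KnoxClientTrustExample`, the `Session` type, the `login(...)` overload taking a `CloseableHttpClient`, and the truststore path and credentials in `main` are hypothetical stand-ins, not the real `org.apache.hadoop.gateway.shell.Hadoop` API. It shows the trust-everything client beside a hardened one that pins the gateway's certificate (or issuing CA) from a truststore supplied at deployment time, which sidesteps the problem Larry raises with bundling a cert in the jar: the packager does not need to know the gateway hostname in advance.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/** Illustrative only: NOT Knox's Hadoop class, just the shape proposed in KNOX-733. */
public final class KnoxClientTrustExample {

    /** Hypothetical session object standing in for org.apache.hadoop.gateway.shell.Hadoop. */
    public static final class Session {
        public final URI gateway;
        public final CloseableHttpClient client;
        Session(URI gateway, CloseableHttpClient client) { this.gateway = gateway; this.client = client; }
    }

    /** The "power user" entry point: the caller, not the library, decides the TLS trust policy. */
    public static Session login(String url, String username, String password,
                                CloseableHttpClient client) throws URISyntaxException {
        return new Session(new URI(url), client);
    }

    /** VULNERABLE: accepts any certificate chain and any hostname, so any on-path attacker
     *  presenting any cert receives the Basic-auth credentials. Shown for contrast only. */
    public static CloseableHttpClient trustEverythingClient(String username, String password)
            throws Exception {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(null, (chain, authType) -> true)   // TrustStrategy: never reject a chain
            .build();
        SSLConnectionSocketFactory sf =
            new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE); // ignores CN/SAN
        return HttpClients.custom()
            .setSSLSocketFactory(sf)
            .setDefaultCredentialsProvider(basicCreds(username, password))
            .build();
    }

    /** HARDENED: trusts only what is in a deployer-supplied truststore (the gateway's own cert
     *  or its issuing CA) and enforces RFC 2818/6125 hostname matching against the URL host. */
    public static CloseableHttpClient pinnedTrustClient(File trustStore, char[] trustStorePassword,
                                                       String username, String password)
            throws Exception {
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStore, trustStorePassword)   // JKS or PKCS12 file
            .build();
        HostnameVerifier hv = new DefaultHostnameVerifier();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx, hv);
        return HttpClients.custom()
            .setSSLSocketFactory(sf)
            .setDefaultCredentialsProvider(basicCreds(username, password))
            .build();
    }

    private static CredentialsProvider basicCreds(String username, String password) {
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
        return creds;
    }

    // Assumed invocation (hypothetical URL, truststore and credentials):
    //   java KnoxClientTrustExample https://gateway.example.com:8443/gateway/default \
    //        /etc/knox-client/gateway-trust.jks changeit guest guest-password
    public static void main(String[] args) throws Exception {
        String url = args[0];
        File trustStore = new File(args[1]);
        char[] trustStorePassword = args[2].toCharArray();
        try (CloseableHttpClient client = pinnedTrustClient(trustStore, trustStorePassword, args[3], args[4])) {
            Session session = login(url, args[3], args[4], client);
            // A cert or hostname mismatch surfaces here as an SSLException before any credentials are sent.
            try (CloseableHttpResponse resp = session.client.execute(new HttpGet(session.gateway))) {
                System.out.println("HTTP " + resp.getStatusLine().getStatusCode() + " from " + session.gateway);
            }
        }
    }
}
```

If the gateway uses a certificate issued by a CA already in the JVM's default truststore, `SSLContexts.createDefault()` with `DefaultHostnameVerifier` is sufficient and no pinned file is needed; the pinned variant exists for the self-signed or private-CA certificates Knox gateways are commonly deployed with. In either case the `login(...)` overload taking a client lets the library ship a safe default while still allowing the power-user override the comment mentions.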