@larry

You are right, in the Hadoop class it should be:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {

instead of:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {


The trustStrategy must be null in order to keep the default
X509TrustManager defined for the default ssl algorithm.
My bad...

*Vincent Devillers*

tel.: +33 615053430
email: vincent.devill...@layer4.fr
blog: https://blog.layer4.fr

2017-03-08 18:37 GMT+01:00 larry mccay <lmc...@apache.org>:

> Unfortunately, I have found what I view as a showstopper.
> We had a regression in the knoxshell with respect to requiring proper trust
> of the cert presented by the gateway.
> Somewhere along the line the TrustSelfSignedStrategy was added back and
> self-signed certs now get a free pass.
> This needs to be fixed to protect against MITM attacks, etc.
>
> Here is my -1.
>
>
> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <compuwizard...@gmail.com>
> wrote:
>
> > +1 (non-binding)
> >
> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
> > * Verified that Knox Solr service definition was able to connect to
> > Kerberized Solr
> > * Verified both API and UI
> > * Verified basic auth through LDAP works
> >
> > Kevin Risden
> >
> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <moresand...@gmail.com>
> > wrote:
> >
> > > Thanks Sumit for setting up the release !
> > >
> > > +1 (binding)
> > >
> > > * Downloaded and built from source (with Java 1.8.0_101)
> > > * Checked LICENSE and NOTICE files
> > > * Verified GPG/MD5/SHA signatures
> > > * Installed pseudo-distributed instance (Mac OS X)
> > > * Ran through knox tests
> > > * Checked websocket functionality
> > > * Checked java script compression (Ambari UI)
> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
> > >
> > >  :-) My first binding vote
> > >
> > > Best,
> > > Sandeep
> > >
> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
> > >
> > > > A candidate for the Apache Knox 0.12.0 release is available at:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> > > >
> > > > The release candidate is a zip archive of the sources in:
> > > >
> > > > https://git-wip-us.apache.org/repos/asf/knox.git
> > > > Branch v0.12.0 (git checkout -b v0.12.0)
> > > >
> > > > The KEYS file for signature validation is available at:
> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
> > > >
> > > > Please vote on releasing this package as Apache Knox 0.12.0.
> > > > The vote is open for the next 72 hours and passes if a majority of at
> > > > least three +1 Apache Knox PMC votes are cast.
> > > >
> > > > [ ] +1 Release this package as Apache Knox 0.12.0
> > > > [ ] -1 Do not release this package because...
> > > >
> > >
> >
>
