@larry You are right, in the Hadoop class it should be:

    HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
    if (clientContext.connection().secure()) {
      hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
      trustStrategy = null;
    } else {

instead of:

    HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
    if (clientContext.connection().secure()) {
      hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
    } else {

The trustStrategy must be null in order to keep the default X509TrustManager defined for the default ssl algorithm.

My bad...

*Vincent Devillers*
tel.: +33 615053430
email: vincent.devill...@layer4.fr
blog: https://blog.layer4.fr

2017-03-08 18:37 GMT+01:00 larry mccay <lmc...@apache.org>:

> Unfortunately, I have found what I view as a showstopper.
> We had a regression in the knoxshell with respect to requiring proper trust
> of the cert presented by the gateway.
> Somewhere along the line the TrustSelfSignedStrategy was added back and
> self-signed certs now get a free pass.
> This needs to be fixed to protect against MITM attacks, etc.
>
> Here is my -1.
>
>
> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <compuwizard...@gmail.com>
> wrote:
>
> > +1 (non-binding)
> >
> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
> > * Verified that Knox Solr service definition was able to connect to
> > Kerberized Solr
> > * Verified both API and UI
> > * Verified basic auth through LDAP works
> >
> > Kevin Risden
> >
> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <moresand...@gmail.com>
> > wrote:
> >
> > > Thanks Sumit for setting up the release!
> > >
> > > +1 (binding)
> > >
> > > * Downloaded and built from source (with Java 1.8.0_101)
> > > * Checked LICENSE and NOTICE files
> > > * Verified GPG/MD5/SHA signatures
> > > * Installed pseudo-distributed instance (Mac OS X)
> > > * Ran through knox tests
> > > * Checked websocket functionality
> > > * Checked JavaScript compression (Ambari UI)
> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
> > >
> > > :-) My first binding vote
> > >
> > > Best,
> > > Sandeep
> > >
> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
> > >
> > > > A candidate for the Apache Knox 0.12.0 release is available at:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> > > >
> > > > The release candidate is a zip archive of the sources in:
> > > >
> > > > https://git-wip-us.apache.org/repos/asf/knox.git
> > > > Branch v0.12.0 (git checkout -b v0.12.0)
> > > >
> > > > The KEYS file for signature validation is available at:
> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
> > > >
> > > > Please vote on releasing this package as Apache Knox 0.12.0.
> > > > The vote is open for the next 72 hours and passes if a majority of at
> > > > least three +1 Apache Knox PMC votes are cast.
> > > >
> > > > [ ] +1 Release this package as Apache Knox 0.12.0
> > > > [ ] -1 Do not release this package because...
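
The trust wiring discussed at the top of this thread, as an added example that is not part of the original messages or of Knox's own code: it shows how a non-null TrustStrategy reaches the SSLContext and gives a probe for checking that the secure path rejects an untrusted certificate. It assumes Apache HttpClient 4.4 or later on the classpath; the class name, the method names and the URL argument are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

public class TrustWiringCheck {
    // secure == true: default hostname verifier and no TrustStrategy, so the
    // platform X509TrustManager alone decides whether the chain is trusted.
    static SSLConnectionSocketFactory socketFactory(boolean secure)
            throws GeneralSecurityException {
        HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        if (secure) {
            hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            trustStrategy = null;
        }
        // A null KeyStore selects the JVM default trust store. A non-null
        // strategy is asked first; TrustSelfSignedStrategy accepts any chain
        // of length one, and the default trust manager is then never consulted.
        SSLContext ctx = SSLContextBuilder.create()
                .loadTrustMaterial((KeyStore) null, trustStrategy)
                .build();
        return new SSLConnectionSocketFactory(ctx, hostnameVerifier);
    }
    // Returns true when the TLS handshake and the request both complete.
    static boolean connects(String url, boolean secure) throws Exception {
        try (CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(socketFactory(secure)).build()) {
            client.execute(new HttpGet(url)).close();
            return true;
        } catch (SSLException e) {
            return false; // certificate or hostname rejected
        }
    }
    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the HTTPS URL of a test gateway you operate.
        String url = args[0];
        System.out.println("secure=false connects: " + connects(url, false));
        System.out.println("secure=true  connects: " + connects(url, true));
    }
}
```

Run against a test gateway that presents a self-signed certificate, the secure=true probe should fail the handshake; if it connects, the self-signed strategy is still in effect on the secure path.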