We should default the variable to null and only set it conditionally. This will allow us to fail securely rather than insecurely.
This may have been introduced when I had to merge the knoxtoken branch into that change. It was a troublesome merge as I recall.

On Wed, Mar 8, 2017 at 1:53 PM, Sumit Gupta <sumit.gu...@hortonworks.com> wrote:

> As per the discussion below the VOTE for release is being cancelled.
>
> Sumit.
>
> On 3/8/17, 1:51 PM, "Sumit Gupta" <sumit.gu...@hortonworks.com> wrote:
>
> >Thanks for the catch Larry and Vincent. This may have been a merge issue
> >on my part as well. In any case I agree that the release cannot go out
> >with this bug. My vote is also -1. I'll cancel the vote and file a JIRA
> >for the issue to be fixed.
> >
> >Thanks everyone for testing the RC and stay tuned for the next one.
> >
> >Sumit.
> >
> >
> >On 3/8/17, 1:19 PM, "Vincent Devillers" <vincent.devill...@layer4.fr>
> >wrote:
> >
> >>@larry
> >>
> >>You are right, in the Hadoop class it should be:
> >>
> >>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> >>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> >>if (clientContext.connection().secure()) {
> >>  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> >>  trustStrategy = null;
> >>} else {
> >>
> >>instead of:
> >>
> >>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
> >>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
> >>if (clientContext.connection().secure()) {
> >>  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
> >>} else {
> >>
> >>
> >>The trustStrategy must be null in order to keep the default
> >>X509TrustManager defined for the default ssl algorithm.
> >>My bad...
> >>
> >>*Vincent Devillers*
> >>
> >>tel.: +33 615053430
> >>email: vincent.devill...@layer4.fr
> >>blog: https://blog.layer4.fr
> >>
> >>2017-03-08 18:37 GMT+01:00 larry mccay <lmc...@apache.org>:
> >>
> >>> Unfortunately, I have found what I view as a showstopper.
> >>> We had a regression in the knoxshell with respect to requiring proper trust
> >>> of the cert presented by the gateway.
> >>> Somewhere along the line the TrustSelfSignedStrategy was added back and
> >>> self-signed certs now get a free pass.
> >>> This needs to be fixed to protect against MITM attacks, etc.
> >>>
> >>> Here is my -1.
> >>>
> >>>
> >>> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <compuwizard...@gmail.com>
> >>> wrote:
> >>>
> >>> > +1 (non-binding)
> >>> >
> >>> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
> >>> > * Verified that Knox Solr service definition was able to connect to
> >>> > Kerberized Solr
> >>> > * Verified both API and UI
> >>> > * Verified basic auth through LDAP works
> >>> >
> >>> > Kevin Risden
> >>> >
> >>> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <moresand...@gmail.com>
> >>> > wrote:
> >>> >
> >>> > > Thanks Sumit for setting up the release!
> >>> > >
> >>> > > +1 (binding)
> >>> > >
> >>> > > * Downloaded and built from source (with Java 1.8.0_101)
> >>> > > * Checked LICENSE and NOTICE files
> >>> > > * Verified GPG/MD5/SHA signatures
> >>> > > * Installed pseudo-distributed instance (Mac OS X)
> >>> > > * Ran through knox tests
> >>> > > * Checked websocket functionality
> >>> > > * Checked java script compression (Ambari UI)
> >>> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
> >>> > >
> >>> > > :-) My first binding vote
> >>> > >
> >>> > > Best,
> >>> > > Sandeep
> >>> > >
> >>> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
> >>> > >
> >>> > > > A candidate for the Apache Knox 0.12.0 release is available at:
> >>> > > >
> >>> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> >>> > > >
> >>> > > > The release candidate is a zip archive of the sources in:
> >>> > > >
> >>> > > > https://git-wip-us.apache.org/repos/asf/knox.git
> >>> > > > Branch v0.12.0 (git checkout -b v0.12.0)
> >>> > > >
> >>> > > > The KEYS file for signature validation is available at:
> >>> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
> >>> > > >
> >>> > > > Please vote on releasing this package as Apache Knox 0.12.0.
> >>> > > > The vote is open for the next 72 hours and passes if a majority of at
> >>> > > > least three +1 Apache Knox PMC votes are cast.
> >>> > > >
> >>> > > > [ ] +1 Release this package as Apache Knox 0.12.0
> >>> > > > [ ] -1 Do not release this package because...
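
The fail-secure default discussed in this thread, as an added example that is not Knox's code or any participant's patch. It assumes Apache HttpClient 4.4 or later; the class name, method name and the tri-state `secure` flag (standing in for `clientContext.connection().secure()`) are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

// Hypothetical helper class for illustration; not part of Knox.
public final class FailSecureTls {

  // 'secure' is an assumed stand-in for clientContext.connection().secure().
  // A Boolean is used so that "not configured" (null) can be told apart from
  // an explicit opt-out: only Boolean.FALSE relaxes the checks.
  static SSLConnectionSocketFactory socketFactory(Boolean secure)
      throws GeneralSecurityException {
    // Strict values are the starting point. A null TrustStrategy leaves the
    // JVM's default X509TrustManager in charge of chain validation, and the
    // default verifier checks the hostname against the certificate.
    HostnameVerifier hostnameVerifier =
        SSLConnectionSocketFactory.getDefaultHostnameVerifier();
    TrustStrategy trustStrategy = null;

    // The relaxed settings are reachable only through this one branch, so a
    // dropped line or a bad merge leaves the strict values in place.
    if (Boolean.FALSE.equals(secure)) {
      hostnameVerifier = NoopHostnameVerifier.INSTANCE;
      trustStrategy = TrustSelfSignedStrategy.INSTANCE;
    }

    // A null KeyStore selects the JVM default trust store.
    SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial((KeyStore) null, trustStrategy)
        .build();
    return new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    socketFactory(null);          // unset: strict trust and hostname checks
    socketFactory(Boolean.TRUE);  // secure: strict trust and hostname checks
    socketFactory(Boolean.FALSE); // explicit opt-out: self-signed accepted
  }
}
```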