[
https://issues.apache.org/jira/browse/KNOX-1111?focusedWorklogId=213820&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-213820
]
ASF GitHub Bot logged work on KNOX-1111:
----------------------------------------
Author: ASF GitHub Bot
Created on: 15/Mar/19 15:13
Start Date: 15/Mar/19 15:13
Worklog Time Spent: 10m
Work Description: rlevas commented on pull request #74: KNOX-1111 - 2-way
SSL Truststore and Keystore Improvements
URL: https://github.com/apache/knox/pull/74#discussion_r266024463
##########
File path:
gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/DefaultHttpClientFactory.java
##########
@@ -76,28 +77,14 @@ public HttpClient createHttpClient(FilterConfig
filterConfig) {
} else {
builder = HttpClients.custom();
}
- if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
- AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
- KeystoreService ks =
services.getService(GatewayServices.KEYSTORE_SERVICE);
- final SSLContext sslcontext;
- try {
- KeyStore identityKeystore = ks.getKeystoreForGateway();
- char[] identityKeyPassphrase = as.getGatewayIdentityPassphrase();
- // The trustKeystore will be the same as the identityKeystore if a
truststore was not explicitly
- // configured in gateway-site (gateway.truststore.password.alias,
gateway.truststore.path, gateway.truststore.type)
- // This was the behavior before KNOX-1812
- KeyStore trustKeystore = ks.getTruststoreForHttpClient();
-
- sslcontext = SSLContexts.custom()
- .loadTrustMaterial(trustKeystore, new TrustSelfSignedStrategy())
- .loadKeyMaterial(identityKeystore, identityKeyPassphrase)
- .build();
- } catch (Exception e) {
- throw new IllegalArgumentException("Unable to create SSLContext", e);
- }
- builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext));
+ // Conditionally set a custom SSLContext
+ boolean useTwoWaySsl =
Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"));
+ SSLContext sslContext = createSSLContext(services, useTwoWaySsl);
Review comment:
Sure... I can do that.
But if we need to make changes to `createSSLContext` in the future, changing
the args to passing the filterConfig could be done then. `createSSLContext` is
basically a private method, so changing its signature later should be a minor
task. If `createSSLContext` was part of an interface (or just public) that may
be another story.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 213820)
Time Spent: 0.5h (was: 20m)
> 2-way SSL Truststore and Keystore Improvements
> ----------------------------------------------
>
> Key: KNOX-1111
> URL: https://issues.apache.org/jira/browse/KNOX-1111
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Robert Levas
> Priority: Major
> Fix For: 1.3.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Currently, the DefaultHttpClientFactory is setting the 2-way SSL for
> dispatches truststore as gateway.jks. This should be driven by configuration
> and probably default to cacerts rather than gateway.jks.
> The client cert alias inside the keystore should be configurable as well so
> that we can possibly have different certs representing different topologies.
> In addition, the keystore to host the client certs should be configurable.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
