Github user anmolnar commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/184#discussion_r194451677
--- Diff: src/java/main/org/apache/zookeeper/common/ZKTrustManager.java ---
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zookeeper.common;
+
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A custom TrustManager that supports hostname verification via
org.apache.http.conn.ssl.DefaultHostnameVerifier.
+ *
+ * We attempt to perform verification using just the IP address first and
if that fails will attempt to perform a
+ * reverse DNS lookup and verify using the hostname.
+ */
+public class ZKTrustManager extends X509ExtendedTrustManager {
+
+ private static final Logger LOG =
LoggerFactory.getLogger(ZKTrustManager.class);
+
+ private X509ExtendedTrustManager x509ExtendedTrustManager;
+ private boolean hostnameVerificationEnabled;
+ private boolean shouldVerifyClientHostname;
+
+ private DefaultHostnameVerifier hostnameVerifier;
+
+ /**
+ * Instantiate a new ZKTrustManager.
+ *
+ * @param x509ExtendedTrustManager The trustmanager to use for
checkClientTrusted/checkServerTrusted logic
+ * @param verifySSLServerHostname If true, this TrustManager should
verify hostnames of servers that this
+ * instance connects to.
+ * @param verifySSLClientHostname If true, and
verifySSLServerHostname is true, the hostname of a client
+ * connecting to this machine will be
verified in addition to the servers that this
+ * instance connects to. If false, and
verifySSLServerHostname is true, only
+ * the hostnames of servers that this
instance connects to will be verified. If
+ * verifySSLServerHostname is false,
this argument is ignored.
+ */
+ public ZKTrustManager(X509ExtendedTrustManager
x509ExtendedTrustManager, boolean verifySSLServerHostname,
+ boolean verifySSLClientHostname) {
+ this.x509ExtendedTrustManager = x509ExtendedTrustManager;
+ this.hostnameVerificationEnabled = verifySSLServerHostname;
+ this.shouldVerifyClientHostname = verifySSLClientHostname;
+
+ hostnameVerifier = new DefaultHostnameVerifier();
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return x509ExtendedTrustManager.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String
authType, Socket socket) throws CertificateException {
+ if (hostnameVerificationEnabled && shouldVerifyClientHostname) {
--- End diff --
Sorry, just noticed your previous comment. Let's see if I understand you
properly:
- keep one configuration property: `hostnameVerificationEnabled`
- set 2 distinct properties on instantiation: if config is enabled, use
original behaviour, if config is disabled, disable both.
I'll give it a try.
---
