fapifta commented on PR #4442: URL: https://github.com/apache/ozone/pull/4442#issuecomment-1482105701
Hi @ChenSammi, thank you for working on this piece, and for the discussion we had on this.

So my understanding after our discussion is that there is a problem with the TLS authentication, and that is because the validity of the certificate provided by another party cannot be verified properly.

As we discussed, the original intent with introducing certificate bundles was to simplify the trust setup: the idea is that we have only the rootCA certificate in the TrustStores, and with that we provide a certificate bundle for every service that contains the certificate chain up until the rootCA. With that, the KeyStore will be initialized with the chain of certificates up to the rootCA, and during connection setup we provide this chain to the other party, so it will be able to verify the certificate validity up to our trust anchor, the rootCA, which it has in its TrustStore.

Your patch brings back the old way, where the TrustStore contains all the sub-CA certificates and the rootCA certificate, which in turn solves the problem, but it conflicts with the intentions of the change to use a certificate bundle.

As we discussed, the problem is that the ReloadingX509KeyManager#loadKeyManager method just gets the actual service's certificate and not the certificate bundle as it is, when it loads its own certificate and key material to the KeyStore to be used with the connection. Hence the chain is not sent properly during setting up the connection, and that is why the other party cannot verify the certificate against only the rootCA certificate in the TrustStore.

So the solution for the problem should be to load the whole bundle file in the KeyStore, and I believe that should solve the problem you face and would like to solve here. Can you please check out this approach and let me know if my understanding and the proposed solution is working, and then update this PR or create a new one?
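The fix proposed in the comment, loading the whole bundle into the KeyStore so the JSSE KeyManager sends the full chain, as an added illustration that is not Ozone's code or the PR's own change. It assumes a PEM bundle ordered leaf first up to the rootCA and an unencrypted PKCS#8 private key file; file paths, the alias `service` and the class name are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;

/** Example only: builds a KeyStore whose single key entry carries the whole PEM bundle. */
public final class BundleKeyStore {

  private BundleKeyStore() {}

  /** Parses every certificate in the bundle (assumed order: leaf, sub-CAs, rootCA). */
  static X509Certificate[] readChain(Path bundlePem) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    try (InputStream in = Files.newInputStream(bundlePem)) {
      // generateCertificates returns every PEM block in the file, not only the first one.
      return cf.generateCertificates(in).toArray(new X509Certificate[0]);
    }
  }

  /** Reads an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") matching the leaf's algorithm. */
  static PrivateKey readPkcs8Key(Path keyPem, String algorithm) throws Exception {
    String body = Files.readString(keyPem)
        .replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "")
        .replaceAll("\\s", "");
    byte[] der = Base64.getDecoder().decode(body);
    return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
  }

  /**
   * The chain array passed to setKeyEntry is exactly what the KeyManager presents to the
   * peer in the handshake. Passing only {chain[0]} (the leaf) reproduces the failure in the
   * comment: a peer whose TrustStore holds just the rootCA cannot build the path.
   */
  static KeyManagerFactory keyManagerFor(Path bundlePem, Path keyPem, char[] password)
      throws Exception {
    X509Certificate[] chain = readChain(bundlePem);
    PrivateKey key = readPkcs8Key(keyPem, chain[0].getPublicKey().getAlgorithm());
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null);
    ks.setKeyEntry("service", key, password, chain); // whole bundle, not chain[0] alone
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
    kmf.init(ks, password);
    return kmf;
  }
}
```

Passing `kmf.getKeyManagers()` to `SSLContext.init` lets the peer validate against a TrustStore that contains only the rootCA, which is the trust setup the bundle approach was meant to enable.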
