[ 
https://issues.apache.org/jira/browse/ARROW-10105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17207721#comment-17207721
 ] 

James Duong commented on ARROW-10105:
-------------------------------------

Another problem I'm seeing is that this is appearing in existing C++ TLS tests 
after updating gRPC to 1.29 (this is with no other code changes), though the 
tests still succeed:
https://github.com/apache/arrow/pull/8325/checks?check_run_id=1205585340#step:8:3529
E1004 14:59:52.344787303   12247 ssl_security_connector.cc:263] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1004 14:59:52.344849303   12247 server_secure_chttp2.cc:81] {"created":"@1601823592.344842403","description":"Unable to create secure server with credentials of type Ssl","file":"../src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc","file_line":63}

I don't think this was showing up before.

Existing Python TLS tests do fail though:
https://github.com/apache/arrow/pull/8325/checks?check_run_id=1205585202#step:8:4378
E1004 14:40:34.743438426    7680 ssl_transport_security.cc:1439] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

I believe the test certificates are using SSL v3, which may be deprecated. I'm 
not sure if these two issues are related (e.g., the server fails to properly 
start in C++ due to SSL v3 now being deprecated).

> [FlightRPC] Add client option to disable certificate validation with TLS
> ------------------------------------------------------------------------
>
>                 Key: ARROW-10105
>                 URL: https://issues.apache.org/jira/browse/ARROW-10105
>             Project: Apache Arrow
>          Issue Type: New Feature
>          Components: C++, FlightRPC, Java, Python
>            Reporter: James Duong
>            Assignee: James Duong
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.0.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Users of Flight may want to disable certificate validation if they want to 
> only use encryption. A use case might be that the Flight server uses a 
> self-signed certificate and doesn't distribute a certificate for clients to 
> use.
> This feature would be to add an explicit option to FlightClient.Builder to 
> disable certificate validation. Note that this should not happen implicitly 
> if a client uses a TLS location, but does not set a certificate. The client 
> should explicitly set this option so that they are fully aware that they are 
> making a connection with reduced security.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
