[jira] [Commented] (ARROW-10105) [FlightRPC] Add client option to disable certificate validation with TLS

Sun, 04 Oct 2020 17:45:18 -0700 


    [ 
https://issues.apache.org/jira/browse/ARROW-10105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17207796#comment-17207796
 ] 

James Duong commented on ARROW-10105:
-------------------------------------

Thanks [~lidavidm], that seems to have helped with the failures in existing 
tests.

For the CentOS 5.11 build I will look into explicitly removing the gRPC 
included with the OS.

The newly-added tests for Python and C++ are failing. The TlsCredentials 
interface seems to require passing in a root PEM, whereas SslCredentials has 
will use a default if it's not supplied. It either uses a file based on an 
environment variable, or uses a CA cert supplied by gRPC's installation 
process. I don't see a way to access the latter though. It's in a non-exposed 
class: 
https://github.com/grpc/grpc/blob/ff8ceb700e8a53ed4087edc006830da372b1199a/src/core/lib/security/security_connector/ssl_utils.cc#L525

I'll continue digging to see if there's a way to get to this path, but we may 
need to supply our own CA certs file. The content of the root certificate 
really shouldn't actually matter since this feature is to disable server 
verification. It would matter if we change TLS in general to use TlsCredentials.

> [FlightRPC] Add client option to disable certificate validation with TLS
> ------------------------------------------------------------------------
>
>                 Key: ARROW-10105
>                 URL: https://issues.apache.org/jira/browse/ARROW-10105
>             Project: Apache Arrow
>          Issue Type: New Feature
>          Components: C++, FlightRPC, Java, Python
>            Reporter: James Duong
>            Assignee: James Duong
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.0.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Users of Flight may want to disable certificate validation if they want to 
> only use encryption. A use case might be that the Flight server uses a 
> self-signed certificate and doesn't distribute a certificate for clients to 
> use.
> This feature would be to add an explicit option to FlightClient.Builder to 
> disable certificate validation. Note that this should not happen implicitly 
> if a client uses a TLS location, but does not set a certificate. The client 
> should explicitly set this option so that they are fully aware that they are 
> making a connection with reduced security.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to