Dan Burkert has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/9934 )
Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
  A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
  And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
  A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify X509_verify_cert()
with the top certificate in the server certificate chain.

With this change, we pass the chain to X509_STORE_CTX_init() as well to make
sure that the entire chain gets checked against the CA.

A test is added that uses the specific certificate format mentioned above and
added to rpc-test.

TODO: Add a test case that has multiple intermediate CAs. Right now we're
testing with only one intermediate CA.
Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Reviewed-on: http://gerrit.cloudera.org:8080/9934
Reviewed-by: Sailesh Mukil <sail...@cloudera.com>
Reviewed-by: Dan Burkert <danburk...@apache.org>
Tested-by: Dan Burkert <danburk...@apache.org>
---
M src/kudu/rpc/rpc-test.cc
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/security/tls_context.cc
4 files changed, 263 insertions(+), 4 deletions(-)

Approvals:
  Sailesh Mukil: Looks good to me, approved
  Dan Burkert: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/9934
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9934
Gerrit-PatchSet: 5
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Lars Volker <l...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
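As an added illustration of the verification bug the change above fixes (this is not code from the Kudu change, and it uses Go's crypto/x509 rather than the OpenSSL calls the patch touches), the following builds the cert.pem / truststore.pem layout from the commit message in memory and verifies the server certificate both ways: leaf only, as TlsContext::VerifyCertChainUnlocked() did before the fix, and leaf plus the remaining certificates of the file as untrusted intermediates, which is what passing the chain to X509_STORE_CTX_init() achieves. The function names (BuildTestPKI, VerifyServerCert, ParsePEMCerts), the generic must helper and the in-memory certificates are all constructed for this example; only the CNs and file roles come from the commit message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture construction: nothing sensible to recover to
	}
	return v
}

// issue generates a P-256 key and a certificate for cn signed by parentKey;
// a nil parent yields a self-signed root. The template is deliberately minimal.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // emit basicConstraints so the CA bit is explicit
		IsCA:                  isCA,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func pemEncode(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// BuildTestPKI constructs, in memory (constructed data, not real files), the
// layout from the commit message: cert.pem = [leaf, intermediate CA], truststore.pem = [root CA].
func BuildTestPKI() (certPEM, truststorePEM []byte) {
	root, rootKey := issue("CertToolkitRootCA", 1, true, nil, nil)
	inter, interKey := issue("CertToolkitIntCA", 2, true, root, rootKey)
	leaf, _ := issue("hostname", 3, false, inter, interKey)
	return append(pemEncode(leaf), pemEncode(inter)...), pemEncode(root)
}

// ParsePEMCerts returns every CERTIFICATE block in data, in file order.
func ParsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // a key or other block may share the file; skip it
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no certificates in PEM data")
	}
	return certs, nil
}

// VerifyServerCert verifies the first certificate in certPEM against the trust
// anchors in truststorePEM. useChain=false mirrors the pre-fix logic (only the leaf
// reaches the verifier); useChain=true supplies the rest of cert.pem as untrusted
// intermediates, the equivalent of passing the chain to X509_STORE_CTX_init().
func VerifyServerCert(certPEM, truststorePEM []byte, useChain bool) error {
	chain, err := ParsePEMCerts(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(truststorePEM) {
		return errors.New("truststore contains no usable certificates")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	if useChain {
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c) // untrusted: must still chain to a root
		}
	}
	_, err = chain[0].Verify(opts)
	return err
}

func main() {
	certPEM, trustPEM := BuildTestPKI()
	fmt.Println("leaf only:   ", VerifyServerCert(certPEM, trustPEM, false))
	fmt.Println("leaf + chain:", VerifyServerCert(certPEM, trustPEM, true))
}
```

Two design points carry over to the OpenSSL side. The intermediate goes into the untrusted pool, never into the trust store: appending it to truststore.pem would also make verification pass, but it would silently promote the intermediate to a trust anchor. And the verifier only accepts the second certificate as an issuer because it carries basicConstraints CA:TRUE, so a cert.pem whose extra certificate lacks that extension will still fail with the chain supplied, which is the first thing to check when a deployment like the one in the commit message keeps failing after the fix.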