Allow custom TLS cert checks #6432
Overall LGTM 🤘
@Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD}) | ||
@Retention(RetentionPolicy.RUNTIME) | ||
@BindingAnnotation | ||
public @interface Server |
This doesn't seem to be used
Thanks, removed the unused annotation
customCertCheckRouterUrl = props.get("router_no_client_auth_url"); | ||
if (customCertCheckRouterUrl == null) { | ||
String customCertCheckRouterHost = props.get("router_no_client_auth_host"); | ||
if (null != customCertCheckRouterHost) { |
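Review bot: `customCertCheckRouterUrl` is left null when neither `router_no_client_auth_url` nor `router_no_client_auth_host` is set, so whatever consumes it later needs a null check or the config load should fail fast with a message naming both properties. Also, the outer `customCertCheckRouterUrl == null` and the inner `null != customCertCheckRouterHost` use opposite null-comparison orders; picking one form for both reads more easily.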
nit: i find this kind of jarring since outer is `var == null` and then inside it's flipped to `null != var`, but I don't think it's a big deal
hm, it follows the convention for the other nodes in that file, i'll leave this unchanged in this PR
👍
TeamCity failures seem unrelated
fixed conflicts
customCertCheckRouterUrl = props.get("router_no_client_auth_url"); | ||
if (customCertCheckRouterUrl == null) { | ||
String customCertCheckRouterHost = props.get("router_no_client_auth_host"); | ||
if (null != customCertCheckRouterHost) { |
👍
TrustManager[] newTrustManagers = new TrustManager[trustManagers.length]; | ||
for (int i = 0; i < trustManagers.length; i++) { | ||
if (trustManagers[i] instanceof X509ExtendedTrustManager) { |
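Review bot: `newTrustManagers` is allocated with `trustManagers.length` slots but only the `instanceof X509ExtendedTrustManager` branch fills one, so any other `TrustManager` returned by the factory leaves a null element in the array that is later handed to the SSL context; add an `else` that copies the original entry through (optionally logging that it was not wrapped), or fail explicitly instead of producing a sparse array.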
Would it be harmful to just leave non X509ExtendedTrustManager implementations in this list with an `else` that doesn't wrap them in the CustomCheckX509TrustManager and just adds them to `newTrustManagers` as is?
Changed this to preserve non-X509ExtendedTrustManager objects and log their presence
LGTM with a nit.
|Property|Description|Default|Required| | ||
|--------|-----------|-------|--------| | ||
|`druid.tls.certificateChecker`|Type name of custom TLS certificate checker, provided by extensions.|"default"|no| |
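Review bot: "Type name of custom TLS certificate checker" in the `druid.tls.certificateChecker` row does not say what kind of identifier is expected (a fully qualified class name or a short type name an extension registers), nor what `"default"` resolves to; spell both out in the description so an operator can fill the property without reading the extension's source.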
Is this supposed to be the canonical class name of the custom checker? I think it would be better to clarify it.
Added some clarification here
LGTM 🤘
* Allow custom TLS cert checks * PR comment * Checkstyle, PR comment
This PR adds an extension point, `TLSCertificateChecker`, for custom TLS certificate checking (both client and server side). The hook provided allows an extension to replace the default X509ExtendedTrustManager's `checkClientTrusted` and `checkServerTrusted` methods (the default trust manager is provided as a parameter, so the standard checks can still be used by an extension if desired). This PR also adds an option to the simple-client-sslcontext extension to disable the standard hostname validation check.
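The pattern the description outlines, shown as an added stand-alone example written for this page: it is not the project's `TLSCertificateChecker` interface (whose exact signature is not reproduced here) and not code from the PR. It uses only the JDK's JSSE API: a wrapper `X509ExtendedTrustManager` that first runs the default trust manager's checks and then applies an extra check (here, a hypothetical issuer pin chosen for illustration), plus the array-copying loop with the `else` branch discussed in the review so non-X509 trust managers are passed through rather than left as null slots.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative custom certificate check (not Druid code): every check is first
 * delegated to the default X509ExtendedTrustManager (chain validation plus the
 * endpoint identification / hostname check when one is configured on the
 * socket or engine), and only then is the additional check applied. The extra
 * check here, pinning the leaf certificate's issuer, is an assumed example.
 */
public final class IssuerPinningTrustManager extends X509ExtendedTrustManager
{
  private final X509ExtendedTrustManager delegate;
  private final X500Principal expectedIssuer;

  public IssuerPinningTrustManager(X509ExtendedTrustManager delegate, String expectedIssuerDn)
  {
    this.delegate = delegate;
    // X500Principal.equals compares canonical forms, so "CN=a, O=b" and "O=b,CN=a" agree.
    this.expectedIssuer = new X500Principal(expectedIssuerDn);
  }

  private void checkIssuer(X509Certificate[] chain) throws CertificateException
  {
    if (chain == null || chain.length == 0) {
      throw new CertificateException("empty certificate chain");
    }
    X500Principal actual = chain[0].getIssuerX500Principal();
    if (!expectedIssuer.equals(actual)) {
      throw new CertificateException("unexpected issuer: " + actual.getName());
    }
  }

  @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  {
    delegate.checkClientTrusted(chain, authType);   // standard checks run first
    checkIssuer(chain);
  }

  @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  {
    delegate.checkClientTrusted(chain, authType, socket);
    checkIssuer(chain);
  }

  @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  {
    delegate.checkClientTrusted(chain, authType, engine);
    checkIssuer(chain);
  }

  @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  {
    delegate.checkServerTrusted(chain, authType);
    checkIssuer(chain);
  }

  @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  {
    delegate.checkServerTrusted(chain, authType, socket);
    checkIssuer(chain);
  }

  @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  {
    delegate.checkServerTrusted(chain, authType, engine);
    checkIssuer(chain);
  }

  @Override public X509Certificate[] getAcceptedIssuers()
  {
    return delegate.getAcceptedIssuers();
  }

  /** Wrap each X509ExtendedTrustManager; pass any other TrustManager through unchanged. */
  public static TrustManager[] wrapAll(TrustManager[] trustManagers, String expectedIssuerDn)
  {
    TrustManager[] wrapped = new TrustManager[trustManagers.length];
    for (int i = 0; i < trustManagers.length; i++) {
      if (trustManagers[i] instanceof X509ExtendedTrustManager) {
        wrapped[i] = new IssuerPinningTrustManager((X509ExtendedTrustManager) trustManagers[i], expectedIssuerDn);
      } else {
        wrapped[i] = trustManagers[i];   // never leave a null slot for SSLContext.init
      }
    }
    return wrapped;
  }

  /** Build the wrapped set from the JDK default trust store (a null KeyStore selects it). */
  public static TrustManager[] fromDefaultTrustStore(String expectedIssuerDn)
      throws NoSuchAlgorithmException, KeyStoreException
  {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);
    return wrapAll(tmf.getTrustManagers(), expectedIssuerDn);
  }
}
```

To use it, pass `IssuerPinningTrustManager.fromDefaultTrustStore("CN=Internal CA, O=Example")` as the trust managers to `SSLContext.init`. One caveat that follows from the PR's second change: if the standard hostname validation is switched off, the custom check is the only thing binding a presented certificate to the peer you intended to reach, so it must carry some identity check of its own (issuer pin, expected SAN, or similar); otherwise any certificate from the trust store is accepted for any host.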