Allow custom TLS cert checks #6432
Conversation
jon-wei
force-pushed
the
custom_tls_check
branch
from
be8dd4e
to
f67b64d
Compare
| @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD}) | ||
| @Retention(RetentionPolicy.RUNTIME) | ||
| @BindingAnnotation | ||
| public @interface Server |
There was a problem hiding this comment.
This doesn't seem to be used
There was a problem hiding this comment.
Thanks, removed the unused annotation
| customCertCheckRouterUrl = props.get("router_no_client_auth_url"); | ||
| if (customCertCheckRouterUrl == null) { | ||
| String customCertCheckRouterHost = props.get("router_no_client_auth_host"); | ||
| if (null != customCertCheckRouterHost) { |
There was a problem hiding this comment.
nit: i find this kind of jarring since outer is var == null and then inside it's flipped to null != var, but I don't think it's a big deal
There was a problem hiding this comment.
hm, it follows the convention for the other nodes in that file, i'll leave this unchanged in this PR
|
TeamCity failures seem unrelated |
jon-wei
force-pushed
the
custom_tls_check
branch
from
d0521d5
to
e4515cd
Compare
|
fixed conflicts |
| customCertCheckRouterUrl = props.get("router_no_client_auth_url"); | ||
| if (customCertCheckRouterUrl == null) { | ||
| String customCertCheckRouterHost = props.get("router_no_client_auth_host"); | ||
| if (null != customCertCheckRouterHost) { |
| TrustManager[] newTrustManagers = new TrustManager[trustManagers.length]; | ||
|
|
||
| for (int i = 0; i < trustManagers.length; i++) { | ||
| if (trustManagers[i] instanceof X509ExtendedTrustManager) { |
There was a problem hiding this comment.
Would it be harmful to just leave non X509ExtendedTrustManager implementations in this list with an else that doesn't wrap them in the CustomCheckX509TrustManager and just adds them to newTrustManagers as is?
There was a problem hiding this comment.
Changed this to preserve non-X509ExtendedTrustManager objects and log their presence
|
|
||
| |Property|Description|Default|Required| | ||
| |--------|-----------|-------|--------| | ||
| |`druid.tls.certificateChecker`|Type name of custom TLS certificate checker, provided by extensions.|"default"|no| |
There was a problem hiding this comment.
Is this supposed to be the canonical class name of the custom checker? I think it would be better to clarify it.
There was a problem hiding this comment.
Added some clarification here
jon-wei
force-pushed
the
custom_tls_check
branch
from
0efb910
to
3f09821
Compare
* Allow custom TLS cert checks * PR comment * Checkstyle, PR comment
* Allow custom TLS cert checks * PR comment * Checkstyle, PR comment
This PR adds an extension point,
TLSCertificateChecker, for custom TLS certificate checking (both client and server side).The hook provided allows an extension to replace the default X509ExtendedTrustManager's
checkClientTrustedandcheckServerTrustedmethods (the default trust manager is provided as a parameter, so the standard checks can still be used by an extension if desired).This PR also adds an option to the simple-client-sslcontext extension to disable the standard hostname validation check.