ZOOKEEPER-3832 ZKHostnameVerifier rejects valid certificates with subjectAltNames #1353
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
symat
approved these changes
May 19, 2020
| if (o instanceof String) { | ||
| result.add(new SubjectName((String) o, type)); | ||
| } else if (o instanceof byte[]) { | ||
| // TODO ASN.1 DER encoded form |
There was a problem hiding this comment.
I am not sure what ASN.1 DER is or how commonly it is used, but I think at least printing out a warning here would make sense (informing the user that ASN.1 DER is not supported). (?)
There was a problem hiding this comment.
I believe it can be done with BouncyCastle ASN1 libraries, but this part was missing in the original patch too. I'd be happy to add it as a separate ticket, but first I need an example certificate with ASN1 encoded data.
There was a problem hiding this comment.
I agree with Mate here, probably adding a warning until this TODO is not implemented would be nice.
There was a problem hiding this comment.
This is a static method. How can I log here?
There was a problem hiding this comment.
Didn't see it's a static method. But I believe you can log by making the logger also static. Not sure it is worth it though, it's not a stopper from my side if we leave the TODO, just a nice-to-have.
zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKHostnameVerifierTest.java
Show resolved
Hide resolved
eolivelli
requested changes
May 19, 2020
zookeeper-server/src/test/java/org/apache/zookeeper/common/CertificatesToPlayWith.java
Show resolved
Hide resolved
|
retest maven build |
2 similar comments
|
retest maven build |
|
retest maven build |
|
@eolivelli @nkalmar @symat Maven build is green now. Would you like me to add some logging before submitting? |
|
I think you can push it as it is. Nice change! |
symat
approved these changes
May 21, 2020
|
Merging it now |
eolivelli
pushed a commit
that referenced
this pull request
May 21, 2020
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes #1353 from anmolnar/ZOOKEEPER-3832 (cherry picked from commit 5820d10) Signed-off-by: Enrico Olivelli <eolivelli@apache.org>
|
Thanks @eolivelli |
|
I have written in JIRA. |
|
I'll create separate PR. |
anmolnar
added a commit
to anmolnar/zookeeper
that referenced
this pull request
May 21, 2020
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
|
NVM, it's already committed :) |
stickyhipp
pushed a commit
to stickyhipp/zookeeper
that referenced
this pull request
Aug 19, 2020
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Sep 3, 2022
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832
anmolnar
added a commit
to anmolnar/zookeeper
that referenced
this pull request
May 21, 2024
…bjectAltNames This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP. I've come across the following ticket in http client project which seems to be related: https://issues.apache.org/jira/browse/HTTPCLIENT-1906 This is the backport of the fix. Original patch: apache/httpcomponents-client@56cc245 Target versions: 3.5, 3.6, 3.7 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1353 from anmolnar/ZOOKEEPER-3832 Change-Id: I5d3c0d66010942a252cb9f5cd08fa50eadd5925f
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP.
I've come across the following ticket in http client project which seems to be related:
https://issues.apache.org/jira/browse/HTTPCLIENT-1906
This is the backport of the fix.
Original patch: apache/httpcomponents-client@56cc245
Target versions: 3.5, 3.6, 3.7