ZOOKEEPER-3905: Race condition causes sessions to be created for clients even though their certificate authentication has failed (3.6) #1427
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nts even though their certificate authentication has failed Netty channel doesn't get closed if authentication fails after a successful SSL handshake. We need a custom authentication provider in order to trigger this, because the default implementation does the same check as for the SSL handshake. Hence it never fails. Unit test added to make sure client is not able to connect. Target branches: master, 3.6, 3.5 (will create separate PR for 3.5) Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1422 from anmolnar/ZOOKEEPER-3905
anmolnar
force-pushed
the
ZOOKEEPER-3905_36
branch
from
4fbbb56
to
43ec688
Compare
|
@eolivelli @symat PTAL. |
symat
approved these changes
Aug 10, 2020
eolivelli
approved these changes
Aug 10, 2020
|
Wrong importorder: |
nkalmar
reviewed
Aug 11, 2020
| @@ -22,7 +22,9 @@ | |||
|
|
|||
| package org.apache.zookeeper.test; | |||
|
|
|||
| import java.io.IOException; | |||
| import static org.junit.Assert.assertTrue; | |||
There was a problem hiding this comment.
checkstyle don't like the order for this... yikes.
I guess Assert.fail should be before? Not sure why.
There was a problem hiding this comment.
oh, nevermind, static imports should be first, that's the problem.
|
Thanks @nkalmar . Just fixed it. |
|
@eolivelli all good now. |
|
@eolivelli @symat @nkalmar Please merge. |
|
I'm merging it |
asfgit
pushed a commit
that referenced
this pull request
Aug 12, 2020
…nts even though their certificate authentication has failed (3.6) Backport to branch-3.6 Netty channel doesn't get closed if authentication fails after a successful SSL handshake. We need a custom authentication provider in order to trigger this, because the default implementation does the same check as for the SSL handshake. Hence it never fails. Unit test added to make sure client is not able to connect. Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org>, Norbert Kalmar <nkalmar@apache.org> Closes #1427 from anmolnar/ZOOKEEPER-3905_36
asfgit
pushed a commit
that referenced
this pull request
Aug 12, 2020
…nts even though their certificate authentication has failed (3.5) Backport to branch-3.5 Netty channel doesn't get closed if authentication fails after a successful SSL handshake. We need a custom authentication provider in order to trigger this, because the default implementation does the same check as for the SSL handshake. Hence it never fails. Unit test added to make sure client is not able to connect. Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org>, Norbert Kalmar <nkalmar@apache.org> Closes #1427 from anmolnar/ZOOKEEPER-3905_36 (cherry picked from commit 8bcaf7b) Signed-off-by: Mate Szalay-Beko <symat@apache.org>
|
Thanks @anmolnar! |
|
Great, thanks @symat ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport to branch-3.6
Netty channel doesn't get closed if authentication fails after a successful SSL handshake. We need a custom authentication provider in order to trigger this, because the default implementation does the same check as for the SSL handshake. Hence it never fails.
Unit test added to make sure client is not able to connect.