Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-27673 Fix mTLS client hostname verification (#5066) 

Signed-off-by: Peter Somogyi <psomogyi@apache.org>
Signed-off-by: Bryan Beaudreault <bbeaudreault@apache.org>
This commit is contained in:
Balazs Meszaros 2023-03-01 12:20:06 +01:00 committed by GitHub
parent 7fef94a6cd
commit 9a23d4a3b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
View File

@ -19,10 +19,12 @@ package org.apache.hadoop.hbase.ipc;
import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;
@ -63,6 +65,7 @@ import org.apache.hbase.thirdparty.io.netty.channel.group.DefaultChannelGroup;
import org.apache.hbase.thirdparty.io.netty.handler.codec.FixedLengthFrameDecoder;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
/**
@ -267,7 +270,31 @@ public class NettyRpcServer extends RpcServer {
p.addLast("ssl", new OptionalSslHandler(nettySslContext));
LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
} else {
p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
SocketAddress remoteAddress = p.channel().remoteAddress();
SslHandler sslHandler;
if (remoteAddress instanceof InetSocketAddress) {
InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
String host;
if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
host = remoteInetAddress.getHostName();
} else {
host = remoteInetAddress.getHostString();
}
int port = remoteInetAddress.getPort();
/*
* our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
* engine properly by passing the remote address
*/
sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
} else {
sslHandler = nettySslContext.newHandler(p.channel().alloc());
}
p.addLast("ssl", sslHandler);
LOG.debug("SSL handler added for channel: {}", p.channel());
}
}