Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
Flume >> mail # user >> Adding SSL peer cert info to AvroSource


Copy link to this message
-
Re: Adding SSL peer cert info to AvroSource
I am not an expert in the JSSE API, so without specifics regarding APIs you
are trying to use I don't think I can be of much help. From browsing around
a little bit, it looks like we can simply have the server specify the CA
certs that it respects and the client will attempt to use one of the certs
in its store that is signed by one of them. Maybe this StackOverflow thread
will help?
http://stackoverflow.com/questions/3712366/choosing-ssl-client-certificate-in-java

Also the JSSE reference guide:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
And of course, the Flume Avro Source (check the Netty pipeline factory
part):
https://github.com/apache/flume/blob/trunk/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java#L452

The logic you are describing regarding a fallback CA sounds somewhat
complicated. I'd bet you can make those requirements fit into how the JSSE
API was designed and have it require only one SSL handshake sequence by
having the server specify multiple acceptable CAs to the client.
On Thu, Jan 30, 2014 at 12:29 AM, Pritchard, Charles X. -ND <
[EMAIL PROTECTED]> wrote:

> I need to put the CN on the cert into a variable; it's essentially an
> authenticated string the server knows to be valid (since it has been
> signed).
> I'd like to route messages to a directory based on the string or otherwise
> send them to a fallback directory on a failed cert.
>
>
>
> ________________________________________
> From: Mike Percy [[EMAIL PROTECTED]]
> Sent: Wednesday, January 29, 2014 6:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Adding SSL peer cert info to AvroSource
>
> If it's using a signed cert then what do you need to put into the filter?
> You mean a list of allowed peers? If so then you could either try to
> piggyback on the IpFilter and make it accept hostnames, or yes add another
> filter config option such as hostFilter.
>
> Mike
>
>
> On Wed, Jan 29, 2014 at 12:23 PM, Pritchard, Charles X. -ND <
> [EMAIL PROTECTED]<mailto:
> [EMAIL PROTECTED]>> wrote:
> I’m trying to add in the feature to expose the client’s peer cert into
> AvroSource:
>
> https://apache.googlesource.com/flume/+/trunk/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
>
> Per the bug request I filed in October:
> https://issues.apache.org/jira/browse/FLUME-2204
>
> Any ideas on how I might expose the data — it’s just a string for the CN
> from the peer cert.
> I’m having a difficult time figuring out how to expose this connection
> state information so that Flume’s configuration magic can take hold from
> there.
>
> It seems a little like I need to create yet-another-filter, kind of like
> IpFilter.
>
>
> Any pointers?
>
>
> The CN info may be used to route to a particular directory (in an HDFS
> sink) and/or set a header for the AvroEvent, or possibly just validate a
> header (header.CN == ssl peer CN   or FAIL).
>
> -Charles
>
>