[fix][client] Fixed an issue where a cert chain could not be used in TLS authentication #23644
@equanz Do we need tests for validating the behavior?
adc5eab to 3492aab
@lhotari I have added a simple unit test to check if KeyManagerProxy can load a cert chain.
3492aab to 8a8a373
pulsar-common/src/test/java/org/apache/pulsar/common/util/KeyManagerProxyTest.java
8a8a373 to 7591041
LGTM
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #23644 +/- ##
============================================
+ Coverage 73.57% 74.34% +0.77%
- Complexity 32624 35003 +2379
============================================
Files 1877 1944 +67
Lines 139502 147201 +7699
Branches 15299 16240 +941
============================================
+ Hits 102638 109439 +6801
- Misses 28908 29307 +399
- Partials 7956 8455 +499
…TLS authentication (apache#23644) (cherry picked from commit e236d61) (cherry picked from commit e0e1956)
Motivation
From v2.8.0 (#8831), SecurityUtility#createAutoRefreshSslContextForClient was introduced. This method loads a single certificate rather than a certificate chain from the cert file.
Therefore, the PulsarAdmin does not send the cert chain in TLS authentication.
(From v4.0.0 (#23110), this issue was fixed because the PulsarAdmin does not use this method by default.)
Modifications
Verifying this change
This change added tests and can be verified as follows:
Documentation
doc
doc-required
doc-not-needed
doc-complete
Matching PR in forked repository
PR in forked repository: equanz#11
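
The difference between loading one certificate and loading a chain from the same file, shown with the JDK's `CertificateFactory` as a check an operator can run against a client cert file. This is an added example, not code from this pull request or from Pulsar; the class name `CertChainLoadCheck` and the command-line path argument are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added illustration (hypothetical class, not Pulsar code).
public class CertChainLoadCheck {

    // Single-certificate load: generateCertificate() parses one certificate,
    // so any intermediates that follow it in the file are never seen.
    static X509Certificate loadFirstOnly(String pemPath) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Chain load: generateCertificates() parses every certificate in the file, in file order.
    static List<X509Certificate> loadChain(String pemPath) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // A usable client chain is leaf first, each certificate issued by the one after it.
    static boolean isOrdered(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            if (!chain.get(i).getIssuerX500Principal().equals(chain.get(i + 1).getSubjectX500Principal())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String pemPath = args[0]; // assumption: path to the client cert file, supplied by the operator
        List<X509Certificate> chain = loadChain(pemPath);
        System.out.println("single-cert load sees: " + loadFirstOnly(pemPath).getSubjectX500Principal());
        System.out.println("chain load sees " + chain.size() + " certificate(s), ordered=" + isOrdered(chain));
    }
}
```

If the chain load reports more than one certificate, a client that only performs the single-certificate load presents the leaf without its intermediates, and a broker that trusts only the root cannot build a path to it.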