
List:       flume-user
Subject:    Re: Adding SSL peer cert info to AvroSource
From:       Mike Percy <mpercy () apache ! org>
Date:       2014-01-31 3:21:55
Message-ID: CAJLbxRZvuh+eEF=3ronLqjfBETYLdo7hkXbhcTky1PuCFO+ygQ () mail ! gmail ! com

I am not an expert in the JSSE API, so without specifics regarding APIs you
are trying to use I don't think I can be of much help. From browsing around
a little bit, it looks like we can simply have the server specify the CA
certs that it respects and the client will attempt to use one of the certs
in its store that is signed by one of them. Maybe this StackOverflow thread
will help?
http://stackoverflow.com/questions/3712366/choosing-ssl-client-certificate-in-java

Also the JSSE reference guide:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
And of course, the Flume Avro Source (check the Netty pipeline factory
part):
https://github.com/apache/flume/blob/trunk/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java#L452


The logic you are describing regarding a fallback CA sounds somewhat
complicated. I'd bet you can make those requirements fit into how the JSSE
API was designed and have it require only one SSL handshake sequence by
having the server specify multiple acceptable CAs to the client.


On Thu, Jan 30, 2014 at 12:29 AM, Pritchard, Charles X. -ND <
Charles.X.Pritchard.-ND@disney.com> wrote:

> I need to put the CN on the cert into a variable; it's essentially an
> authenticated string the server knows to be valid (since it has been
> signed).
> I'd like to route messages to a directory based on the string or otherwise
> send them to a fallback directory on a failed cert.
> 
> 
> 
> ________________________________________
> From: Mike Percy [mpercy@apache.org]
> Sent: Wednesday, January 29, 2014 6:44 PM
> To: user@flume.apache.org
> Subject: Re: Adding SSL peer cert info to AvroSource
> 
> If it's using a signed cert then what do you need to put into the filter?
> You mean a list of allowed peers? If so then you could either try to
> piggyback on the IpFilter and make it accept hostnames, or yes add another
> filter config option such as hostFilter.
> 
> Mike
> 
> 
> On Wed, Jan 29, 2014 at 12:23 PM, Pritchard, Charles X. -ND <
> Charles.X.Pritchard.-ND@disney.com<mailto:
> Charles.X.Pritchard.-ND@disney.com>> wrote:
> I'm trying to add in the feature to expose the client's peer cert into
> AvroSource:
> 
> https://apache.googlesource.com/flume/+/trunk/flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
>  
> Per the bug request I filed in October:
> https://issues.apache.org/jira/browse/FLUME-2204
> 
> Any ideas on how I might expose the data — it's just a string for the CN
> from the peer cert.
> I'm having a difficult time figuring out how to expose this connection
> state information so that Flume's configuration magic can take hold from
> there.
> 
> It seems a little like I need to create yet-another-filter, kind of like
> IpFilter.
> 
> 
> Any pointers?
> 
> 
> The CN info may be used to route to a particular directory (in an HDFS
> sink) and/or set a header for the AvroEvent, or possibly just validate a
> header (header.CN == ssl peer CN   or FAIL).
> 
> -Charles
> 
> 

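Added example (not part of the thread and not Flume's own code): a JSSE-only sketch of the pieces Charles asks for above, the CN pulled from the authenticated peer's leaf certificate, the "header.CN == ssl peer CN or FAIL" check, and the want/need client-auth choice that decides whether a peer without an acceptable certificate ever reaches a fallback path at all. The class name, the header name ssl.peer.cn and the sample subject are assumptions; in the AvroSource the SSLSession would come from the SSLEngine behind the Netty SslHandler, which this example does not touch.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public final class PeerCn {

    /** Header name is an assumption for this example; Flume defines no such header. */
    static final String CN_HEADER = "ssl.peer.cn";

    /** Conservative whitelist so a CN can be used as one HDFS path component. */
    private static final Pattern SAFE_COMPONENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

    /**
     * Server-side engine setup. The trust store behind 'ctx' may hold several CAs;
     * JSSE advertises all of them in the CertificateRequest, so one handshake is
     * enough for a client to pick a matching cert. requireCert=true (needClientAuth)
     * fails the handshake for peers without an acceptable cert; requireCert=false
     * (wantClientAuth) lets them connect, and peerCn() then returns null, which is
     * the only way a "fallback directory" path is ever reached.
     */
    static SSLEngine serverEngine(SSLContext ctx, boolean requireCert) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (requireCert) {
            engine.setNeedClientAuth(true);
        } else {
            engine.setWantClientAuth(true);
        }
        return engine;
    }

    /**
     * CN of the authenticated peer's own certificate, or null when the peer sent no
     * certificate the server trust store accepted or the subject carries no CN.
     * chain[0] is the peer's leaf; JSSE has already validated the chain up to one of
     * the configured CAs before the session reports any peer certificates.
     */
    static String peerCn(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return null;
            }
            return cnOf(((X509Certificate) chain[0]).getSubjectX500Principal());
        } catch (SSLPeerUnverifiedException e) {
            return null;
        }
    }

    /** First CN RDN of an X.500 name, parsed with RFC 2253 rules; null if absent. */
    static String cnOf(X500Principal principal) {
        try {
            LdapName name = new LdapName(principal.getName(X500Principal.RFC2253));
            for (Rdn rdn : name.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable subject: treat as "no CN" rather than guessing.
        }
        return null;
    }

    /** header.CN == ssl peer CN or FAIL: exact match against the authenticated CN only. */
    static boolean headerMatchesPeer(Map<String, String> headers, String peerCn) {
        if (peerCn == null) {
            return false;
        }
        String claimed = headers.get(CN_HEADER);
        return claimed != null && claimed.equals(peerCn);
    }

    /** The CA signed the CN, but it is still untrusted input for a path: no '/', no "..". */
    static boolean isSafePathComponent(String cn) {
        return cn != null && SAFE_COMPONENT.matcher(cn).matches() && !cn.equals(".") && !cn.equals("..");
    }

    public static void main(String[] args) {
        // Constructed sample subject; no real certificate or handshake is involved.
        X500Principal subject = new X500Principal("CN=agent-42.example.org, OU=Flume, O=Example");
        String cn = cnOf(subject);
        Map<String, String> honest = Collections.singletonMap(CN_HEADER, "agent-42.example.org");
        Map<String, String> spoofed = Collections.singletonMap(CN_HEADER, "agent-1.example.org");
        System.out.println("peer CN:            " + cn);
        System.out.println("honest header ok:   " + headerMatchesPeer(honest, cn));
        System.out.println("spoofed header ok:  " + headerMatchesPeer(spoofed, cn));
        System.out.println("no client cert ok:  " + headerMatchesPeer(honest, null));
        System.out.println("safe as directory:  " + isSafePathComponent(cn));
        System.out.println("traversal blocked:  " + isSafePathComponent("../other"));
    }
}
```

The null return from peerCn() is the interesting branch: with wantClientAuth it is a legitimate anonymous peer headed for the fallback directory, with needClientAuth it should never happen after a completed handshake, so a source that sees it there should drop the event rather than route it.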
