[
https://issues.apache.org/jira/browse/IMPALA-14452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18028589#comment-18028589
]
Csaba Ringhofer commented on IMPALA-14452:
------------------------------------------
Based on https://docs.python.org/3/library/ssl.html ssl.match_hostname is no
longer needed:
https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.do_handshake
>Changed in version 3.4: The handshake method also performs match_hostname()
>when the check_hostname attribute of the socket’s context is true.
>Changed in version 3.7: Hostname or IP address is matched by OpenSSL during
>handshake. The function match_hostname() is no longer used. In case OpenSSL
>refuses a hostname or IP address, the handshake is aborted early and a TLS
>alert message is sent to the peer.
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
>The PROTOCOL_TLS_CLIENT protocol enables hostname checking by default. With
>other protocols, hostname checking must be enabled explicitly.
My understanding is that the correct solution is to always create SSLContext
with PROTOCOL_TLS_CLIENT which will automatically do host name matching.
One potential side effect is that this may turn on cert verification, which
is not done by default in impala-shell.
Thrift seems to do this from 0.22:
https://github.com/apache/thrift/commit/7ec41775f2f244741c7c1ef1236a96d71648c498
It replaces _match_hostname to always return true, but also sets
PROTOCOL_TLS_CLIENT as the protocol. Note that I am not convinced that the
patch works well with old Python + very old openssl where _has_ssl_context is
false - if this case is no longer supported, then I don't understand why they
didn't also remove _match_hostname from
https://github.com/apache/thrift/blob/master/lib/py/src/transport/sslcompat.py
If the Thrift solution is correct, then for impala IMO the ideal solution would
be to bump to Thrift 0.22.0 at least for Python. Then TSSLSocketWithWildcardSAN
could be removed.
> Impala shell with hs2-http + certificate does not work on Python 3.12
> ---------------------------------------------------------------------
>
> Key: IMPALA-14452
> URL: https://issues.apache.org/jira/browse/IMPALA-14452
> Project: IMPALA
> Issue Type: Bug
> Components: Clients
> Reporter: Csaba Ringhofer
> Assignee: Michael Smith
> Priority: Major
>
> {code}
> impala-shell --ssl --protocol=hs2-http
> --ca_cert=be/src/testutil/wildcardCA.pem
> Starting Impala Shell with no authentication using Python 3.12.9
> 2025-09-18 18:31:02 [Exception] Error connectingTypeError
> HTTPSConnection.__init__() got an unexpected keyword argument 'key_file'
> {code}
> The same issue came up in Thrift and in impyla:
> THRIFT-5847
> https://github.com/cloudera/impyla/issues/529
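The context construction Csaba describes above, shown as an added example (not code from Impala, Thrift or impyla): a client context built from PROTOCOL_TLS_CLIENT already has check_hostname and CERT_REQUIRED enabled, so hostname matching happens inside do_handshake() and no separate match_hostname() call is needed. The example also shows the side effect he mentions (verification is now on by default) and the one edge case a caller hits when reproducing impala-shell's "no --ca_cert, no verification" mode: check_hostname must be cleared before verify_mode can be set to CERT_NONE. Function names (make_client_context, describe, legacy_context, wrong_order_raises) are hypothetical helpers for this illustration.

```python
import ssl
import warnings


def make_client_context(ca_cert=None, verify=True):
    """Build a TLS client context the way the comment proposes.

    PROTOCOL_TLS_CLIENT turns on check_hostname and verify_mode=CERT_REQUIRED
    by default, so OpenSSL matches the hostname (or IP, wildcards included)
    during the handshake itself; Python >= 3.7 no longer calls
    match_hostname() for this.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify:
        if ca_cert is not None:
            # e.g. the --ca_cert file impala-shell is started with
            ctx.load_verify_locations(cafile=ca_cert)
        else:
            ctx.load_default_certs()
    else:
        # Hypothetical opt-out mirroring impala-shell's default of not
        # verifying the server cert. Order matters here: with
        # check_hostname still True, assigning CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Return the two settings that decide whether the handshake verifies."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def legacy_context():
    """Generic PROTOCOL_TLS context: neither hostname checking nor cert
    verification is enabled, which is why a manual match_hostname() used to
    be needed. PROTOCOL_TLS is deprecated since Python 3.10, hence the
    suppressed warning."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def wrong_order_raises():
    """Demonstrates the edge case: disabling verification on a
    PROTOCOL_TLS_CLIENT context without first clearing check_hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("PROTOCOL_TLS_CLIENT:", describe(make_client_context()))
    print("opt-out:            ", describe(make_client_context(verify=False)))
    print("PROTOCOL_TLS:       ", describe(legacy_context()))
    print("CERT_NONE before clearing check_hostname raises:", wrong_order_raises())
```

Running it shows the difference that matters for the migration: the PROTOCOL_TLS_CLIENT context reports check_hostname True and CERT_REQUIRED, the generic PROTOCOL_TLS context reports False and CERT_NONE. Whatever replaces TSSLSocketWithWildcardSAN has to decide explicitly which of the two behaviours impala-shell should keep when no CA cert is supplied.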
--
This message was sent by Atlassian Jira
(v8.20.10#820010)