Skip to content

GH-1232: don't drop TLS for endpoint locations in getStreams#1233

Open
Arawoof06 wants to merge 1 commit into
apache:mainfrom
Arawoof06:flight-jdbc-endpoint-tls-downgrade
Open

GH-1232: don't drop TLS for endpoint locations in getStreams#1233
Arawoof06 wants to merge 1 commit into
apache:mainfrom
Arawoof06:flight-jdbc-endpoint-tls-downgrade

Conversation

@Arawoof06

Copy link
Copy Markdown
Contributor

What's Changed

getStreams clones the connection builder for each advertised endpoint location, and that clone still carries username/password, token and the OAuth config, so whatever it connects to gets the credentials. Encryption for the clone came from the location scheme alone, meaning a grpc+tcp:// location advertised by the server turned TLS off even for a connection opened with useEncryption=true, and the handshake then went out in cleartext to the advertised host. Since the scheme is server-supplied and useEncryption is the user's stated intent, the scheme should not be able to override it downwards; a non-TLS location is now refused through the per-location exception path that is already there for unreachable locations, so the remaining locations are still tried.

Closes #1232.

@github-actions

Copy link
Copy Markdown

Thank you for opening a pull request!

Please label the PR with one or more of:

  • bug-fix
  • chore
  • dependencies
  • documentation
  • enhancement

Also, add the 'breaking-change' label if appropriate.

See CONTRIBUTING.md for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Java][FlightSQL][JDBC] Driver drops TLS for endpoint locations advertised by the server

1 participant