[ https://issues.apache.org/jira/browse/GEODE-8144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17110531#comment-17110531 ]
Bruce J Schuchardt commented on GEODE-8144:
-------------------------------------------
I've tested this with 1.7, 1.8, 1.9 and 1.10 as well as on develop and
apparently this has never worked in servers. There are unit tests for endpoint
identification but they don't exercise the code paths taken in the TLS
implementation when the server socket is on a different host than the client
socket.
We need to set the "sni servername" in the client's SSLParameters in order to
tell the SSLEngine's hostname verification algorithm the name of the server to
which we intend to connect.
Bill found this relevant page on an IBM website:
[ssl parameters|https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/sslparameters.html]
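The configuration the comment describes, as an added example that is not part of this comment or of Geode's own code: a client-side SSLEngine built without and with an SNI server name, so the difference in what the JSSE endpoint identification check can match is visible. The server DNS name "server1.example.internal" is an assumption; the IP address is the one from the stack trace in the issue.

```java
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example, not Geode code: a client-side SSLEngine with endpoint
// identification enabled, built two ways.
public final class SniClientEngine {

    // Before: the engine knows only the address it was created with. When that
    // is an IP literal, HostnameChecker can only match the certificate's IP
    // SANs, which is the CertificateException shown in the issue.
    static SSLEngine withoutServerName(SSLContext ctx, String peerAddress, int port) {
        SSLEngine engine = ctx.createSSLEngine(peerAddress, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // After: the intended server name travels in the SNI extension, and the JSSE
    // trust manager checks the certificate's DNS SANs against it instead.
    // SNI must carry a DNS name (RFC 6066 forbids IP literals), so the name has
    // to come from configuration or a reverse lookup, not the socket address.
    static SSLEngine withServerName(SSLContext ctx, String serverName,
                                    String peerAddress, int port) {
        SSLEngine engine = ctx.createSSLEngine(peerAddress, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setServerNames(
            Collections.<SNIServerName>singletonList(new SNIHostName(serverName)));
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "server1.example.internal" is an assumed DNS name for the host at the
        // address from the issue; 40404 is Geode's default cache-server port.
        SSLEngine before = withoutServerName(ctx, "10.118.26.62", 40404);
        SSLEngine after = withServerName(ctx, "server1.example.internal", "10.118.26.62", 40404);
        System.out.println("before: " + before.getSSLParameters().getServerNames());
        System.out.println("after:  " + after.getSSLParameters().getServerNames());
    }
}
```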
> endpoint identification in servers is not working
> -------------------------------------------------
>
> Key: GEODE-8144
> URL: https://issues.apache.org/jira/browse/GEODE-8144
> Project: Geode
> Issue Type: Bug
> Components: membership, messaging
> Reporter: Bruce J Schuchardt
> Priority: Major
>
> If you enable endpoint identification in a server the server will not start.
> It will log exceptions like this:
>
> {noformat}
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1566)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545)
> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1217)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1185)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:471)
> at org.apache.geode.internal.net.NioSslEngine.handshake(NioSslEngine.java:158)
> at org.apache.geode.internal.net.SocketCreator.handshakeSSLSocketChannel(SocketCreator.java:597)
> at org.apache.geode.internal.tcp.Connection.createIoFilter(Connection.java:1731)
> at org.apache.geode.internal.tcp.Connection.<init>(Connection.java:1167)
> at org.apache.geode.internal.tcp.Connection.createSender(Connection.java:1004)
> at org.apache.geode.internal.tcp.ConnectionTable.handleNewPendingConnection(ConnectionTable.java:288)
> at org.apache.geode.internal.tcp.ConnectionTable.getSharedConnection(ConnectionTable.java:392)
> at org.apache.geode.internal.tcp.ConnectionTable.get(ConnectionTable.java:571)
> at org.apache.geode.internal.tcp.TCPConduit.getConnection(TCPConduit.java:800)
> at org.apache.geode.distributed.internal.direct.DirectChannel.getConnections(DirectChannel.java:451)
> at org.apache.geode.distributed.internal.direct.DirectChannel.sendToMany(DirectChannel.java:268)
> at org.apache.geode.distributed.internal.direct.DirectChannel.sendToOne(DirectChannel.java:182)
> at org.apache.geode.distributed.internal.direct.DirectChannel.send(DirectChannel.java:510)
> at org.apache.geode.distributed.internal.DistributionImpl.directChannelSend(DistributionImpl.java:346)
> at org.apache.geode.distributed.internal.DistributionImpl.send(DistributionImpl.java:291)
> at org.apache.geode.distributed.internal.ClusterDistributionManager.sendViaMembershipManager(ClusterDistributionManager.java:2058)
> at org.apache.geode.distributed.internal.ClusterDistributionManager.sendOutgoing(ClusterDistributionManager.java:1986)
> at org.apache.geode.distributed.internal.StartupOperation.sendStartupMessage(StartupOperation.java:74)
> at org.apache.geode.distributed.internal.ClusterDistributionManager.sendStartupMessage(ClusterDistributionManager.java:1623)
> at org.apache.geode.distributed.internal.ClusterDistributionManager.create(ClusterDistributionManager.java:361)
> at org.apache.geode.distributed.internal.InternalDistributedSystem.initialize(InternalDistributedSystem.java:779)
> at org.apache.geode.distributed.internal.InternalDistributedSystem.access$200(InternalDistributedSystem.java:135)
> at org.apache.geode.distributed.internal.InternalDistributedSystem$Builder.build(InternalDistributedSystem.java:3033)
> at org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:290)
> at org.apache.geode.distributed.internal.InternalDistributedSystem.connectInternal(InternalDistributedSystem.java:216)
> at org.apache.geode.distributed.DistributedSystem.connect(DistributedSystem.java:159)
> at src.EntryConsumer.initialize(EntryConsumer.java:69)
> at src.EntryConsumer.main(EntryConsumer.java:340)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1729)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504)
> at org.apache.geode.internal.net.NioSslEngine.handleBlockingTasks(NioSslEngine.java:225)
> at org.apache.geode.internal.net.NioSslEngine.handshake(NioSslEngine.java:185)
> ... 27 more
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.118.26.62 found
> at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
> at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:442)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1675)
> ... 35 more
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)