Jacob Barrett created GEODE-9991:
------------------------------------
Summary: SSL protocol and cipher preferences are ignored when
endpoint verification is enabled.
Key: GEODE-9991
URL: https://issues.apache.org/jira/browse/GEODE-9991
Project: Geode
Issue Type: Bug
Components: core, security
Affects Versions: 1.14.3, 1.13.7, 1.15.0
Reporter: Jacob Barrett
When SSL endpoint verification is enabled, the configured protocols and
ciphers revert to the {{SSLContext}}'s client mode defaults. This can make
upgrading the JDK difficult, because a newer JDK may use different defaults for
client and server mode SSL.
Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation
with a back port from Java 11. This changed the default server protocols from
{{[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]}} to {{[TLSv1.3,TLSv1.2,SSLv2Hello]}}
and the client protocols to {{[TLSv1.3,TLSv1.2]}}. With this bug the server
protocols get reset to the client protocols, dropping support for the
{{SSLv2Hello}} protocol, which is the first priority protocol by default in
the old JDK.
The result is a failure to handshake with the following exception:
{{javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled}}
To reproduce you need to have endpoint validation enabled on your SSL
configuration. Set your protocols to `any`. Start 1st locator with JDK older
than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK 1.8.0_u272.
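The failure mode described above, as an added illustration that is not Geode's own code: a server-mode {{SSLEngine}} with explicitly configured protocols and cipher suites loses that configuration when endpoint identification is applied through a fresh copy of {{SSLContext.getDefaultSSLParameters()}} (the context's client-mode defaults) rather than through the engine's own current parameters. The protocol and cipher lists and the two helper method names are constructed for this example and are assumptions, not values from the issue.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointVerificationParams {

    // Lossy pattern (assumed, illustrating the bug): start from the context's
    // default parameters, which are the client-mode defaults, so whatever
    // protocols/ciphers were already set on the server engine are overwritten.
    static void enableEndpointVerificationLossy(SSLContext ctx, SSLEngine engine) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    // Preserving pattern: start from the engine's own current parameters so the
    // configured protocols and cipher suites survive enabling verification.
    static void enableEndpointVerificationPreserving(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    // Constructed sample configuration standing in for ssl-protocols/ssl-ciphers.
    static final String[] PROTOCOLS = {"TLSv1.2"};
    static final String[] CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"};

    static SSLEngine configuredServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(PROTOCOLS);
        engine.setEnabledCipherSuites(CIPHERS);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        SSLEngine lossy = configuredServerEngine(ctx);
        enableEndpointVerificationLossy(ctx, lossy);
        // Prints the JDK's client-mode default protocol list, e.g. TLSv1.3 added.
        System.out.println("lossy protocols:      " + Arrays.toString(lossy.getEnabledProtocols()));
        System.out.println("lossy cipher count:   " + lossy.getEnabledCipherSuites().length);

        SSLEngine kept = configuredServerEngine(ctx);
        enableEndpointVerificationPreserving(kept);
        // Prints exactly [TLSv1.2] and a cipher count of 1.
        System.out.println("preserved protocols:  " + Arrays.toString(kept.getEnabledProtocols()));
        System.out.println("preserved cipher count: " + kept.getEnabledCipherSuites().length);
    }
}
```

Run it under an old and a new JDK to see the lossy list change with the JDK's client-mode defaults while the preserving variant stays fixed.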