[ https://issues.apache.org/jira/browse/GEODE-9991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501472#comment-17501472 ]

ASF subversion and git services commented on GEODE-9991:
--------------------------------------------------------

Commit 3b8f4401bf117f811f455b8723803edfe61b71fe in geode's branch 
refs/heads/develop from Jacob Barrett
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=3b8f440 ]

GEODE-9991: Configure SSLParameters directly. (#7315)

Rather than set some options on the `SSLEngine`, which indirectly configures 
`SSLParameters`, we now set the `SSLParameters` directly prior to assigning the 
`SSLParameters` to the `SSLEngine`. We do this to avoid the issue of some 
options getting reset when the `SSLParameters` is set on the `SSLEngine`.

As a result of the issue being corrected and the incompatibility it will have 
with upgrades, new properties were introduced to control the client and server 
side of SSL configuration separately. This is necessary so that the server side 
can support negotiating older protocols, specifically `SSLv2Hello`, while the 
client only enables newer protocols to facilitate the upgrade. Upgrades are 
tested between Java 1.8 versions before and after the back port of Java 11's 
TLSv1.3 support on releases as far back as Geode 1.8.0.

* Adds ssl-client-protocols to configure client side of socket.
* Adds ssl-server-protocols to configure server side of socket.
* Adds new unit and integration tests for configuring these new properties.
* Adds framework for rolling JVM version upgrades.
* Adds upgrade test for both JVM and product upgrade scenarios.
* Converts some tests to JUnit 5.


> SSL protocol and cipher preferences are ignored when endpoint verification is 
> enabled.
> --------------------------------------------------------------------------------------
>
>                 Key: GEODE-9991
>                 URL: https://issues.apache.org/jira/browse/GEODE-9991
>             Project: Geode
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 1.12.8, 1.12.9, 1.13.7, 1.13.8, 1.14.3, 1.14.4, 1.15.0, 
> 1.16.0
>            Reporter: Jacob Barrett
>            Assignee: Jacob Barrett
>            Priority: Major
>              Labels: blocks-1.15.0, pull-request-available
>
> When SSL endpoint verification is enabled the configuration for protocols and 
> ciphers reverts to the {{SSLContext}}'s client mode defaults. This can result 
> in difficulty upgrading the JDK when the newer JDK may use different defaults 
> for client and server mode SSL. 
> Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation 
> with a back port from Java 11. This changed the default server protocols from 
> {{[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]}} to {{[TLSv1.3,TLSv1.2,SSLv2Hello]}} 
> and client to {{[TLSv1.3,TLSv1.2]}}. With this bug the server protocols 
> get reset to the client protocols dropping support for the {{SSLv2Hello}} 
> protocol, which is the first priority protocol by default in the old JDK.
> The result is a failure to handshake with the following exception:
> {{javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled}}
> To reproduce you need to have endpoint validation enabled on your SSL 
> configuration. Set your protocols to `any`. Start 1st locator with JDK older 
> than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK 
> 1.8.0_u272. 
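The ordering problem the commit describes, shown in a small stand-alone program rather than Geode's own code: protocols set on the `SSLEngine` are overwritten when a separately built `SSLParameters` (here carrying only the endpoint identification setting) is applied afterwards, while configuring one `SSLParameters` object and assigning it once keeps both. The host name, port and wanted protocol list are constructed for the example; the buggy method illustrates the mechanism from the report, not Geode's exact former code.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SslParametersOrdering {

  // Constructed operator setting: protocols the endpoint should negotiate.
  static final String[] WANTED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

  // Keep only protocols this JVM supports so the demo runs on any JDK release.
  static String[] supported(SSLContext ctx, String[] wanted) {
    List<String> sup = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    return Stream.of(wanted).filter(sup::contains).toArray(String[]::new);
  }

  // Buggy pattern: protocols go on the engine first, then endpoint verification
  // is applied through a fresh SSLParameters that carries the context defaults.
  static SSLEngine buggy(SSLContext ctx, String[] protocols, boolean endpointVerification) {
    SSLEngine engine = ctx.createSSLEngine("host.example", 443); // constructed peer
    engine.setUseClientMode(false);
    engine.setEnabledProtocols(protocols);               // configured here ...
    if (endpointVerification) {
      SSLParameters p = ctx.getDefaultSSLParameters();   // ... but p has the context's
      p.setEndpointIdentificationAlgorithm("HTTPS");     //     client-mode protocol list
      engine.setSSLParameters(p);                        // so this replaces the line above
    }
    return engine;
  }

  // Corrected pattern: fill one SSLParameters object, then assign it to the engine once.
  static SSLEngine fixed(SSLContext ctx, String[] protocols, boolean endpointVerification) {
    SSLEngine engine = ctx.createSSLEngine("host.example", 443);
    engine.setUseClientMode(false);
    SSLParameters p = engine.getSSLParameters();
    p.setProtocols(protocols);
    if (endpointVerification) {
      p.setEndpointIdentificationAlgorithm("HTTPS");
    }
    engine.setSSLParameters(p);                          // protocols and verification land together
    return engine;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getDefault();
    String[] protocols = supported(ctx, WANTED_PROTOCOLS);
    System.out.println("buggy: " + Arrays.toString(buggy(ctx, protocols, true).getEnabledProtocols()));
    System.out.println("fixed: " + Arrays.toString(fixed(ctx, protocols, true).getEnabledProtocols()));
  }
}
```

On a JDK whose context defaults differ from the wanted list, the "buggy" line prints the context's default protocols while the "fixed" line prints the configured ones; the same check applies to cipher suites via `SSLParameters.setCipherSuites`.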



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
