[ https://issues.apache.org/jira/browse/GEODE-9991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17528322#comment-17528322 ]
Jacob Barrett commented on GEODE-9991:
--------------------------------------

h1. Geode Upgrade Methods for 1.15.0

h1. Preface

Migration steps are only required if ssl-endpoint-identification-enabled=true. All other upgrades are allowed without migration steps.

Migration is required due to a bug introduced that causes Geode to ignore the configured ssl-protocols and fall back to the JVM defaults, which can result in the client side being configured with SSLv2Hello and the server denying it. With this mismatch in protocol configuration the member can fail to establish P2P connections to other members of the cluster. Two new properties are introduced in this version to configure the server and client side of the P2P connections separately, ssl-server-protocols and ssl-client-protocols respectively.

h1. Upgrading Geode

You can upgrade Geode to 1.15.0, with or without upgrading the JVM, under these conditions.

h2. From 1.14.0-1.14.4, 1.13.0-1.13.8, 1.12.1-1.12.9

If ssl-protocols is explicitly set but does not include SSLv2Hello, for example "TLSv1.2,TLSv1.1", then go to [Upgrade With New Properties|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.modyy795d4pz].

If ssl-protocols explicitly includes SSLv2Hello, for example "TLSv1.2,SSLv2Hello", then go to [Upgrade Without Migration|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.5b7id4y6hflk].

If ssl-protocols is unset or set to "any", then go to [Upgrade Without Migration|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.5b7id4y6hflk].

h2. From 1.12.0, 1.11.0, 1.10.0, 1.9.2, 1.8.0

No special considerations required, go to [Upgrade Without Migration|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.5b7id4y6hflk].

h2. From Other Versions

These are untested and should not be attempted in production.

h1. Upgrading JVM Only

If you are upgrading the JVM only, from a Java 1.8 version prior to TLS 1.3 support, you may also need to upgrade Geode. TLS 1.3 was backported to different versions of Java 1.8 by various vendors. The OpenJDK backport version is 1.8.0_271. The Oracle JDK backport version is 1.8.0_261. For other vendors please refer to their documentation.

h2. From 1.14.0-1.14.4, 1.13.0-1.13.8, 1.12.1-1.12.9

You cannot upgrade the JVM without upgrading Geode to 1.15.0. This can be done in a single restart. Go to [Upgrade With New Properties|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.modyy795d4pz].

h2. For 1.12.0, 1.11.0, 1.10.0, 1.9.2, 1.8.0

No special considerations required, go to [Upgrade Without Migration|https://docs.google.com/document/d/1YKDRYlZV8vfGyJCS2WlLhUAegUngxHV03HsIyhNLwvg/edit#heading=h.5b7id4y6hflk].

h1. Upgrade Without Migration

You have nothing to fear, go ahead and upgrade like normal.

h1. Upgrade With New Properties

Use the new ssl-client-protocols and ssl-server-protocols properties to configure the client and server side of the SSL connection independently. You will need to add SSLv2Hello to the ssl-server-protocols to account for the misconfiguration of the older members in the cluster.

# Shut down member.
# Install new Geode.
# Optionally install new Java JDK.
# Eliminate security property ssl-protocols from the server's configuration.
# Add security property ssl-client-protocols with the explicit value(s) previously defined in ssl-protocols. For example, if ssl-protocols=TLSv1.2 then ssl-client-protocols=TLSv1.2.
# Add security property ssl-server-protocols with the explicit value(s) previously defined in ssl-protocols plus "SSLv2Hello". For example, if ssl-protocols=TLSv1.2 then ssl-server-protocols=TLSv1.2,SSLv2Hello.
# Start member.
# Verify successful cluster join.
# Repeat from step 1 for the next member.

Optionally, after the migration is complete you may restore your original ssl-protocols property and restart all your members to eliminate the SSLv2Hello protocol support from the server side sockets.

> SSL protocol and cipher preferences are ignored when endpoint verification is
> enabled.
> --------------------------------------------------------------------------------------
>
>                 Key: GEODE-9991
>                 URL: https://issues.apache.org/jira/browse/GEODE-9991
>             Project: Geode
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 1.12.8, 1.12.9, 1.13.7, 1.13.8, 1.14.3, 1.14.4, 1.15.0
>            Reporter: Jacob Barrett
>            Assignee: Jacob Barrett
>            Priority: Major
>              Labels: blocks-1.15.0, pull-request-available, ssl
>             Fix For: 1.15.0
>
>
> When SSL endpoint verification is enabled the configuration for protocols and
> ciphers reverts to the {{SSLContext}}'s client mode defaults. This can result
> in difficulty upgrading the JDK when the newer JDK may use different defaults
> for client and server mode SSL.
>
> Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation
> with a back port from Java 11. This changed the default server protocols from
> {{[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]}} to {{[TLSv1.3,TLSv1.2,SSLv2Hello]}}
> and client to {{[TLSv1.3,TLSv1.2]}}. With this bug the server protocols
> get reset to the client protocols dropping support for the {{SSLv2Hello}}
> protocol, which is the first priority protocol by default in the old JDK.
>
> The result is a failure to handshake with the following exception:
> {{javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled}}
>
> To reproduce you need to have endpoint validation enabled on your SSL
> configuration. Set your protocols to `any`. Start 1st locator with JDK older
> than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK
> 1.8.0_u272.
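An added example (not from the Jira comment or the Geode project) that encodes the upgrade decision rules and steps 4-6 of the migration above as a small helper for a member's security properties file; the key=value file format, the function names and the sample properties are assumptions constructed for illustration.

```python
# Added example (not from the Jira comment or Geode): applies the upgrade rules
# above to a Geode security properties file. Assumes a Java-style key=value
# file and x.y.z version strings; the sample properties are constructed.
# Version ranges the comment lists as affected (inclusive) and the versions it
# says need no special consideration.
AFFECTED = [((1, 14, 0), (1, 14, 4)), ((1, 13, 0), (1, 13, 8)), ((1, 12, 1), (1, 12, 9))]
UNAFFECTED = {(1, 12, 0), (1, 11, 0), (1, 10, 0), (1, 9, 2), (1, 8, 0)}

SAMPLE_PROPERTIES = """\
# constructed sample of an affected member's security settings
ssl-enabled-components=all
ssl-endpoint-identification-enabled=true
ssl-protocols=TLSv1.2
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def protocol_list(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def upgrade_path(from_version, props):
    """Return 'untested', 'no-migration' or 'new-properties' per the rules above."""
    v = tuple(int(p) for p in from_version.split("."))
    if v in UNAFFECTED:
        return "no-migration"
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return "untested"
    # Preface: migration is only needed when endpoint identification is on.
    if props.get("ssl-endpoint-identification-enabled", "false").lower() != "true":
        return "no-migration"
    names = protocol_list(props.get("ssl-protocols", "any"))
    if not names or names == ["any"] or "SSLv2Hello" in names:
        return "no-migration"
    return "new-properties"

def migrate(props):
    """Steps 4-6: drop ssl-protocols, split into client/server lists, add SSLv2Hello."""
    new = dict(props)
    names = protocol_list(new.pop("ssl-protocols"))
    new["ssl-client-protocols"] = ",".join(names)
    new["ssl-server-protocols"] = ",".join(names + ["SSLv2Hello"])
    return new
```

Running the migrated members with ssl-server-protocols=TLSv1.2,SSLv2Hello is the temporary compatibility state described in the steps; the optional final restart with the original ssl-protocols removes SSLv2Hello again.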