Uploaded image for project: 'Geode'
  1. Geode
  2. GEODE-10015

gfsh does not send hostname in SNI header

    XMLWordPrintableJSON

Details

    Description

      When gfsh tries to connect the JMX port on the locator it sends the IP address of the locator in the SNI header rather than the hostname. This results in a certificate validation failure when the IP is not found in the SAN entries. 

      Version 1.14.3 sends the correct hostname in the SNI. Something changed between 1.14.3 and now.

       

      Reproduction:

      gfsh -e version --full -e start locator --name=locator2 --bind-address=myhost.example.com --port=20005 --J=-Dgemfire.jmx-manager-port=20007 --security-properties-file=/path/to/security.properties --http-service-port=0 --locators=myhost.example.com[20004]

(1) Executing -  version --full
...
Product-Version: 1.16.0-build.0
...
(2) Executing -  start locator --name=locator2 --bind-address=myhost.example.com --port=20005 --J=-Dgemfire.jmx-manager-port=20007 --security-properties-file=******** --http-service-port=0 --locators=myhost.example.com[20004]
...
[fatal 2022/02/02 19:47:27.050 PST  <main> tid=0x1] Problem forming SSL connection to /192.168.68.56[20007].
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.68.56 found
...
Locator in /path/to/locator2 on myhost.example.com[20005] as locator2 is currently online.
...
Unable to auto-connect (Security Manager may be enabled). Please use "connect --locator=myhost.example.com[20005]" to connect Gfsh to the locator.
SSL configuration required to connect to the Manager.
Failed to connect; unknown cause: error during JRMP connection establishment; nested exception is: 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      Where /path/to/security.properties contains:

      ssl-require-authentication=true
ssl-keystore=/path/to/keystore.jks
ssl-truststore-type=jks
ssl-keystore-password=password
ssl-truststore=/path/to/truststore.jks
ssl-enabled-components=all
ssl-truststore-password=password
ssl-protocols=any
ssl-endpoint-identification-enabled=true
ssl-keystore-type=jks

      The certificate used in the key store is singed by a fake CA and contains only the hostname, myhost.example.com. The trust store contains the fake CA.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. GEODE-9991 SSL protocol and cipher preferences are ignored when endpoint verification is enabled.

          • Major - Major loss of function.
          • Closed
          is caused by

          Bug - A problem which impairs or prevents the functions of the product. GEODE-9139 SSLException in starting up a Locator

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #7337

          Web Link GitHub Pull Request #7350

          Activity

            People

              jbarrett Jacob Barrett
              jbarrett Jacob Barrett
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: