Geode
GEODE-10015

gfsh does not send hostname in SNI header


Details

    Description

      When gfsh tries to connect to the JMX port on the locator it sends the IP address of the locator in the SNI header rather than the hostname. This results in a certificate validation failure when the IP is not found in the SAN entries.

      Version 1.14.3 sends the correct hostname in the SNI. Something changed between 1.14.3 and now.


      Reproduction:

      gfsh -e version --full -e start locator --name=locator2 --bind-address=myhost.example.com --port=20005 --J=-Dgemfire.jmx-manager-port=20007 --security-properties-file=/path/to/security.properties --http-service-port=0 --locators=myhost.example.com[20004]
      
      (1) Executing -  version --full
      ...
      Product-Version: 1.16.0-build.0
      ...
      (2) Executing -  start locator --name=locator2 --bind-address=myhost.example.com --port=20005 --J=-Dgemfire.jmx-manager-port=20007 --security-properties-file=******** --http-service-port=0 --locators=myhost.example.com[20004]
      ...
      [fatal 2022/02/02 19:47:27.050 PST  <main> tid=0x1] Problem forming SSL connection to /192.168.68.56[20007].
      javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.68.56 found
      ...
      Locator in /path/to/locator2 on myhost.example.com[20005] as locator2 is currently online.
      ...
      Unable to auto-connect (Security Manager may be enabled). Please use "connect --locator=myhost.example.com[20005]" to connect Gfsh to the locator.
      SSL configuration required to connect to the Manager.
      Failed to connect; unknown cause: error during JRMP connection establishment; nested exception is: 
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      Where /path/to/security.properties contains:

      ssl-require-authentication=true
      ssl-keystore=/path/to/keystore.jks
      ssl-truststore-type=jks
      ssl-keystore-password=password
      ssl-truststore=/path/to/truststore.jks
      ssl-enabled-components=all
      ssl-truststore-password=password
      ssl-protocols=any
      ssl-endpoint-identification-enabled=true
      ssl-keystore-type=jks
      

      The certificate used in the key store is signed by a fake CA and contains only the hostname, myhost.example.com. The trust store contains the fake CA.
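      The failure above is a JSSE client-side property: the name JSSE puts in the SNI extension and checks the certificate against is the host name String the socket was created with, and when only an IP address is available it falls back to that address, so only IP SANs can match. As an added illustration (not gfsh's or Geode's code), the following standalone Java 11+ client pins both SNI and endpoint identification to the configured hostname; the class name, truststore path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper, not part of Geode: opens a TLS connection to a manager
// endpoint using the configured host name for SNI and for endpoint identification.
public final class SniHostnameClient {
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The String host name is what JSSE records as the peer host. Had the socket been
    // created from an InetAddress carrying no host name (an IP literal or raw bytes),
    // JSSE can fall back to the IP string: no SNI is sent and the certificate is checked
    // against IP SANs, giving the "No subject alternative names matching IP address" error.
    static SSLSocket connect(SSLContext ctx, String hostname, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket ssl = (SSLSocket) factory.createSocket(hostname, port);
        SSLParameters params = ssl.getSSLParameters();
        params.setServerNames(List.of(new SNIHostName(hostname))); // explicit SNI value
        params.setEndpointIdentificationAlgorithm("HTTPS");         // verify DNS SANs against hostname
        ssl.setSSLParameters(params);
        ssl.startHandshake(); // throws SSLHandshakeException on a SAN mismatch
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SniHostnameClient myhost.example.com 20007 /path/to/truststore.jks password
        SSLContext ctx = contextFor(args[2], args[3].toCharArray());
        try (SSLSocket ssl = connect(ctx, args[0], Integer.parseInt(args[1]))) {
            System.out.println("Handshake OK with " + ssl.getSession().getPeerHost()
                    + " using " + ssl.getSession().getProtocol());
        }
    }
}
```

      Run against the locator's JMX manager port with the hostname from the report and the handshake succeeds with the DNS-only certificate; pass the IP address instead and the same SAN mismatch is reproduced.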

          People

            jbarrett Jacob Barrett