Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Description
In a cluster I noticed error messages that indicate a potential issue related to SNI, similar to what's described in HADOOP-16718.
Server Name Indication (SNI) was added as an extension to the TLS protocol that lets a client ask that the public certificate for a specific host name be returned.
This feature was added primarily for virtual hosting scenarios, where a client connects to the same IP address to reach one of many virtually hosted servers.
Currently, our servers have no use for this feature, as we do not support such a virtual hosting scenario.
If the server's JKS file holds a valid private/public key/cert pairing but also holds another trustedCertEntry certificate whose subjectAltName extension contains the hostname, the trusted cert gets picked.
It sounds like we can port the fix from HADOOP-16718 into Ozone.
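As an added example (not code from Ozone or Hadoop), the following check lists the entries of a JKS keystore and warns when a trustedCertEntry's subjectAltName covers the server hostname alongside a PrivateKeyEntry, which is the layout the report describes. It uses only the standard `java.security.KeyStore` and `X509Certificate` APIs; the hostname matching is a simplified exact/single-label-wildcard comparison and does not reproduce Jetty's own SNI selection logic. The keystore path, store password and hostname are command-line arguments and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Lists JKS entries and warns when a trustedCertEntry's SAN covers the server hostname.
 *  Usage: java SniKeystoreCheck <keystore.jks> <storepass> <hostname> */
public class SniKeystoreCheck {
    public static void main(String[] args) throws Exception {
        String hostname = args[2].toLowerCase();
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: the server keystore is JKS
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int findings = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue; // secret-key entries carry no cert
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            boolean covers = sanCovers((X509Certificate) cert, hostname);
            System.out.printf("%-16s %-24s covers %s: %s%n", kind, alias, hostname, covers);
            // The ambiguous layout from the report: a trusted cert that also matches the hostname
            if (ks.isCertificateEntry(alias) && covers) {
                System.out.println("  WARNING: trustedCertEntry '" + alias + "' matches " + hostname
                        + "; an SNI-aware server may select it over the PrivateKeyEntry");
                findings++;
            }
        }
        System.exit(findings == 0 ? 0 : 1);
    }

    /** True if a dNSName SAN equals the hostname or is a single-label wildcard for it. */
    static boolean sanCovers(X509Certificate cert, String hostname) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        int dot = hostname.indexOf('.');
        String parent = dot > 0 ? hostname.substring(dot) : null; // e.g. ".example.org"
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) != 2) continue; // GeneralName tag 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(hostname)) return true;
            if (parent != null && name.startsWith("*.") && name.substring(1).equals(parent)) return true;
        }
        return false;
    }
}
```

A non-zero exit status means at least one trusted cert entry shares the server hostname with the key entry; moving CA and peer certificates into a separate truststore removes the ambiguity regardless of whether SNI is disabled.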
Issue Links
- relates to: HADOOP-16718 Allow disabling Server Name Indication (SNI) for Jetty (Resolved)