Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 2.11
- None
- None
- Docs Required, Release Notes Required
Description
Motivation: There are cases when Ignite clients connect to a cluster located inside Kubernetes (k8s), and the k8s cluster has an ingress gateway that routes TLS traffic using the SNI extension.
We need to provide the hostnames from org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI extension.
The SSLContext for the Java thin client is created in org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional SSLParameters (like it's done in org.apache.ignite.ssl.SslContextFactory#createSslContext). To add the SNI extension, we need to add the hostnames via javax.net.ssl.SSLParameters#setServerNames.
We also need to check that other thin clients and thick clients add SNI to the handshake.
Possibly in org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we additionally need to replace
from:
engine = this.sslCtx.createSSLEngine();
to:
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(), ses.remoteAddress().getPort());
In this case, if an IP address is set in ClientConfiguration#setAddresses, the SNI extension will be added with the reverse-lookup hostname. If a hostname with a port is set in ClientConfiguration#setAddresses, no SNI extension will be added.