Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
3.5.3
-
None
-
In our environment, the zk clusters are all behind a proxy, the proxy decide to transfer the request from client based on the "ServerName" field in SSL Hello packet(the proxy served on SSL only). but the Hello packets that zk client sended do proxy do not contain the "ServerName" field in it. after inspect the codes, we have found that it is because that zk client did not specify the peerHost when initializing the SSLContext.
In our environment, the zk clusters are all behind a proxy, the proxy decide to transfer the request from client based on the "ServerName" field in SSL Hello packet(the proxy served on SSL only). but the Hello packets that zk client sended do proxy do not contain the "ServerName" field in it. after inspect the codes, we have found that it is because that zk client did not specify the peerHost when initializing the SSLContext.
-
ssl proxy
Description
In our environment, the zk clusters are all behind a proxy, the proxy decide to transfer the request from client based on the "ServerName" field in SSL Hello packet(the proxy served on SSL only). but the Hello packets that zk client sended do proxy do not contain the "ServerName" field in it. after inspect the codes, we have found that it is because that zk client did not specify the peerHost when initializing the SSLContext.
In the method initSSL of class ZKClientPipelineFactory, it initialize the SSLEngine like below:
sslEngine = sslContext.createSSLEngine();
Actually the sslContext provide another factory method that receives the hostName and port parameter.
public final SSLEngine createSSLEngine(String hostName, int port)
If we call this method to create the SSLEngine, then the proxy will know which zk cluster it really want to access.
Attachments
Issue Links
- links to
