Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2949

SSL ServerName not set when using hostname, some proxies may failed to proxy the request.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.5.3
    • 3.5.4, 3.6.0
    • java client
    • None
    • ssl proxy

    Description

      In our environment, the zk clusters are all behind a proxy, the proxy decide to transfer the request from client based on the "ServerName" field in SSL Hello packet(the proxy served on SSL only). but the Hello packets that zk client sended do proxy do not contain the "ServerName" field in it. after inspect the codes, we have found that it is because that zk client did not specify the peerHost when initializing the SSLContext.

      In the method initSSL of class ZKClientPipelineFactory, it initialize the SSLEngine like below:

      sslEngine = sslContext.createSSLEngine();

      Actually the sslContext provide another factory method that receives the hostName and port parameter.

      public final SSLEngine createSSLEngine(String hostName, int port)

      If we call this method to create the SSLEngine, then the proxy will know which zk cluster it really want to access.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              abel Feng Shaobao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 12h
                  12h
                  Remaining:
                  Remaining Estimate - 12h
                  12h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified