This is an automated email from the ASF dual-hosted git repository. bschuchardt pushed a commit to branch feature/GEODE-8144 in repository https://gitbox.apache.org/repos/asf/geode.git
commit 88e7fd93b5052f7dbfb7e5ec7c3453a0d5825d32
Author: Bruce Schuchardt <[email protected]>
AuthorDate: Tue May 19 07:57:29 2020 -0700

GEODE-8144: endpoint identification in servers is not working

Set the SNI server-name field in SSL parameters for p2p communications, allowing endpoint identification to work properly. I modified one of the SNI haproxy tests to have keystores with the proper subject-alternative-names for p2p communications in the docker containers and for client/server off-platform communications. I used Sai's keystore/truststore construction CertificateMaterial/CertStores classes to generate the stores...
.sanDnsName("geode") // for inside the docker container
.sanDnsName("localhost") // for inside the docker container
.sanIpAddress(InetAddress.getByName("0.0.0.0")) // for inside the docker container
.sanDnsName(certName) // for client endpoint validation (locator-maeve for instance)
---
 .../geode/client/sni/DualServerSNIAcceptanceTest.java | 3 +--
 .../org/apache/geode/client/sni/docker-compose.yml | 1 +
 .../client/sni/geode-config/gfsecurity.properties | 2 +-
 .../sni/geode-config/locator-maeve-keystore.jks | Bin 2048 -> 3525 bytes
 .../sni/geode-config/server-clementine-keystore.jks | Bin 2059 -> 3537 bytes
 .../sni/geode-config/server-dolores-keystore.jks | Bin 2050 -> 3528 bytes
 .../geode/client/sni/geode-config/truststore.jks | Bin 8095 -> 1126 bytes
 .../org/apache/geode/internal/net/SocketCreator.java | 16 +++++++++++++---
 8 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/geode-assembly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java b/geode-assembly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java
index 640d92a..7b08be2 100644
--- a/geode-assembly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java
+++ b/geode-assembly/src/acceptanceTest/java/org/apache/geode/client/sni/DualServerSNIAcceptanceTest.java
@@ -26,7 +26,6 @@ import static org.apache.geode.test.util.ResourceUtils.createTempFileFromResourc
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import java.io.IOException;
 import java.net.URL;
 import java.util.Properties;
@@ -74,7 +73,7 @@ public class DualServerSNIAcceptanceTest {
 private ClientCache cache;
 @BeforeClass
- public static void beforeClass() throws IOException, InterruptedException {
+ public static void beforeClass() throws Exception {
 docker.get().exec(options("-T"), "geode", arguments("gfsh", "run", "--file=/geode/scripts/geode-starter-2.gfsh"));
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml
index 8caa12f..dd52102 100644
--- a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml
+++ b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/docker-compose.yml
@@ -19,6 +19,7 @@ services:
 geode:
 container_name: 'geode'
 image: 'geode:develop'
+ hostname: geode
 expose:
 - '10334'
 - '40404'
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties
index 813d260..135f3e3 100644
--- a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties
+++ b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/gfsecurity.properties
@@ -23,5 +23,5 @@ ssl-truststore-password=geode
 ssl-require-authentication=false
 ssl-web-require-authentication=false
 ssl-enabled-components=all
-ssl-endpoint-identification-enabled=false
+ssl-endpoint-identification-enabled=true
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks
index a29cf0f..95caaec 100644
Binary files a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks and b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/locator-maeve-keystore.jks differ
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks
index 380de6c..6716704 100644
Binary files a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks and b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-clementine-keystore.jks differ
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks
index cb2c4c5..f00aeac 100644
Binary files a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks and b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/server-dolores-keystore.jks differ
diff --git a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks
index ffcdaf3..a7563df 100644
Binary files a/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks and b/geode-assembly/src/acceptanceTest/resources/org/apache/geode/client/sni/geode-config/truststore.jks differ
diff --git a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
index 8fb2136..8bb8aef 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/net/SocketCreator.java
@@ -544,7 +544,13 @@ public class SocketCreator extends TcpSocketCreatorImpl {
 * Returns an SSLEngine that can be used to perform TLS handshakes and communication
 */
 public SSLEngine createSSLEngine(String hostName, int port) {
- return getSslContext().createSSLEngine(hostName, port);
+ SSLEngine engine = getSslContext().createSSLEngine(hostName, port);
+ SSLParameters parameters = engine.getSSLParameters();
+ // set server-names so that endpoint identification algorithms can find what's expected
+ if (setServerNames(parameters, new HostAndPort(hostName, port))) {
+ engine.setSSLParameters(parameters);
+ }
+ return engine;
 }
 /**
@@ -770,7 +776,10 @@ public class SocketCreator extends TcpSocketCreatorImpl {
 }
 }
- private void setServerNames(SSLParameters modifiedParams, HostAndPort addr) {
+ /**
+ * returns true if the SSLParameters are altered, false if not
+ */
+ private boolean setServerNames(SSLParameters modifiedParams, HostAndPort addr) {
 List<SNIServerName> oldNames = modifiedParams.getServerNames();
 oldNames = oldNames == null ? Collections.emptyList() : oldNames;
 final List<SNIServerName> serverNames = new ArrayList<>(oldNames);
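Review bot: As far as endpoint identification is concerned, the SNI host_name that createSSLEngine now adds only has an effect if the endpoint identification algorithm is also set on the same SSLParameters, and nothing in this hunk sets it; if that happens where the engine is configured afterwards (not visible here), the comment should say so, e.g. `// add an SNI host_name so the endpoint-identification algorithm, enabled when the engine is configured, knows the expected peer name`. The Javadoc above createSSLEngine still describes only the old behaviour; add a sentence such as `The returned engine carries an SNI host_name for {@code hostName} unless its parameters already contained one.` Note also that `engine.getSSLParameters()` returns a copy, so the `setSSLParameters` call is what makes the change effective — worth a short comment since the boolean guard makes it look optional.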
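Review bot: The new Javadoc on setServerNames documents only the return value, and now that the method is called from createSSLEngine as well as its existing caller it should state what is altered: `Adds an SNI host_name for {@code addr} to {@code modifiedParams} unless one is already present.` followed by `@return true if modifiedParams was altered, false if an SNI host_name was already set`. The parameter name `modifiedParams` reads as a promise that the object is always modified, which the new boolean return contradicts; `params` would match the contract better. setServerNames's body continues in the next hunk.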
@@ -779,11 +788,12 @@ public class SocketCreator extends TcpSocketCreatorImpl {
 .mapToInt(SNIServerName::getType)
 .anyMatch(type -> type == StandardConstants.SNI_HOST_NAME)) {
 // we already have a SNI hostname set. Do nothing.
- return;
+ return false;
 }
 serverNames.add(new SNIHostName(addr.getHostName()));
 modifiedParams.setServerNames(serverNames);
+ return true;
 }
 /**
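Review bot: `serverNames.add(new SNIHostName(addr.getHostName()))` now runs for every engine built by createSSLEngine, and SNIHostName throws IllegalArgumentException for names containing non-LDH characters (IPv6 literals with ':' in particular) and NullPointerException for null, which SSLContext.createSSLEngine itself accepts as a mere hint; unless HostAndPort already rejects such values (not visible here), engine creation for those peers now fails where it previously succeeded. RFC 6066 disallows IP literals in server_name anyway, so the safe behaviour is to leave the parameters untouched and return false for them, which still lets endpoint identification fail closed at verification time rather than at engine creation. IPv4 literals pass SNIHostName's check but are equally disallowed; if the project has an "is this an IP literal" helper, use it here instead of the ':' test below. The enclosing setServerNames begins in the previous hunk.
```java
    String host = addr.getHostName();
    // RFC 6066 does not allow IP literals in server_name, and SNIHostName rejects
    // null/empty names and non-LDH characters (e.g. IPv6 literals) — leave params as-is
    if (host == null || host.isEmpty() || host.indexOf(':') >= 0) {
      return false;
    }
    serverNames.add(new SNIHostName(host));
    modifiedParams.setServerNames(serverNames);
    return true;
```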
