rdhabalia commented on a change in pull request #3486: [pulsar-broker] separate broker-client config to allow-insecure-cnx for broker replication
URL: https://github.com/apache/pulsar/pull/3486#discussion_r252797594
##########
File path: conf/broker.conf
##########
@@ -255,6 +255,10 @@ tlsTrustCertsFilePath=
# though the cert will not be used for client authentication.
tlsAllowInsecureConnection=false
+# Allow insecured tls connection for outgoing connection to a server (broker)
+# (eg: to avoid hostname-verification)
+brokerClientTlsAllowInsecureConnection=false
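Review bot: the comment on the new key says the option exists "to avoid hostname-verification", but the key name and the existing tlsAllowInsecureConnection just above describe skipping server certificate validation, which is a broader relaxation than hostname verification alone; reword the comment to state what the flag really disables, e.g. `# Allow insecure TLS connections (no server certificate validation) for outgoing connections to other brokers (eg: replication)`, and fix "insecured" to "insecure" while at it.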
Review comment:
> Actually, the "insecure connection" setting in the client lib would mean to not validate the server certificate. This is different from hostname verification.
That's correct. However, the issue is:
- Pulsar client uses AsyncHttpClient, which by default does hostname verification and matches the server's SAN with the hostname; if it doesn't match, it throws the exception below:
```
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:634)
    at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:486)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1025)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1132)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:211)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1257)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1159)
    ... 19 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:204)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:221)
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:630)
    ... 26 more
```
and the client fails to complete the handshake with the broker:
```
0:53:11.250 [pulsar-client-io-27-1:org.apache.pulsar.client.impl.PulsarClientImpl@343] WARN org.apache.pulsar.client.impl.PulsarClientImpl - [persistent://my-property/use/my-ns/my-topic1] Failed to get partitioned topic metadata
java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.ExecutionException: java.net.ConnectException: General OpenSslEngine problem
    at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:292) ~[?:1.8.0_92]
    at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:308) ~[?:1.8.0_92]
    at java.util.concurrent.CompletableFuture.uniAccept(CompletableFuture.java:647) ~[?:1.8.0_92]
    at java.util.concurrent.CompletableFuture$UniAccept.tryFire(CompletableFuture.java:632) ~[?:1.8.0_92]
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) ~[?:1.8.0_92]
    at java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977) ~[?:1.8.0_92]
    at org.apache.pulsar.client.impl.HttpClient.lambda$0(HttpClient.java:179) ~[classes/:?]
    at org.asynchttpclient.netty.NettyResponseFuture.lambda$addListener$0(NettyResponseFuture.java:298) ~[async-http-client-2.1.0-alpha26.jar:?]
```
**How to fix it?**
Set the insecure trust manager at HttpClient:
[confBuilder.setUseInsecureTrustManager(tlsAllowInsecureConnection);](https://github.com/apache/pulsar/blob/master/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java#L106)
and at the broker:
the broker should set the `allowTlsInsecureConnection` config for the client.
[.allowTlsInsecureConnection(pulsar.getConfiguration().isTlsAllowInsecureConnection());](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java#L566)
Now, everywhere we have kept the name `allowTlsInsecureConnection` to disable this option, so I have introduced the config `brokerClientTlsAllowInsecureConnection`.
Alternatively, we can change the name to `brokerClientHostnameVerificationEnable`, which can be enabled by default. Will that be fine?
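The distinction the two commenters are circling, shown as an added example that is not code from the PR, from Pulsar or from AsyncHttpClient: a TLS client does two independent checks, chain validation (is the server certificate signed by a trusted CA?) and hostname verification (does a SAN dNSName entry match the host that was dialed?). The stack trace above fails the second check. The block below models that SAN match in `match_dns` (my own implementation, modelled on the JDK's `HostnameChecker.matchDNS` behaviour, not copied from it) and then maps the two config knobs discussed in the thread onto Python's `ssl.SSLContext`, where the same two checks are the separate settings `verify_mode` and `check_hostname`. The function names and the SAN list are mine and constructed for illustration.

```python
"""Added example, not code from the Pulsar PR: the two separate checks a TLS
client performs, which the config names in this thread are trying to keep apart.

  1. chain validation  - is the server certificate signed by a trusted CA?
  2. hostname check    - does a SAN dNSName entry match the host that was dialed?

The Java trace in the thread ("No subject alternative DNS name matching
localhost found") comes from check 2, in HostnameChecker.matchDNS.
"""
import ssl


class HostnameMismatch(Exception):
    """Raised when no SAN dNSName matches the dialed hostname (check 2 failed)."""


def match_dns(hostname, san_dns_names):
    """RFC 6125-style DNS-ID matching, modelled on (not copied from)
    sun.security.util.HostnameChecker.matchDNS:
      - case-insensitive comparison, trailing dots ignored
      - a wildcard is allowed only as the whole leftmost label ("*.example.com")
        and matches exactly one label, so it never matches the bare domain
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        labels = pattern.split(".")
        if "*" not in pattern:
            if pattern == host:
                return True
            continue
        # wildcard form: "*" must be the entire first label, nothing else may
        # contain "*", and at least two fixed labels must follow it
        if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
            continue
        if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
            return True
    return False


def verify_hostname(hostname, san_dns_names):
    """Hostname verification step; the message mirrors the JDK's wording."""
    if not match_dns(hostname, san_dns_names):
        raise HostnameMismatch(
            "No subject alternative DNS name matching %s found." % hostname)


def build_client_context(tls_allow_insecure_connection, hostname_verification_enabled):
    """Map the two knobs discussed in the thread onto ssl.SSLContext.

    tls_allow_insecure_connection=True  -> skip chain validation entirely; a
                                           hostname check against an unvalidated
                                           certificate is meaningless, so it is
                                           switched off as well
    hostname_verification_enabled=False -> keep chain validation, skip only the
                                           SAN/hostname match
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    # check_hostname must be cleared before verify_mode may become CERT_NONE
    ctx.check_hostname = hostname_verification_enabled and not tls_allow_insecure_connection
    if tls_allow_insecure_connection:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(ctx):
    """Summarise what a context will actually enforce on connect()."""
    return {
        "validate_chain": ctx.verify_mode != ssl.CERT_NONE,
        "verify_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    # constructed sample: a broker certificate issued for its real DNS names,
    # dialed as "localhost" (the situation in the thread's stack trace)
    san = ["broker1.example.com", "*.pulsar.example.com"]
    for host in ("localhost", "broker1.example.com", "broker2.pulsar.example.com"):
        try:
            verify_hostname(host, san)
            print("%-28s hostname OK" % host)
        except HostnameMismatch as e:
            print("%-28s %s" % (host, e))
    for flags in ((False, True), (False, False), (True, True)):
        print(flags, context_policy(build_client_context(*flags)))
```

The middle case, `build_client_context(False, False)`, is the configuration the quoted reply points at: the chain is still validated, only the SAN match is skipped. The `tlsAllowInsecureConnection=true` case drops both, which is why a flag named for hostname verification and a flag named for insecure connections are not interchangeable.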
----------------------------------------------------------------
This is an automated message from the Apache Git Service.