Sandor Molnar created KNOX-3356:
-----------------------------------
Summary: CM service discovery won't work if CM server started without TLS
Key: KNOX-3356
URL: https://issues.apache.org/jira/browse/KNOX-3356
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 2.1.0
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 3.0.0
DiscoveryApiClient.configureSsl() unconditionally replaces the OkHttp client's
connectionSpecs with a single TLS-only spec (ConnectionSpec.MODERN_TLS).
{{OkHttp}} matches the request URL's scheme against the allowed connection
specs. When the CM discovery address is http:// (CM TLS not enabled), there's
no ConnectionSpec.CLEARTEXT in the list, so {{OkHttp}} refuses the connection
with exactly:
{noformat}
java.net.UnknownServiceException: CLEARTEXT communication not enabled for client
{noformat}
Knox running TLS for its own gateway is unrelated — this is purely the
_outbound_ discovery client being locked to TLS regardless of the target
address.
We need to fix this issue in a way such that the current HTTPS configuration
remains untouched, and for non-TLS connections the SSL configuration should be
skipped.
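One way to make the connection specs follow the discovery address scheme, as the issue requests. This is an added example, not the Knox fix or project code: the class `SchemeAwareDiscoveryClient`, its `build` method, the sample addresses and the use of the JVM default trust store are all assumptions made for illustration.

```java
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.ConnectionSpec;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;

// Hypothetical helper, not Knox code: picks connection specs from the discovery URL scheme.
public class SchemeAwareDiscoveryClient {
  static OkHttpClient build(String discoveryAddress, SSLContext ssl, X509TrustManager tm) {
    HttpUrl url = HttpUrl.parse(discoveryAddress); // null unless a valid http/https URL
    if (url == null) {
      throw new IllegalArgumentException("Invalid discovery address: " + discoveryAddress);
    }
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    if (url.isHttps()) {
      // HTTPS path stays TLS-only: no CLEARTEXT spec, so this client cannot fall back to plain HTTP.
      builder.sslSocketFactory(ssl.getSocketFactory(), tm)
             .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS));
    } else {
      // http:// target: skip SSL setup and allow only cleartext for this client.
      builder.connectionSpecs(Collections.singletonList(ConnectionSpec.CLEARTEXT));
    }
    return builder.build();
  }

  public static void main(String[] args) throws Exception {
    // Assumption: the JVM default trust store stands in for the gateway's truststore.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);
    X509TrustManager tm = null;
    for (TrustManager t : tmf.getTrustManagers()) {
      if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; break; }
    }
    SSLContext ssl = SSLContext.getInstance("TLS");
    ssl.init(null, new TrustManager[] {tm}, null);
    // Constructed sample addresses; host and ports are placeholders.
    for (String addr : new String[] {"http://cm.example.com:7180", "https://cm.example.com:7183"}) {
      OkHttpClient client = build(addr, ssl, tm);
      System.out.println(addr + " -> " + client.connectionSpecs());
    }
  }
}
```

Because each client carries exactly one spec, a client built for an https:// address still rejects cleartext requests, which keeps the existing HTTPS behaviour unchanged.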