[jira] [Work logged] (KNOX-3356) CM service discovery won't work if CM server started without TLS

Fri, 19 Jun 2026 07:12:09 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3356?focusedWorklogId=1026010&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026010
 ]

ASF GitHub Bot logged work on KNOX-3356:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Jun/26 14:11
            Start Date: 19/Jun/26 14:11
    Worklog Time Spent: 10m 
      Work Description: github-actions[bot] commented on PR #1272:
URL: https://github.com/apache/knox/pull/1272#issuecomment-4752279786

   ## Test Results
   22 tests   22 ✅  2s ⏱️
    1 suites   0 💤
    1 files     0 ❌
   
   Results for commit dfef0ab3.
   
   
[test-results]:data:application/gzip;base64,H4sIAPNNNWoC/12Myw6DIBBFf8Ww7gJhIrQ/0yAwyaQqDY+V6b8XbUO1u3vOTc7KkCaf2K3rLx1LhXIDV6LJFJaKomI98naJBvdUrP0zD3pWw5tAQ9NJ+BhD/JpYllbc9in4Eb/ezofczseaDfNMuQJz6JGbUYKEQSglB6ERNDo/Wu4k9M540Fel2OsNuR257v8AAAA=
   




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1026010)
    Time Spent: 20m  (was: 10m)

> CM service discovery won't work if CM server started without TLS
> ----------------------------------------------------------------
>
>                 Key: KNOX-3356
>                 URL: https://issues.apache.org/jira/browse/KNOX-3356
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> DiscoveryApiClient.configureSsl() unconditionally replaces the OkHttp 
> client's connectionSpecs with a single TLS-only spec 
> (ConnectionSpec.MODERN_TLS)
> {{OkHttp}} matches the request URL's scheme against the allowed connection 
> specs. When the CM discovery address is http:// (CM TLS not enabled), there's 
> no ConnectionSpec.CLEARTEXT in the list, so {{OkHttp}} refuses the connection 
> with exactly:
> {noformat}
> java.net.UnknownServiceException: CLEARTEXT communication not enabled for 
> client{noformat}
> Knox running TLS for its own gateway is unrelated — this is purely the 
> _outbound_ discovery client being locked to TLS regardless of the target 
> address.
> We need to fix this issue in a way such that the current HTTPS configuration 
> remains untouched, and for non-TLS connections the SSL configuration should 
> be skipped.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to