[
https://issues.apache.org/jira/browse/KNOX-3356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18090251#comment-18090251
]
ASF subversion and git services commented on KNOX-3356:
-------------------------------------------------------
Commit c3f55243fba023261ae91b80b5534aaa460ed114 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c3f55243f ]
KNOX-3356: Allow Cloudera Manager service discovery over cleartext HTTP (#1272)
> CM service discovery won't work if CM server started without TLS
> ----------------------------------------------------------------
>
> Key: KNOX-3356
> URL: https://issues.apache.org/jira/browse/KNOX-3356
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> DiscoveryApiClient.configureSsl() unconditionally replaces the OkHttp
> client's connectionSpecs with a single TLS-only spec
> (ConnectionSpec.MODERN_TLS)
> {{OkHttp}} matches the request URL's scheme against the allowed connection
> specs. When the CM discovery address is http:// (CM TLS not enabled), there's
> no ConnectionSpec.CLEARTEXT in the list, so {{OkHttp}} refuses the connection
> with exactly:
> {noformat}
> java.net.UnknownServiceException: CLEARTEXT communication not enabled for
> client{noformat}
> Knox running TLS for its own gateway is unrelated — this is purely the
> _outbound_ discovery client being locked to TLS regardless of the target
> address.
> We need to fix this issue in a way such that the current HTTPS configuration
> remains untouched, and for non-TLS connections the SSL configuration should
> be skipped.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
