[
https://issues.apache.org/jira/browse/KNOX-3356?focusedWorklogId=1026028&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026028
]
ASF GitHub Bot logged work on KNOX-3356:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/Jun/26 15:46
Start Date: 19/Jun/26 15:46
Worklog Time Spent: 10m
Work Description: smolnar82 commented on PR #1272:
URL: https://github.com/apache/knox/pull/1272#issuecomment-4752999175
> Why are there CM deployments without TLS?
This is a really good question!
Issue Time Tracking
-------------------
Worklog Id: (was: 1026028)
Time Spent: 40m (was: 0.5h)
> CM service discovery won't work if CM server started without TLS
> ----------------------------------------------------------------
>
> Key: KNOX-3356
> URL: https://issues.apache.org/jira/browse/KNOX-3356
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> DiscoveryApiClient.configureSsl() unconditionally replaces the OkHttp
> client's connectionSpecs with a single TLS-only spec
> (ConnectionSpec.MODERN_TLS)
> {{OkHttp}} matches the request URL's scheme against the allowed connection
> specs. When the CM discovery address is http:// (CM TLS not enabled), there's
> no ConnectionSpec.CLEARTEXT in the list, so {{OkHttp}} refuses the connection
> with exactly:
> {noformat}
> java.net.UnknownServiceException: CLEARTEXT communication not enabled for
> client{noformat}
> Knox running TLS for its own gateway is unrelated — this is purely the
> _outbound_ discovery client being locked to TLS regardless of the target
> address.
> We need to fix this issue in a way such that the current HTTPS configuration
> remains untouched, and for non-TLS connections the SSL configuration should
> be skipped.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
