[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Feng Shaobao updated ZOOKEEPER-2949:
------------------------------------
    Description: 
In our environment, the zk clusters are all behind a proxy; the proxy decides to 
transfer the request from the client based on the "ServerName" field in the SSL Hello 
packet (the proxy serves on SSL only). But the Hello packets that the zk client 
sent to the proxy do not contain the "ServerName" field. After inspecting the 
code, we found that this is because the zk client did not specify the 
peerHost when initializing the SSLContext.

In the method initSSL of class ZKClientPipelineFactory, it initializes the 
SSLEngine like below:

sslEngine = sslContext.createSSLEngine();

Actually the sslContext provides another factory method that receives the 
hostName and port parameters.

public final SSLEngine createSSLEngine(String hostName, int port)

If we call this method to create the SSLEngine, then the proxy will know which 
zk cluster it really wants to access.

  was:
In the method initSSL of class ZKClientPipelineFactory, it initializes the 
SSLEngine like below:

sslEngine = sslContext.createSSLEngine();

Actually the sslContext provides another factory method that receives the 
hostName and port parameters.

public final SSLEngine createSSLEngine(String hostName, int port)

If we call this method to create the SSLEngine, then the proxy will know which 
zk cluster it really wants to access.


> SSL ServerName not set when using hostname, some proxies may fail to proxy 
> the request.
> -----------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2949
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.5.3
>         Environment: In our environment, the zk clusters are all behind a 
> proxy; the proxy decides to transfer the request from the client based on the 
> "ServerName" field in the SSL Hello packet (the proxy serves on SSL only). But the 
> Hello packets that the zk client sent to the proxy do not contain the "ServerName" 
> field. After inspecting the code, we found that this is because the 
> zk client did not specify the peerHost when initializing the SSLContext.
>            Reporter: Feng Shaobao
>             Fix For: 3.5.4
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, the zk clusters are all behind a proxy; the proxy decides 
> to transfer the request from the client based on the "ServerName" field in the SSL 
> Hello packet (the proxy serves on SSL only). But the Hello packets that the zk 
> client sent to the proxy do not contain the "ServerName" field. After 
> inspecting the code, we found that this is because the zk client did not 
> specify the peerHost when initializing the SSLContext.
> In the method initSSL of class ZKClientPipelineFactory, it initializes the 
> SSLEngine like below:
> sslEngine = sslContext.createSSLEngine();
> Actually the sslContext provides another factory method that receives the 
> hostName and port parameters.
> public final SSLEngine createSSLEngine(String hostName, int port)
> If we call this method to create the SSLEngine, then the proxy will know 
> which zk cluster it really wants to access.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
