[
https://issues.apache.org/jira/browse/ZOOKEEPER-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266532#comment-16266532
]
ASF GitHub Bot commented on ZOOKEEPER-2949:
-------------------------------------------
GitHub user abel-von opened a pull request:
https://github.com/apache/zookeeper/pull/423
ZOOKEEPER-2949: using hostname and port to create SSLEngine
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/abel-von/zookeeper ZOOKEEPER-2949
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/423.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #423
----
commit 0014a4cba1a6657de0197f6243e35f34ab141ac1
Author: f00231050 <[email protected]>
Date: 2017-11-27T08:34:21Z
ZOOKEEPER-2949: SSL ServerName not set when using hostname, some proxies
may fail to proxy the request.
use the factory method which accepts host and port to create the SSLEngine
----
> SSL ServerName not set when using hostname, some proxies may fail to proxy
> the request.
> -----------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-2949
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client
> Affects Versions: 3.5.3
> Environment: In our environment, the zk clusters are all behind a
> proxy. The proxy decides where to transfer the request from the client based
> on the "ServerName" field in the SSL Hello packet (the proxy serves SSL only),
> but the Hello packets that the zk client sends to the proxy do not contain the
> "ServerName" field. After inspecting the code, we found that this is because
> the zk client does not specify the peerHost when initializing the SSLContext.
> Reporter: Feng Shaobao
> Fix For: 3.5.4
>
> Original Estimate: 12h
> Remaining Estimate: 12h
>
> In our environment, the zk clusters are all behind a proxy. The proxy decides
> where to transfer the request from the client based on the "ServerName" field
> in the SSL Hello packet (the proxy serves SSL only), but the Hello packets
> that the zk client sends to the proxy do not contain the "ServerName" field.
> After inspecting the code, we found that this is because the zk client does
> not specify the peerHost when initializing the SSLContext.
> In the method initSSL of class ZKClientPipelineFactory, it initializes the
> SSLEngine as below:
>     sslEngine = sslContext.createSSLEngine();
> Actually, the sslContext provides another factory method that receives the
> hostName and port parameters:
>     public final SSLEngine createSSLEngine(String hostName, int port)
> If we call this method to create the SSLEngine, then the proxy will know
> which zk cluster it really wants to access.
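An added example, not code from the pull request or from ZooKeeper: a stand-alone Java check of the behaviour the report describes. It produces a ClientHello from an engine built with each factory method and looks for the host name in the bytes. The host `zk1.example.com`, the port `2281` and the use of the JDK default `SSLContext` are assumptions made for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class SniClientHelloCheck {
    // Constructed values for this example, not taken from the issue.
    static final String HOST = "zk1.example.com";
    static final int PORT = 2281;

    /** Produce the first handshake flight (the ClientHello) from a client-mode engine. */
    static byte[] clientHello(SSLEngine engine) throws Exception {
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out); // no application data, handshake bytes only
        out.flip();
        byte[] hello = new byte[out.remaining()];
        out.get(hello);
        return hello;
    }

    /** The server_name extension carries the host name as plain ASCII, so a byte search is enough. */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        byte[] name = HOST.getBytes(StandardCharsets.US_ASCII);

        // Engine created without peer information, as in initSSL before the change.
        byte[] without = clientHello(ctx.createSSLEngine());
        // Engine created with the peer host and port, as the pull request proposes.
        byte[] with = clientHello(ctx.createSSLEngine(HOST, PORT));

        System.out.println("createSSLEngine():           host name in ClientHello = " + contains(without, name));
        System.out.println("createSSLEngine(host, port): host name in ClientHello = " + contains(with, name));
    }
}
```

The peer host given to `createSSLEngine(String, int)` is also the name the engine checks the server certificate against when endpoint identification is enabled through `SSLParameters.setEndpointIdentificationAlgorithm`.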