[jira] [Comment Edited] (ZOOKEEPER-2949) SSL ServerName not set when using hostname, some proxies may failed to proxy the request.

Mon, 27 Nov 2017 01:25:50 -0800 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266548#comment-16266548
 ] 

Feng Shaobao edited comment on ZOOKEEPER-2949 at 11/27/17 9:24 AM:
-------------------------------------------------------------------

I think it is part of SSL protocol to specify the severname. anyone can help 
merging this PR?


was (Author: abel):
I think it is part of SSL protocol to specify the severname here. anyone can 
help merging this PR?

> SSL ServerName not set when using hostname, some proxies may failed to proxy 
> the request.
> -----------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2949
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.5.3
>         Environment: In our environment, the zk clusters are all behind a 
> proxy, the proxy decide to transfer the request from client based on the 
> "ServerName" field in SSL Hello packet(the proxy served on SSL only). but the 
> Hello packets that zk client sended do proxy do not contain the "ServerName" 
> field in it. after inspect the codes, we have found that it is because that 
> zk client did not specify the peerHost when initializing the SSLContext.
>            Reporter: Feng Shaobao
>             Fix For: 3.6.0
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, the zk clusters are all behind a proxy, the proxy decide 
> to transfer the request from client based on the "ServerName" field in SSL 
> Hello packet(the proxy served on SSL only). but the Hello packets that zk 
> client sended do proxy do not contain the "ServerName" field in it. after 
> inspect the codes, we have found that it is because that zk client did not 
> specify the peerHost when initializing the SSLContext.
> In the method initSSL of class ZKClientPipelineFactory, it initialize the 
> SSLEngine like below:
> sslEngine = sslContext.createSSLEngine();
> Actually the sslContext provide another factory method that receives the 
> hostName and port parameter.
> public final SSLEngine createSSLEngine(String hostName, int port)
> If we call this method to create the SSLEngine, then the proxy will know 
> which zk cluster it really want to access.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to