[jira] [Created] (GEODE-396) One way SSL authentication between client and server fails

Mon, 12 Oct 2015 17:17:31 -0700 

Darrel Schneider created GEODE-396:
--------------------------------------

             Summary: One way SSL authentication between client and server fails
                 Key: GEODE-396
                 URL: https://issues.apache.org/jira/browse/GEODE-396
             Project: Geode
          Issue Type: Bug
          Components: core
            Reporter: Darrel Schneider
            Assignee: Darrel Schneider


If the {{{server-ssl-require-authentication}}} property is configured like 
below so that clients aren't required to be SSL-authenticated by the server:

On client: {{{server-ssl-require-authentication=true}}}
On server: {{{server-ssl-require-authentication=false}}}

Then, this exception occurs on the server:
{{{
[severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 
0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating 
peer /192.168.2.12[63,528].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at 
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
        at 
com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
        at 
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
        at 
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
        at java.lang.Thread.run(Thread.java:745)
}}}
This happens because the {{{AcceptorImpl accept}}} method uses the default 
{{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the 
{{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured 
using the {{{cluster-ssl-*}}} properties not the {{{server-ssl-*}}} properties.

The attached test reproduces this issue, and the attached patch is a potential 
fix for it.

Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor logs 
the message below. It should not be doing this since the value of jaax.net.ssl 
properties can contain sensitive data.
{{{
[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer 
with SSL config : Authentication Required true Ciphers any Protocols any Other 
Properties -- listing properties --
  javax.net.ssl.keyStoreType=jks
  javax.net.ssl.trustStorePassword=password
  javax.net.ssl.keyStorePassword=password
  javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
  javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
}}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to