[ https://issues.apache.org/jira/browse/GEODE-396?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anthony Baker updated GEODE-396:
--------------------------------
    Fix Version/s: 1.0.0-alpha1

> One way SSL authentication between client and server fails
> ----------------------------------------------------------
>
>                 Key: GEODE-396
>                 URL: https://issues.apache.org/jira/browse/GEODE-396
>             Project: Geode
>          Issue Type: Bug
>          Components: core
>            Reporter: Darrel Schneider
>            Assignee: Darrel Schneider
>             Fix For: 1.0.0-alpha1
>
>
> If the {{{server-ssl-require-authentication}}} property is configured like 
> below so that clients aren't required to be SSL-authenticated by the server:
> On client: {{{server-ssl-require-authentication=true}}}
> On server: {{{server-ssl-require-authentication=false}}}
> Then, this exception occurs on the server:
> {{{
> [severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>       at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
>       at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
>       at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
>       at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
>       at java.lang.Thread.run(Thread.java:745)
> }}}
> This happens because the {{{AcceptorImpl accept}}} method uses the default 
> {{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the 
> {{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured 
> using the {{{cluster-ssl-*}}} properties not the {{{server-ssl-*}}} 
> properties.
> The attached test reproduces this issue, and the attached patch is a 
> potential fix for it.
> Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor 
> logs the message below. It should not be doing this since the value of 
> javax.net.ssl properties can contain sensitive data.
> {{{
> [info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
>   javax.net.ssl.keyStoreType=jks
>   javax.net.ssl.trustStorePassword=password
>   javax.net.ssl.keyStorePassword=password
>   javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
>   javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
> }}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
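
The logging concern in the quoted description (keystore and truststore passwords written to the server log at startup) can be avoided by masking secret-bearing properties before the configuration is formatted for a log line. The following is an added Java example, not Geode's code and not the patch attached to the issue; the class name, the list of key fragments treated as secret, and the sample property values are assumptions constructed for illustration.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.TreeMap;

public class SslConfigLogRedactor {
    // Key fragments treated as secret-bearing (assumption for this example).
    private static final String[] SECRET_MARKERS = {"password", "passphrase", "secret"};
    // Fixed-width mask so the log does not reveal the secret's length.
    private static final String MASK = "********";

    static boolean isSecretKey(String key) {
        String lowered = key.toLowerCase(Locale.ROOT);
        for (String marker : SECRET_MARKERS) {
            if (lowered.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /** Returns a loggable view of the properties with secret values masked. */
    static String describe(Properties props) {
        // TreeMap gives a stable key order, which keeps log lines comparable.
        TreeMap<String, String> view = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            view.put(name, isSecretKey(name) ? MASK : props.getProperty(name));
        }
        return view.toString();
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the paths and passwords are placeholders.
        Properties ssl = new Properties();
        ssl.setProperty("javax.net.ssl.keyStoreType", "jks");
        ssl.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.jks");
        ssl.setProperty("javax.net.ssl.keyStorePassword", "password");
        ssl.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        ssl.setProperty("javax.net.ssl.trustStorePassword", "password");

        // Only the masked view is ever handed to the logger.
        System.out.println("Starting CacheServer with SSL config : " + describe(ssl));
    }
}
```

Masking by key name is a denylist, so any property that carries a secret under an unexpected name would still be printed; logging only an explicit allowlist of non-sensitive keys is the stricter variant.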