[ https://issues.apache.org/jira/browse/GEODE-396?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Deppe updated GEODE-396:
-----------------------------
Description:
If the {{server-ssl-require-authentication}} property is configured like below
so that clients aren't required to be SSL-authenticated by the server:
On client: {{server-ssl-require-authentication=true}}
On server: {{server-ssl-require-authentication=false}}
Then, this exception occurs on the server:
{noformat}
[severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor
0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating
peer /192.168.2.12[63,528].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at
com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
at
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
at
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
at java.lang.Thread.run(Thread.java:745)
{noformat}
This happens because the {{AcceptorImpl accept}} method uses the default
{{SocketCreator}}, not a {{SocketCreator}} configured with the {{server-ssl-*}}
properties. The default {{SocketCreator}} is configured using the
{{cluster-ssl-*}} properties, not the {{server-ssl-*}} properties.
The attached test reproduces this issue, and the attached patch is a potential
fix for it.
Also, if {{server-ssl-enabled=true}}, the {{AcceptorImpl}} constructor logs the
message below. It should not be doing this, since the values of javax.net.ssl
properties can contain sensitive data.
{noformat}
[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer
with SSL config : Authentication Required true Ciphers any Protocols any Other
Properties -- listing properties --
javax.net.ssl.keyStoreType=jks
javax.net.ssl.trustStorePassword=password
javax.net.ssl.keyStorePassword=password
javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
{noformat}
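As an added illustration (not Geode's SocketCreator or AcceptorImpl, and not the attached patch), the sketch below shows the two things the report asks of the acceptor: read the SSL settings for the client/server port from the {{server-ssl-*}} properties rather than {{cluster-ssl-*}}, and only ask the session for a peer certificate when client authentication was actually demanded. Class and method names are hypothetical, and the fallback from {{server-ssl-require-authentication}} to {{cluster-ssl-require-authentication}} when the former is unset is an assumption about intended precedence, not documented Geode behaviour.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.util.Properties;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/**
 * Added example, not Geode's SocketCreator/AcceptorImpl and not the attached patch.
 * Two points from the report: the cache-server acceptor must take its SSL settings
 * from the server-ssl-* properties, and it must only ask the session for a peer
 * certificate when it actually demanded client authentication.
 */
public final class ServerSslAcceptorExample {

    /** SSL settings for the client/server port (hypothetical holder type). */
    static final class ServerSslConfig {
        final boolean enabled;
        final boolean requireClientAuth;

        ServerSslConfig(boolean enabled, boolean requireClientAuth) {
            this.enabled = enabled;
            this.requireClientAuth = requireClientAuth;
        }

        /** Reads server-ssl-*; the fallback to cluster-ssl-* is an assumption about intended precedence. */
        static ServerSslConfig from(Properties gemfireProps) {
            boolean enabled =
                Boolean.parseBoolean(gemfireProps.getProperty("server-ssl-enabled", "false"));
            String require = gemfireProps.getProperty("server-ssl-require-authentication");
            if (require == null) {
                require = gemfireProps.getProperty("cluster-ssl-require-authentication", "true");
            }
            return new ServerSslConfig(enabled, Boolean.parseBoolean(require));
        }
    }

    /** Completes the handshake on an accepted socket and authenticates the client only if required. */
    static void configureServerSslSocket(SSLSocket socket, ServerSslConfig cfg) throws IOException {
        socket.setUseClientMode(false);
        // false => one-way TLS: the server never requests a client certificate.
        socket.setNeedClientAuth(cfg.requireClientAuth);
        socket.startHandshake();

        if (!cfg.requireClientAuth) {
            // No certificate was requested, so the session has no peer chain.
            // Calling getPeerCertificates() here throws SSLPeerUnverifiedException,
            // which is the failure in the stack trace above.
            return;
        }
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            // chain[0] is the client's certificate; identity checks belong here.
        } catch (SSLPeerUnverifiedException e) {
            socket.close();
            throw new IOException("client authentication required but no certificate presented", e);
        }
    }

    public static void main(String[] args) {
        // Constructed properties mirroring the server side of the report's scenario.
        Properties server = new Properties();
        server.setProperty("server-ssl-enabled", "true");
        server.setProperty("server-ssl-require-authentication", "false");
        // A creator built from cluster-ssl-* would see this value instead and demand a client cert.
        server.setProperty("cluster-ssl-require-authentication", "true");

        ServerSslConfig cfg = ServerSslConfig.from(server);
        System.out.println("server-side SSL enabled: " + cfg.enabled);
        System.out.println("server requires client authentication: " + cfg.requireClientAuth);
    }
}
```

The check to keep in mind when reviewing any acceptor code of this shape: {{SSLSession.getPeerCertificates()}} is only meaningful after a handshake in which the server set {{setNeedClientAuth(true)}} (or {{setWantClientAuth(true)}} and the client chose to send a certificate); in one-way TLS it throws {{SSLPeerUnverifiedException}} unconditionally, so the call must be gated on the same flag that was used to configure the socket, and that flag must come from the same property set the socket was created from.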
was:
If the {{{server-ssl-require-authentication}}} property is configured like
below so that clients aren't required to be SSL-authenticated by the server:
On client: {{{server-ssl-require-authentication=true}}}
On server: {{{server-ssl-require-authentication=false}}}
Then, this exception occurs on the server:
{{{
[severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor
0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating
peer /192.168.2.12[63,528].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at
com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
at
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
at
com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
at java.lang.Thread.run(Thread.java:745)
}}}
This happens because the {{{AcceptorImpl accept}}} method uses the default
{{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the
{{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured
using the {{{cluster-ssl-*}}} properties, not the {{{server-ssl-*}}} properties.
The attached test reproduces this issue, and the attached patch is a potential
fix for it.
Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor logs
the message below. It should not be doing this, since the values of javax.net.ssl
properties can contain sensitive data.
{{{
[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer
with SSL config : Authentication Required true Ciphers any Protocols any Other
Properties -- listing properties --
javax.net.ssl.keyStoreType=jks
javax.net.ssl.trustStorePassword=password
javax.net.ssl.keyStorePassword=password
javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
}}}
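An added example (not part of the report and not Geode's code) of how a startup message like the one above can be made safe to log: render the SSL configuration with every credential-like value masked instead of handing the {{Properties}} object to a method that dumps it verbatim. The class name and the set of name fragments treated as sensitive are assumptions; the sample properties are constructed to mirror the ones in the logged message.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

/**
 * Added example: produces a loggable rendering of javax.net.ssl.* settings with
 * credential values masked. Not Geode's code; names are hypothetical.
 */
public final class SslConfigLogRedactor {

    /** Name fragments treated as credentials. An assumption; extend to match local naming. */
    private static final String[] SENSITIVE_FRAGMENTS = {"password", "passphrase", "secret", "credential"};

    static boolean isSensitive(String propertyName) {
        String lower = propertyName.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (lower.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Sorted name=value lines, with sensitive values replaced by a fixed mask. */
    static String describe(Properties sslProps) {
        Map<String, String> masked = new TreeMap<>();
        for (String name : sslProps.stringPropertyNames()) {
            masked.put(name, isSensitive(name) ? "********" : sslProps.getProperty(name));
        }
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : masked.entrySet()) {
            sb.append(e.getKey()).append('=').append(e.getValue()).append(System.lineSeparator());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the property names in the report's log line.
        Properties p = new Properties();
        p.setProperty("javax.net.ssl.keyStoreType", "jks");
        p.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.jks");
        p.setProperty("javax.net.ssl.keyStorePassword", "password");
        p.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        p.setProperty("javax.net.ssl.trustStorePassword", "password");

        // Masked rendering instead of Properties.list(), which prints every value.
        System.out.println("Starting CacheServer with SSL config:");
        System.out.print(describe(p));
    }
}
```

The "-- listing properties --" header in the logged message is what {{java.util.Properties.list(PrintStream)}} emits; that method prints every value as-is, which is how the keystore and truststore passwords ended up in the log. (It also truncates values longer than 40 characters to 37 plus "...", which accounts for the shortened paths in the message.) Masking by property name before logging, as above, is the usual fix; the alternative of logging nothing but the boolean and cipher/protocol settings is simpler still.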
> One way SSL authentication between client and server fails
> ----------------------------------------------------------
>
> Key: GEODE-396
> URL: https://issues.apache.org/jira/browse/GEODE-396
> Project: Geode
> Issue Type: Bug
> Components: core
> Reporter: Darrel Schneider
> Assignee: Darrel Schneider
> Fix For: 1.0.0-incubating.M1
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)