[
https://issues.apache.org/jira/browse/GEODE-574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jens Deppe updated GEODE-574:
-----------------------------
Component/s: (was: management)
security
gfsh
> Gfsh option --ciphers=any does not work the same as without the option
> ----------------------------------------------------------------------
>
> Key: GEODE-574
> URL: https://issues.apache.org/jira/browse/GEODE-574
> Project: Geode
> Issue Type: Bug
> Components: gfsh, security
> Reporter: Jens Deppe
>
> When using SSL, I can configure particular ciphers to be used. Usually this
> is done on the server. When a client connects, it will typically present all
> the ciphers it supports and the server will then negotiate the common cipher
> to use. Gfsh also allows a specific set of ciphers to be used. The
> documentation states that the default is "any". However the option
> {{--ciphers=any}} fails the connection whereas without the option a
> connection is made.
> I have a setup where I'm starting a Geode cluster with the following
> properties:
> {noformat}
> mcast-port=0
> cluster-ssl-enabled=true
> server-ssl-enabled=true
> jmx-manager-ssl-enabled=true
> cluster-ssl-keystore-type=jks
> cluster-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
> cluster-ssl-keystore-password=changeit
> cluster-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
> cluster-ssl-truststore-password=changeit
> cluster-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> cluster-ssl-protocols=TLSv1.2
> server-ssl-keystore-type=jks
> server-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
> server-ssl-keystore-password=changeit
> server-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
> server-ssl-truststore-password=changeit
> server-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> server-ssl-protocols=TLSv1.2
> jmx-manager-ssl-keystore-type=jks
> jmx-manager-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
> jmx-manager-ssl-keystore-password=changeit
> jmx-manager-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
> jmx-manager-ssl-truststore-password=changeit
> jmx-manager-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> jmx-manager-ssl-protocols=TLSv1.2
> {noformat}
> The keystore was created with the following command:
> {noformat}
> keytool -genkey -alias self -keypass changeit -storepass changeit -keystore
> test.jks -keyalg EC -keysize 256 -dname "CN=Trusted"
> {noformat}
> The start script is as follows:
> {noformat}
> #!/usr/bin/env bash
> set -x
> set -e
> GFSH=/Users/jdeppe/gemfire/82/bin/gfsh
> export JAVA_HOME=`/usr/libexec/java_home -v 1.8`
> pkill -9 -f ServerLauncher || true
> pkill -9 -f LocatorLauncher || true
> rm -rf locator1/*
> rm -rf server1/*
> $GFSH start locator \
> --name=locator1 \
> --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties \
> --port=19991
> $GFSH start server \
> --name=server1 \
> --locators=localhost[19991] \
> --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties
> {noformat}
> If I run gfsh as follows it is able to connect:
> {noformat}
> $GFSH -e "connect --protocols=TLSv1.2 --locator=localhost[19991] --use-ssl
> --key-store=$PWD/trusted.jks --trust-store=$PWD/trusted.jks
> --key-store-password=changeit --trust-store-password=changeit" -e "list
> members"
> {noformat}
> However, if I add the option {{--ciphers=any}} to the command above it is not
> able to connect.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
