Maria Makedonskaya created IGNITE-16627:
-------------------------------------------
Summary: SNI extension is missing when Java thin client is
connecting to Ignite cluster with SSL enabled
Key: IGNITE-16627
URL: https://issues.apache.org/jira/browse/IGNITE-16627
Project: Ignite
Issue Type: Bug
Components: thin client
Affects Versions: 2.11
Reporter: Maria Makedonskaya
Motivation: There are cases when Ignite clients connect to a cluster
that is located inside Kubernetes (k8s), and the k8s cluster has an ingress
gateway that routes TLS traffic using the SNI extension.
We need to provide the hostnames from
org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI
extension.
The SSLContext for the Java thin client is created in
org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly
we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional
SSLParameters (like it's done in
org.apache.ignite.ssl.SslContextFactory#createSslContext). To add the SNI
extension, the hostnames need to be added via
javax.net.ssl.SSLParameters#setServerNames.
We also need to check that other thin clients and thick clients add SNI to
the handshake.
Possibly in
org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we
additionally need to replace
from:
{code:java}
engine = this.sslCtx.createSSLEngine();
{code}
to:
{code:java}
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(),
    ses.remoteAddress().getPort());
{code}
In this case, if you provide an IP address to ClientConfiguration#setAddresses
then the SNI extension will be added with the reverse lookup hostname. If you
provide a hostname with port to ClientConfiguration#setAddresses, no SNI
extension will be added.
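An added example, not part of the original report and not Ignite's code: one way to build a client-mode SSLEngine that sends the configured host name as SNI through javax.net.ssl.SSLParameters#setServerNames, using the name exactly as configured rather than a reverse lookup. The class name, helper names and sample addresses are assumptions, and the endpoint identification setting is an addition the report does not mention.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniEngineExample {  // hypothetical class, for illustration only
    /** True for IPv4 dotted-quad or IPv6 literals, which RFC 6066 does not allow in SNI. */
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    /** Client-mode engine that offers the configured host name as SNI, with no DNS lookup. */
    static SSLEngine createClientEngine(SSLContext ctx, String host, int port) {
        // Host and port are advisory peer information for JSSE.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (isIpLiteral(host))
            return engine;  // nothing for an SNI-routing gateway to match on
        try {
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            // Added here: check the certificate against the same name used for routing.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        } catch (IllegalArgumentException e) {
            // SNIHostName rejects names that are not valid host names; send no SNI then.
            System.err.println("No SNI for '" + host + "': " + e.getMessage());
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample addresses in the host:port form used by setAddresses.
        String[] addrs = {"ignite.example.internal:10800", "10.0.0.15:10800"};
        for (String addr : addrs) {
            int idx = addr.lastIndexOf(':');
            String host = addr.substring(0, idx);
            int port = Integer.parseInt(addr.substring(idx + 1));
            List<SNIServerName> names =
                createClientEngine(ctx, host, port).getSSLParameters().getServerNames();
            System.out.println(addr + " -> SNI " + names);
        }
    }
}
```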