Hi, we are using Curator/ZK in a setup where all client-server traffic is using SSL.

Now, we are trying to switch to DynamicConfiguration on the server side. We are aware that the Config-Events for the EnsembleTracker currently only contain the cleartext port, not the SSL port (see https://issues.apache.org/jira/browse/ZOOKEEPER-3166). With a custom EnsembleProvider that overwrites the setConnectString() method and with a convention (we always use 2181 for cleartext and 2281 for SSL), we have worked around this limitation.

But we are hitting another problem now: The configToConnectionString method in the EnsembleTracker basically takes the hostnames/aliases from the config events and generates a connectionString with IP addresses. Unfortunately, in our dynamic network environment, we mainly use DNS aliases, and the IP addresses don't necessarily resolve to the aliases. And our SSL certificates only contain the DNS aliases, not the IP addresses or the physical hostnames.

This now leads to a situation where, after a config event is received, Curator creates new ZK instances with a connect string that contains IP addresses. And then ZK refuses to connect because it can't verify the server certificate hostnames.

    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    .....
    Caused by: java.security.cert.CertificateException: Failed to verify both host address and host name
        at org.apache.zookeeper.common.ZKTrustManager.performHostVerification(ZKTrustManager.java:145)
        at org.apache.zookeeper.common.ZKTrustManager.checkServerTrusted(ZKTrustManager.java:104)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 30 common frames omitted
    Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <physicalhostname> doesn't match any of the subject alternative names: [DNSAlias]
        at org.apache.zookeeper.common.ZKHostnameVerifier.matchDNSName(ZKHostnameVerifier.java:224)
        at org.apache.zookeeper.common.ZKHostnameVerifier.verify(ZKHostnameVerifier.java:170)
        at org.apache.zookeeper.common.ZKTrustManager.performHostVerification(ZKTrustManager.java:141)

Of course, we could turn off SSL hostname verification, but we'd rather not do that.

    ssl.hostnameVerification=false
    ssl.quorum.hostnameVerification=false

What is the reason the EnsembleTracker translates the hostnames/aliases from the config event to IP addresses? I understand that this does not cause issues with plaintext communication, but it easily breaks any dynamic SSL environment. Do you have any recommendation how I can fix this?

CU, Joe
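One way to keep hostname verification enabled in the situation described above, as an added example that is not part of the original post and not Curator's or ZooKeeper's own code: an EnsembleProvider that takes the IP-based connect string the EnsembleTracker pushes through setConnectionString() (the actual method name on Curator's EnsembleProvider interface) and maps each address back onto one of the DNS aliases the operator configured, using forward DNS lookups of those aliases rather than reverse lookups of the IPs, which the post says do not resolve to the aliases. The port convention (2181 cleartext, 2281 SSL) is the one from the post. The class name, the alias list and the "localhost"/"192.0.2.10" values in main() are constructed for the example; the mapping assumes IPv4 addresses in the tracker's string.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Logger;

import org.apache.curator.ensemble.EnsembleProvider;

/**
 * Added example (hypothetical class, not Curator's own): rewrites the
 * "ip:2181,ip:2181[/chroot]" string from the EnsembleTracker into
 * "alias:2281,alias:2281[/chroot]" so the client connects by the names the
 * server certificates carry and hostname verification stays on.
 */
public class AliasPreservingEnsembleProvider implements EnsembleProvider {
    private static final Logger LOG = Logger.getLogger(AliasPreservingEnsembleProvider.class.getName());
    private static final String CLEARTEXT_PORT = "2181"; // convention from the post
    private static final String SSL_PORT = "2281";       // convention from the post

    private final List<String> aliases;                                      // DNS names on the certs
    private final AtomicReference<String> current = new AtomicReference<>(); // last known-good string

    public AliasPreservingEnsembleProvider(List<String> aliases) {
        this.aliases = Collections.unmodifiableList(new ArrayList<>(aliases));
        this.current.set(join(this.aliases, SSL_PORT));
    }

    @Override public void start() { }
    @Override public void close() throws IOException { }
    @Override public boolean updateServerListEnabled() { return true; }
    @Override public String getConnectionString() { return current.get(); }

    @Override
    public void setConnectionString(String fromTracker) {
        // Keep an optional chroot suffix ("host:port,host:port/app") untouched.
        String hosts = fromTracker, chroot = "";
        int slash = fromTracker.indexOf('/');
        if (slash >= 0) { hosts = fromTracker.substring(0, slash); chroot = fromTracker.substring(slash); }

        Map<String, String> ipToAlias = forwardResolve(aliases); // fresh lookup per event: IPs move
        List<String> mapped = new ArrayList<>();
        for (String entry : hosts.split(",")) {
            entry = entry.trim();
            if (entry.isEmpty()) continue;
            int colon = entry.lastIndexOf(':');                    // IPv4 assumed, see lead-in
            String host = colon < 0 ? entry : entry.substring(0, colon);
            String port = colon < 0 ? CLEARTEXT_PORT : entry.substring(colon + 1);
            String alias = aliases.contains(host) ? host : ipToAlias.get(host);
            if (alias == null) {
                // An address tied to no configured alias would fail verification anyway
                // (the SSLPeerUnverifiedException from the post): keep the last good string
                // and make the operator aware instead of silently loosening checks.
                LOG.warning("Ignoring config event: " + host + " matches no configured alias");
                return;
            }
            if (!CLEARTEXT_PORT.equals(port)) {
                LOG.info("Unexpected port " + port + " for " + host + "; using SSL port by convention");
            }
            mapped.add(alias);
        }
        if (!mapped.isEmpty()) current.set(join(mapped, SSL_PORT) + chroot);
    }

    /** alias -> all its A records, inverted to ip -> alias. */
    private static Map<String, String> forwardResolve(List<String> names) {
        Map<String, String> ipToAlias = new HashMap<>();
        for (String name : names) {
            try {
                for (InetAddress addr : InetAddress.getAllByName(name)) {
                    ipToAlias.put(addr.getHostAddress(), name);
                }
            } catch (UnknownHostException e) {
                LOG.warning("Cannot resolve alias " + name + ": " + e.getMessage());
            }
        }
        return ipToAlias;
    }

    private static String join(List<String> hosts, String port) {
        StringBuilder sb = new StringBuilder();
        for (String h : hosts) {
            if (sb.length() > 0) sb.append(',');
            sb.append(h).append(':').append(port);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: "localhost" stands in for a real DNS alias.
        AliasPreservingEnsembleProvider p =
                new AliasPreservingEnsembleProvider(Collections.singletonList("localhost"));
        System.out.println(p.getConnectionString());
        p.setConnectionString("127.0.0.1:2181/app");   // shape of what the tracker pushes
        System.out.println(p.getConnectionString());   // alias and SSL port, chroot kept
        p.setConnectionString("192.0.2.10:2181");      // address tied to no alias: string unchanged
        System.out.println(p.getConnectionString());
    }
}
```

The provider deliberately drops an event containing an address it cannot tie to a configured alias rather than passing the IP through or disabling verification: the connection would fail the certificate check either way, and a logged warning is easier to act on than a handshake error. The cost is that a genuinely new server whose alias is not yet in the configured list is ignored until the list is updated. Whether the rewritten string also reaches ZooKeeper's updateServerList() depends on how the EnsembleTracker of the Curator version in use reads back getConnectionString() after calling setConnectionString(); that is an assumption to check against the version you run.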