The reasoning is lost to history. I think Ioannis worked on that feature. In any event, a PR that makes configToConnectionString() non-static and overridable would be a nice addition I think. Please open a Jira issue and a PR.
-Jordan

> On Apr 1, 2020, at 6:15 PM, Joe Ammann <j...@pyx.ch> wrote:
>
> Hi
>
> we are using Curator/ZK in a setup where all client-server traffic is using
> SSL.
>
> Now, we are trying to switch to DynamicConfiguration on the server side. We
> are aware that the Config-Events for the EnsembleTracker currently only
> contain the cleartext port, not the SSL port (see
> https://issues.apache.org/jira/browse/ZOOKEEPER-3166). With a custom
> EnsembleProvider that overwrites the setConnectString() method and with a
> convention (we always use 2181 for cleartext and 2281 for SSL), we have
> worked around this limitation.
>
> But we are hitting another problem now: The configToConnectionString method
> in the EnsembleTracker basically takes the hostnames/aliases from the config
> events, and generates a connectionString with IP addresses. Unfortunately, in
> our dynamic network environment, we mainly use DNS aliases, and the IP
> addresses don't necessarily resolve to the aliases. And our SSL certificates
> only contain the DNS aliases, not the IP addresses or the physical hostnames.
>
> This leads now to a situation where after a config event is received, Curator
> creates new ZK instances with a connect string that contains IP addresses.
> And then ZK refuses to connect because it can't verify the server certificate
> hostnames.
>
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException:
> General SSLEngine problem
> .....
> Caused by: java.security.cert.CertificateException: Failed to verify both
> host address and host name
>         at org.apache.zookeeper.common.ZKTrustManager.performHostVerification(ZKTrustManager.java:145)
>         at org.apache.zookeeper.common.ZKTrustManager.checkServerTrusted(ZKTrustManager.java:104)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
>         ... 30 common frames omitted
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for
> <physicalhostname> doesn't match any of the subject alternative names:
> [DNSAlias]
>         at org.apache.zookeeper.common.ZKHostnameVerifier.matchDNSName(ZKHostnameVerifier.java:224)
>         at org.apache.zookeeper.common.ZKHostnameVerifier.verify(ZKHostnameVerifier.java:170)
>         at org.apache.zookeeper.common.ZKTrustManager.performHostVerification(ZKTrustManager.java:141)
>
> Of course, we could turn off SSL hostname verification, but we'd rather not
> do that.
>
> ssl.hostnameVerification=false
> ssl.quorum.hostnameVerification=false
>
> What is the reason the EnsembleTracker translates the hostnames/aliases from
> the config event to IP addresses? I understand that this does not cause issues
> with plaintext communication, but it easily breaks any dynamic SSL
> environment.
>
> Do you have any recommendation on how I can fix this?
>
> CU, Joe
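To make the failure mode in the thread concrete, here is an added Python example (not Curator or ZooKeeper code) that parses constructed `server.N=` dynamic-config lines, builds the connect string both ways (IP-based, as the thread describes EnsembleTracker doing, and alias-preserving with the 2181/2281 convention from Joe's workaround), and runs a SAN hostname match over every endpoint. The DNS map, the certificate SANs and the sample config are constructed stand-ins.

```python
import ipaddress
import re

# Constructed sample of the "server.N=" lines a ZooKeeper config event carries.
SAMPLE_DYNAMIC_CONFIG = """
server.1=zk-a.example.test:2888:3888:participant;2181
server.2=zk-b.example.test:2888:3888:participant;2181
server.3=zk-c.example.test:2888:3888:observer;2181
"""
# Constructed stand-in for DNS: the IPs do not reverse-resolve to the aliases.
FAKE_DNS = {"zk-a.example.test": "10.0.0.11", "zk-b.example.test": "10.0.0.12",
            "zk-c.example.test": "10.0.0.13"}
# Constructed certificate SANs (DNS alias only, no IP SAN, as in the thread),
# keyed by every name a server answers at so a dialed host maps to its cert.
CERT_SANS = {name: {"dns": [alias], "ip": []}
             for alias, ip in FAKE_DNS.items() for name in (alias, ip)}
SERVER_RE = re.compile(r"^server\.\d+=([^:]+):\d+:\d+(?::\w+)?;(?:([^:]+):)?(\d+)$")

def parse_dynamic_config(text):
    """Return [(client_host, client_port)] for every server line."""
    members = []
    for line in text.strip().splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable server line: {line!r}")
        quorum_host, client_host, client_port = m.groups()
        members.append((client_host or quorum_host, int(client_port)))
    return members

def connection_string_by_ip(members, resolve):
    """What the thread says EnsembleTracker does: emit ip:port, losing the alias."""
    return ",".join(f"{resolve(host)}:{port}" for host, port in members)

def connection_string_by_alias(members, clear_port=2181, ssl_port=2281):
    """Joe's workaround: keep the alias and map the 2181 cleartext port to 2281."""
    return ",".join(f"{host}:{ssl_port if port == clear_port else port}"
                    for host, port in members)

def hostname_matches_san(dialed_host, sans):
    """TLS hostname check: dialed name must match a DNS SAN, or an IP SAN if an IP."""
    try:
        ip = ipaddress.ip_address(dialed_host)
        return any(ipaddress.ip_address(s) == ip for s in sans["ip"])
    except ValueError:
        return dialed_host.lower() in (s.lower() for s in sans["dns"])

def failing_endpoints(connect_string):
    """Endpoints of the connect string whose hostname verification would fail."""
    pairs = [(ep, ep.rpartition(":")[0]) for ep in connect_string.split(",")]
    return [ep for ep, host in pairs if not hostname_matches_san(host, CERT_SANS[host])]
```

Turning off `ssl.hostnameVerification` would make `failing_endpoints` irrelevant but also removes the only check tying the peer to the name you intended to reach; keeping the alias in the connect string is what lets verification stay on.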