geode-issues mailing list archives

From "Jens Deppe (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (GEODE-574) Gfsh option --ciphers=any does not work the same as without the option
Date Wed, 18 Nov 2015 15:03:10 GMT

     [ https://issues.apache.org/jira/browse/GEODE-574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Deppe updated GEODE-574:
-----------------------------
    Description: 
When using SSL, I can configure particular ciphers to be used. Usually this is done on the
server. When a client connects, it will typically present all the ciphers it supports and
the server will then negotiate the common cipher to use. Gfsh also allows a specific set of
ciphers to be used. The documentation states that the default is "any". However, the option
{{--ciphers=any}} fails the connection, whereas without the option a connection is made.

I have a setup where I'm starting a Geode cluster with the following properties:
{noformat}
mcast-port=0
cluster-ssl-enabled=true
server-ssl-enabled=true
jmx-manager-ssl-enabled=true

cluster-ssl-keystore-type=jks
cluster-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
cluster-ssl-keystore-password=changeit
cluster-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
cluster-ssl-truststore-password=changeit
cluster-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
cluster-ssl-protocols=TLSv1.2

server-ssl-keystore-type=jks
server-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
server-ssl-keystore-password=changeit
server-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
server-ssl-truststore-password=changeit
server-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
server-ssl-protocols=TLSv1.2

jmx-manager-ssl-keystore-type=jks
jmx-manager-ssl-keystore=/Users/jdeppe/debug/ssl/trusted.jks
jmx-manager-ssl-keystore-password=changeit
jmx-manager-ssl-truststore=/Users/jdeppe/debug/ssl/trusted.jks
jmx-manager-ssl-truststore-password=changeit
jmx-manager-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
jmx-manager-ssl-protocols=TLSv1.2
{noformat}

The keystore was created with the following command:
{noformat}
keytool -genkey -alias self -keypass changeit -storepass changeit -keystore test.jks \
  -keyalg EC -keysize 256 -dname "CN=Trusted"
{noformat}

The start script is as follows:

{noformat}
#!/usr/bin/env bash

set -x
set -e

GFSH=/Users/jdeppe/gemfire/82/bin/gfsh
export JAVA_HOME=`/usr/libexec/java_home -v 1.8`

pkill -9 -f ServerLauncher || true
pkill -9 -f LocatorLauncher || true

rm -rf locator1/*
rm -rf server1/*

$GFSH start locator \
  --name=locator1 \
  --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties \
  --port=19991

$GFSH start server \
  --name=server1 \
  --locators=localhost[19991] \
  --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties
{noformat}

If I run gfsh as follows it is able to connect:
{noformat}
$GFSH -e "connect --protocols=TLSv1.2 --locator=localhost[19991] --use-ssl \
  --key-store=$PWD/trusted.jks --trust-store=$PWD/trusted.jks \
  --key-store-password=changeit --trust-store-password=changeit" \
  -e "list members"
{noformat}

However, if I add the option {{--ciphers=any}} to the command above it is not able to connect.

  was:
When using SSL, I can configure particular ciphers to be used. Usually this is done on the
server. When a client connects, it will typically present all the ciphers it supports and
the server will then negotiate the common cipher to use. Gfsh also allows a specific set of
ciphers to be used. The documentation states that the default is "any". However, the option
{{--ciphers=any}} fails the connection, whereas without the option a connection is made.

I have a setup where I'm starting a Geode cluster with the following properties:
{noformat}
mcast-port=0
cluster-ssl-enabled=true
server-ssl-enabled=true
jmx-manager-ssl-enabled=true

cluster-ssl-keystore-type=jks
cluster-ssl-keystore=/Users/jdeppe/debug/citi-ssl/trusted.jks
cluster-ssl-keystore-password=changeit
cluster-ssl-truststore=/Users/jdeppe/debug/citi-ssl/trusted.jks
cluster-ssl-truststore-password=changeit
cluster-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
cluster-ssl-protocols=TLSv1.2

server-ssl-keystore-type=jks
server-ssl-keystore=/Users/jdeppe/debug/citi-ssl/trusted.jks
server-ssl-keystore-password=changeit
server-ssl-truststore=/Users/jdeppe/debug/citi-ssl/trusted.jks
server-ssl-truststore-password=changeit
server-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
server-ssl-protocols=TLSv1.2

jmx-manager-ssl-keystore-type=jks
jmx-manager-ssl-keystore=/Users/jdeppe/debug/citi-ssl/trusted.jks
jmx-manager-ssl-keystore-password=changeit
jmx-manager-ssl-truststore=/Users/jdeppe/debug/citi-ssl/trusted.jks
jmx-manager-ssl-truststore-password=changeit
jmx-manager-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
jmx-manager-ssl-protocols=TLSv1.2
{noformat}

The keystore was created with the following command:
{noformat}
keytool -genkey -alias self -keypass changeit -storepass changeit -keystore test.jks \
  -keyalg EC -keysize 256 -dname "CN=Trusted"
{noformat}

The start script is as follows:

{noformat}
#!/usr/bin/env bash

set -x
set -e

GFSH=/Users/jdeppe/gemfire/82/bin/gfsh
export JAVA_HOME=`/usr/libexec/java_home -v 1.8`

pkill -9 -f ServerLauncher || true
pkill -9 -f LocatorLauncher || true

rm -rf locator1/*
rm -rf server1/*

$GFSH start locator \
  --name=locator1 \
  --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties \
  --port=19991

$GFSH start server \
  --name=server1 \
  --locators=localhost[19991] \
  --properties-file=/Users/jdeppe/debug/ssl/conf/gemfire.properties
{noformat}

If I run gfsh as follows it is able to connect:
{noformat}
$GFSH -e "connect --protocols=TLSv1.2 --locator=localhost[19991] --use-ssl \
  --key-store=$PWD/trusted.jks --trust-store=$PWD/trusted.jks \
  --key-store-password=changeit --trust-store-password=changeit" \
  -e "list members"
{noformat}

However, if I add the option {{--ciphers=any}} to the command above it is not able to connect.
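The description says the documented default for {{--ciphers}} is "any", so the option with that value and the option left out should configure the client identically, with the JSSE provider's default suites offered and the server picking the common one. The following is an added, hypothetical example (not gfsh or Geode code) of how a client-side cipher option can be resolved to meet that expectation: "any", empty and absent all map to "leave the provider defaults alone", and any suite name the provider does not support is rejected with a readable message before the handshake. The class name {{CipherOption}} and both methods are assumptions for the illustration. It also guards against one plausible (assumed, not confirmed by the report) failure mode: {{SSLSocket.setEnabledCipherSuites}} throws {{IllegalArgumentException}} for any name it does not recognise, so forwarding the literal string "any" to it cannot succeed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Hypothetical helper, not part of gfsh or Geode.
public final class CipherOption {

    /**
     * Resolves a --ciphers style option value against the suites the JSSE provider
     * actually supports. Returns null when the option is absent, empty, or "any":
     * the caller must then leave the provider's default enabled suites untouched
     * rather than calling setEnabledCipherSuites with a literal "any".
     */
    static String[] resolve(String option, String[] supported) {
        if (option == null) {
            return null;
        }
        String trimmed = option.trim();
        if (trimmed.isEmpty() || trimmed.equalsIgnoreCase("any")) {
            return null;
        }

        List<String> supportedList = Arrays.asList(supported);
        List<String> accepted = new ArrayList<>();
        List<String> unknown = new ArrayList<>();
        for (String name : trimmed.split(",")) {
            String suite = name.trim();
            if (suite.isEmpty()) {
                continue;
            }
            if (supportedList.contains(suite)) {
                accepted.add(suite);
            } else {
                unknown.add(suite);
            }
        }
        // Fail early with the offending names instead of a bare handshake failure.
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("Unsupported cipher suite(s): " + unknown);
        }
        if (accepted.isEmpty()) {
            throw new IllegalArgumentException("No usable cipher suite in: " + option);
        }
        return accepted.toArray(new String[0]);
    }

    /** Applies the option to a socket; null from resolve() means keep the provider defaults. */
    static void apply(SSLSocket socket, String option) {
        String[] chosen = resolve(option, socket.getSupportedCipherSuites());
        if (chosen != null) {
            socket.setEnabledCipherSuites(chosen);
        }
    }

    public static void main(String[] args) throws Exception {
        // Supported suites of the default provider, the same list a real SSLSocket reports.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        // Constructed sample option values: absent, "any", the suite from the report, and a bogus name.
        String[] samples = {null, "any", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "bogus"};
        for (String opt : samples) {
            try {
                String[] result = resolve(opt, supported);
                System.out.println(opt + " -> "
                        + (result == null ? "provider defaults" : Arrays.toString(result)));
            } catch (IllegalArgumentException e) {
                System.out.println(opt + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with {{javac CipherOption.java && java CipherOption}}; the two cases that should behave the same, no option and {{any}}, both print "provider defaults", the real suite name is echoed back if the JDK supports it, and the bogus name is rejected with its name in the message. Restricting to a single suite such as {{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}} on both sides, as the properties above do, is the stricter configuration; a client that cannot express "no restriction" correctly is the operational problem this helper avoids.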


> Gfsh option --ciphers=any does not work the same as without the option
> ----------------------------------------------------------------------
>
>                 Key: GEODE-574
>                 URL: https://issues.apache.org/jira/browse/GEODE-574
>             Project: Geode
>          Issue Type: Bug
>          Components: management
>            Reporter: Jens Deppe
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
