zookeeper-dev mailing list archives

From "Feng Shaobao (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-2949) SSL ServerName not set when using hostname, some proxies may failed to proxy the request.
Date Mon, 27 Nov 2017 03:27:00 GMT
Feng Shaobao created ZOOKEEPER-2949:
---------------------------------------

             Summary: SSL ServerName not set when using hostname, some proxies may failed
to proxy the request.
                 Key: ZOOKEEPER-2949
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
             Project: ZooKeeper
          Issue Type: Bug
          Components: java client
    Affects Versions: 3.5.3
         Environment: In our environment, the zk clusters are all behind a proxy. The proxy
decides to transfer the request from the client based on the "ServerName" field in the SSL Hello
packet (the proxy serves SSL only), but the Hello packets that the zk client sends to the proxy
do not contain the "ServerName" field. After inspecting the code, we found that this is because
the zk client did not specify the peerHost when initializing the SSLContext.
            Reporter: Feng Shaobao
             Fix For: 3.5.4


In the method initSSL of class ZKClientPipelineFactory, it initializes the SSLEngine like below:

sslEngine = sslContext.createSSLEngine();

Actually the sslContext provides another factory method that receives the hostName and port
parameters.

public final SSLEngine createSSLEngine(String hostName, int port)

If we call this method to create the SSLEngine, then the proxy will know which zk cluster
it really wants to access.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
