Date: Mon, 27 Nov 2017 03:28:00 +0000 (UTC)
From: "Feng Shaobao (JIRA)"
To: dev@zookeeper.apache.org
Subject: [jira] [Updated] (ZOOKEEPER-2949) SSL ServerName not set when using hostname, some proxies may failed to proxy the request.

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Feng Shaobao updated ZOOKEEPER-2949:
------------------------------------
    Description:
In our environment, the zk clusters are all behind a proxy. The proxy decides how to forward the request from the client based on the "ServerName" field in the SSL Hello packet (the proxy serves SSL only), but the Hello packets that the zk client sends to the proxy do not contain the "ServerName" field. After inspecting the code, we found that this is because the zk client did not specify the peerHost when initializing the SSLContext.

In the method initSSL of class ZKClientPipelineFactory, it initializes the SSLEngine like below:

sslEngine = sslContext.createSSLEngine();

Actually the sslContext provides another factory method that receives the hostName and port parameters:

public final SSLEngine createSSLEngine(String hostName, int port)

If we call this method to create the SSLEngine, then the proxy will know which zk cluster it really wants to access.

  was:
In the method initSSL of class ZKClientPipelineFactory, it initializes the SSLEngine like below:

sslEngine = sslContext.createSSLEngine();

Actually the sslContext provides another factory method that receives the hostName and port parameters:

public final SSLEngine createSSLEngine(String hostName, int port)

If we call this method to create the SSLEngine, then the proxy will know which zk cluster it really wants to access.

> SSL ServerName not set when using hostname, some proxies may failed to proxy the request.
> -----------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2949
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.5.3
>         Environment: In our environment, the zk clusters are all behind a proxy. The proxy decides how to forward the request from the client based on the "ServerName" field in the SSL Hello packet (the proxy serves SSL only), but the Hello packets that the zk client sends to the proxy do not contain the "ServerName" field. After inspecting the code, we found that this is because the zk client did not specify the peerHost when initializing the SSLContext.
>            Reporter: Feng Shaobao
>             Fix For: 3.5.4
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
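The ticket's point, shown in working Java as an added example (this is not ZooKeeper's code and not the reporter's patch): an SSLEngine created without a peer host has nothing to place in the TLS `server_name` (SNI) extension, while one created with `createSSLEngine(host, port)` does. The helper below also sets the SNI name explicitly and turns on endpoint identification, so the peer host is not only advertised to the proxy but also checked against the server certificate. The class name, helper names, the host `zk1.example.internal` and the port are all constructed for this illustration.

```java
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added illustration (not ZooKeeper code): building a client-mode SSLEngine
 * that carries the peer host, so the ClientHello includes an SNI name and
 * the server certificate is verified against that host.
 */
public final class SniClientEngineExample {

    // RFC 6066 forbids IP literals in SNI; a dotted quad or anything containing ':' is treated as one.
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    static boolean isIpLiteral(String host) {
        return IPV4.matcher(host).matches() || host.indexOf(':') >= 0;
    }

    /** The form the ticket argues against: no peer host, so JSSE has nothing to put in SNI. */
    static SSLEngine engineWithoutPeer(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    /** The form the ticket proposes, plus an explicit SNI name and hostname verification. */
    static SSLEngine engineWithPeer(SSLContext ctx, String peerHost, int peerPort) {
        // Peer host/port tell JSSE which server is being contacted.
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        if (!isIpLiteral(peerHost)) {
            // State the SNI name explicitly instead of relying on the provider to derive it.
            params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(peerHost)));
        }
        // Require the certificate presented by the server to match peerHost;
        // without this, any certificate chaining to the trust store is accepted.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** True when the engine's parameters carry at least one SNI server name. */
    static boolean carriesSni(SSLEngine engine) {
        List<SNIServerName> names = engine.getSSLParameters().getServerNames();
        return names != null && !names.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Sample peer address, constructed for this example.
        String host = "zk1.example.internal";
        int port = 2281;

        System.out.println("no peer host   -> SNI present: " + carriesSni(engineWithoutPeer(ctx)));
        System.out.println("with peer host -> SNI present: " + carriesSni(engineWithPeer(ctx, host, port)));
        System.out.println("IP literal     -> SNI present: " + carriesSni(engineWithPeer(ctx, "10.0.0.5", port)));
    }
}
```

The `isIpLiteral` guard matters for ZooKeeper-style connect strings, which are often IP addresses: SNI cannot carry an IP literal, so an SNI-based proxy can only route connections made to a hostname, which is also what the ticket title says. Setting the endpoint identification algorithm is the defensive half of the same change: once the client knows the peer host, it should also refuse a certificate issued for a different name.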