Posted to issues@geode.apache.org by "sophie (Jira)" <ji...@apache.org> on 2020/01/02 09:30:00 UTC

[jira] [Commented] (GEODE-6740) TLS endpoint identification fails using hostnames

    [ https://issues.apache.org/jira/browse/GEODE-6740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17006690#comment-17006690 ] 

sophie commented on GEODE-6740:
-------------------------------

Excuse me, has this bug been fixed in a later version? Or do we still need to do the same workaround? Thanks.

> TLS endpoint identification fails using hostnames
> -------------------------------------------------
>
>                 Key: GEODE-6740
>                 URL: https://issues.apache.org/jira/browse/GEODE-6740
>             Project: Geode
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.8.0
>            Reporter: Ken Howe
>            Assignee: Charlie Black
>            Priority: Major
>              Labels: GeodeCommons, security
>
> Tried to start a cluster with the following Geode security properties. 
> {code}
> ssl-enabled-components=cluster,web,jmx,locator,server
> ssl-endpoint-identification-enabled=true
> {code}
> The certificate has the valid hostname wildcard as the SAN list.
> All the Geode config files and parameters use this hostname.
> {code}
> -Dgemfire.locators=3177423e-d7dd-4b27-932d-d33b4bdf5783.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221],983d2e55-988e-437d-8b10-8b3dffc8cc82.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221],8c222f26-22da-4e42-8d1e-e13a86808600.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221]
> {code}
> {code}
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             21:fc:3f:07:bc:47:5b:46:e3:07:da:c3:39:27:45:c4:83:67:39:4d
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=gemfire-ssl
>         Validity
>             Not Before: May  2 21:43:51 2019 GMT
>             Not After : May  1 21:43:51 2020 GMT
>         Subject: CN=gemfire-locator-ssl
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 B8:84:1E:B6:74:C3:B4:BC:61:88:93:52:27:71:E2:92:EA:72:85:C4
>             X509v3 Subject Alternative Name:
>                 DNS:*.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh
>             X509v3 Authority Key Identifier:
>                 keyid:41:33:74:8E:ED:6D:94:2E:B1:9C:01:68:9B:6F:3C:B7:AF:5A:ED:6C
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
> {code}
> This resulted in the following error when starting up the locators:
> {code}
> [severe 2019/05/02 19:45:54.422 UTC locator-707059cc-9aad-47a9-8fa9-b045a14d5b80 <main> tid=0x1] SSL Error in connecting to peer /10.0.8.9[55222].
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.8.9 found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
>     at org.apache.geode.internal.net.SocketCreator.configureClientSSLSocket(SocketCreator.java:1069)
>     at org.apache.geode.internal.net.SocketCreator.connect(SocketCreator.java:932)
>     at org.apache.geode.internal.net.SocketCreator.connect(SocketCreator.java:894)
>     at org.apache.geode.internal.net.SocketCreator.connectForServer(SocketCreator.java:873)
>     at org.apache.geode.internal.tcp.Connection.<init>(Connection.java:1264)
>     at org.apache.geode.internal.tcp.Connection.createSender(Connection.java:1066)
>     at org.apache.geode.internal.tcp.ConnectionTable.handleNewPendingConnection(ConnectionTable.java:305)
>     at org.apache.geode.internal.tcp.ConnectionTable.getSharedConnection(ConnectionTable.java:413)
>     at org.apache.geode.internal.tcp.ConnectionTable.get(ConnectionTable.java:598)
>     at org.apache.geode.internal.tcp.TCPConduit.getConnection(TCPConduit.java:947)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.getConnections(DirectChannel.java:557)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.sendToMany(DirectChannel.java:336)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.sendToOne(DirectChannel.java:251)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.send(DirectChannel.java:616)
>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.directChannelSend(GMSMembershipManager.java:1686)
>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.send(GMSMembershipManager.java:1864)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendViaMembershipManager(ClusterDistributionManager.java:2865)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendOutgoing(ClusterDistributionManager.java:2785)
>     at org.apache.geode.distributed.internal.StartupOperation.sendStartupMessage(StartupOperation.java:75)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendStartupMessage(ClusterDistributionManager.java:2248)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.create(ClusterDistributionManager.java:567)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.initialize(InternalDistributedSystem.java:769)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:362)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:348)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:342)
>     at org.apache.geode.distributed.DistributedSystem.connect(DistributedSystem.java:215)
>     at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:630)
>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:309)
>     at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:643)
>     at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:551)
>     at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:193)
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.8.9 found
>     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
>     ... 38 more
> {code}
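The quoted stack trace ends in sun.security.util.HostnameChecker.matchIP: the locator connected to its peer by IP address (10.0.8.9), so the JDK compared that IP only against iPAddress SANs, and the certificate's single DNS wildcard SAN was never consulted. The Python below is an added illustration of that rule, not code from Geode or from the reporter; it models the JDK's identity check (IP literals match only iPAddress SANs, hostnames match only dNSName SANs, a wildcard covers exactly one leftmost label) against a SAN list transcribed from the certificate dump above, and the hostnames and IP SAN used in the demo are constructed from the values in the issue.

```python
"""Model of TLS endpoint identification (RFC 6125 / JDK HostnameChecker style).

Added example for the GEODE-6740 report; not Geode code. It shows why a peer
addressed by IP literal cannot be matched by a certificate whose only SAN is a
DNS wildcard, and what the certificate would need instead.
"""
import ipaddress
from typing import Iterable, List, Tuple

# SAN list transcribed from the certificate dump in the issue.
LOCATOR_SANS: List[Tuple[str, str]] = [
    ("DNS", "*.locator.jackson-services-subnet."
            "service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh"),
]


def is_ip_literal(identity: str) -> bool:
    """True when the peer identity is an IPv4/IPv6 literal, not a hostname."""
    try:
        ipaddress.ip_address(identity.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """dNSName matching: case-insensitive; '*' allowed only as the entire
    leftmost label of a pattern with at least two further labels; the
    wildcard matches exactly one non-empty label (never 'a.b.' or nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lb for lb in p_labels[1:]):
        return False
    if len(p_labels) < 3:          # reject "*.bosh"-style patterns
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def check_identity(identity: str,
                   sans: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (matched, reason). An IP literal is only ever compared with
    iPAddress SANs and a hostname only with dNSName SANs; the two never cross,
    which is exactly the situation in the quoted locator startup failure."""
    sans = list(sans)
    if is_ip_literal(identity):
        ip = ipaddress.ip_address(identity.strip("[]"))
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, (f"No subject alternative names matching IP address "
                       f"{identity} found")
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, identity):
            return True, f"dNSName SAN {value} matches"
    return False, f"No subject alternative DNS name matching {identity} found"


# Identities constructed from the issue: one locator hostname from the
# -Dgemfire.locators list, and the peer IP from the error message.
LOCATOR_HOST = ("3177423e-d7dd-4b27-932d-d33b4bdf5783.locator."
                "jackson-services-subnet."
                "service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh")
PEER_IP = "10.0.8.9"

if __name__ == "__main__":
    print(check_identity(PEER_IP, LOCATOR_SANS))       # fails: no iPAddress SAN
    print(check_identity(LOCATOR_HOST, LOCATOR_SANS))  # succeeds via wildcard
    # Hypothetical remediation on the certificate side: an iPAddress SAN per member.
    print(check_identity(PEER_IP, LOCATOR_SANS + [("IP Address", PEER_IP)]))
```

The two ways out are visible in the last three calls: either every member's certificate carries an iPAddress SAN for the address peers actually dial (fragile in an environment like BOSH where addresses move), or the identity handed to the TLS layer must be the member's hostname so that the existing DNS wildcard applies. A quick offline check of which SAN types a certificate really has is `openssl x509 -in cert.pem -noout -ext subjectAltName`, which is what the dump in the report corresponds to.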



--
This message was sent by Atlassian Jira
(v8.3.4#803005)