You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Jens Deppe (JIRA)" <ji...@apache.org> on 2016/02/08 17:58:40 UTC
[jira] [Updated] (GEODE-396) One way SSL authentication between
client and server fails
[ https://issues.apache.org/jira/browse/GEODE-396?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Deppe updated GEODE-396:
-----------------------------
Description:
If the {{server-ssl-require-authentication}} property is configured like below so that clients aren't required to be SSL-authenticated by the server:
On client: {{server-ssl-require-authentication=true}}
On server: {{server-ssl-require-authentication=false}}
Then, this exception occurs on the server:
{noformat}
[severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
at java.lang.Thread.run(Thread.java:745)
{noformat}
This happens because the {{AcceptorImpl accept}} method uses the default {{SocketCreator}}, not a {{SocketCreator}} configured with the {{server-ssl-*}} properties. The default {{SocketCreator}} is configured using the {{cluster-ssl-*}} properties not the {{server-ssl-*}} properties.
The attached test reproduces this issue, and the attached patch is a potential fix for it.
Also, if {{server-ssl-enabled=true}}, the {{AcceptorImpl}} constructor logs the message below. It should not be doing this since the value of javax.net.ssl properties can contain sensitive data.
{noformat}
[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
javax.net.ssl.keyStoreType=jks
javax.net.ssl.trustStorePassword=password
javax.net.ssl.keyStorePassword=password
javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
{noformat}
was:
If the {{{server-ssl-require-authentication}}} property is configured like below so that clients aren't required to be SSL-authenticated by the server:
On client: {{{server-ssl-require-authentication=true}}}
On server: {{{server-ssl-require-authentication=false}}}
Then, this exception occurs on the server:
{{{
[severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
at java.lang.Thread.run(Thread.java:745)
}}}
This happens because the {{{AcceptorImpl accept}}} method uses the default {{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the {{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured using the {{{cluster-ssl-*}}} properties not the {{{server-ssl-*}}} properties.
The attached test reproduces this issue, and the attached patch is a potential fix for it.
Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor logs the message below. It should not be doing this since the value of jaax.net.ssl properties can contain sensitive data.
{{{
[info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
javax.net.ssl.keyStoreType=jks
javax.net.ssl.trustStorePassword=password
javax.net.ssl.keyStorePassword=password
javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
}}}
> One way SSL authentication between client and server fails
> ----------------------------------------------------------
>
> Key: GEODE-396
> URL: https://issues.apache.org/jira/browse/GEODE-396
> Project: Geode
> Issue Type: Bug
> Components: core
> Reporter: Darrel Schneider
> Assignee: Darrel Schneider
> Fix For: 1.0.0-incubating.M1
>
>
> If the {{server-ssl-require-authentication}} property is configured like below so that clients aren't required to be SSL-authenticated by the server:
> On client: {{server-ssl-require-authentication=true}}
> On server: {{server-ssl-require-authentication=false}}
> Then, this exception occurs on the server:
> {noformat}
> [severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
> at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
> at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
> at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> This happens because the {{AcceptorImpl accept}} method uses the default {{SocketCreator}}, not a {{SocketCreator}} configured with the {{server-ssl-*}} properties. The default {{SocketCreator}} is configured using the {{cluster-ssl-*}} properties not the {{server-ssl-*}} properties.
> The attached test reproduces this issue, and the attached patch is a potential fix for it.
> Also, if {{server-ssl-enabled=true}}, the {{AcceptorImpl}} constructor logs the message below. It should not be doing this since the value of javax.net.ssl properties can contain sensitive data.
> {noformat}
> [info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
> javax.net.ssl.keyStoreType=jks
> javax.net.ssl.trustStorePassword=password
> javax.net.ssl.keyStorePassword=password
> javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
> javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)