Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:47:05 UTC

[jira] [Closed] (GEODE-9991) SSL protocol and cipher preferences are ignored when endpoint verification is enabled.

     [ https://issues.apache.org/jira/browse/GEODE-9991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Nichols closed GEODE-9991.
-------------------------------

> SSL protocol and cipher preferences are ignored when endpoint verification is enabled.
> --------------------------------------------------------------------------------------
>
>                 Key: GEODE-9991
>                 URL: https://issues.apache.org/jira/browse/GEODE-9991
>             Project: Geode
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 1.12.8, 1.12.9, 1.13.7, 1.13.8, 1.14.3, 1.14.4, 1.15.0
>            Reporter: Jacob Barrett
>            Assignee: Jacob Barrett
>            Priority: Major
>              Labels: blocks-1.15.0, pull-request-available, ssl
>             Fix For: 1.15.0
>
>
> When SSL endpoint verification is enabled the configuration for protocols and ciphers reverts to the {{SSLContext}}'s client mode defaults. This can result in difficulty upgrading the JDK when the newer JDK may use different defaults for client and server mode SSL.
> Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation with a backport from Java 11. This changed the default server protocols from {{[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]}} to {{[TLSv1.3,TLSv1.2,SSLv2Hello]}} and client to {{[TLSv1.3,TLSv1.2]}}. With this bug the server protocols get reset to the client protocols, dropping support for the {{SSLv2Hello}} protocol, which is the first priority protocol by default in the old JDK.
> The result is a failure to handshake with the following exception:
> {{javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled}}
> To reproduce you need to have endpoint validation enabled on your SSL configuration. Set your protocols to `any`. Start 1st locator with JDK older than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK 1.8.0_u272. 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
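Added example, not Geode's own code: a small Java check that contrasts the failure mode described in the issue with a pattern that keeps the operator's protocol configuration. It assumes (the page does not show the code) that enabling endpoint verification built its SSLParameters from the context's client-mode defaults via getDefaultSSLParameters(); the TLSv1.2-only configuration and the class name are constructed for the demonstration.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointVerificationCheck {

  // Constructed operator configuration: restrict the server to TLSv1.2 only.
  static final String[] CONFIGURED_PROTOCOLS = {"TLSv1.2"};

  // Assumed buggy pattern: parameters built from the context's (client-mode)
  // defaults carry their own protocol and cipher lists, so setSSLParameters
  // silently replaces whatever was configured on the engine.
  static String[] enableVerificationFromContextDefaults(SSLContext ctx, SSLEngine engine) {
    SSLParameters params = ctx.getDefaultSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    engine.setSSLParameters(params);
    return engine.getEnabledProtocols();
  }

  // Preserving pattern: start from the engine's current parameters so the
  // configured protocols and cipher suites survive enabling verification.
  static String[] enableVerificationPreservingConfig(SSLEngine engine) {
    SSLParameters params = engine.getSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    engine.setSSLParameters(params);
    return engine.getEnabledProtocols();
  }

  static SSLEngine newServerEngine(SSLContext ctx) {
    SSLEngine engine = ctx.createSSLEngine();
    engine.setUseClientMode(false); // server side, like a locator accepting peers
    engine.setEnabledProtocols(CONFIGURED_PROTOCOLS);
    return engine;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, null, null); // default managers are enough to inspect parameters

    String[] lost = enableVerificationFromContextDefaults(ctx, newServerEngine(ctx));
    String[] kept = enableVerificationPreservingConfig(newServerEngine(ctx));
    System.out.println("configured:             " + Arrays.toString(CONFIGURED_PROTOCOLS));
    System.out.println("after context defaults: " + Arrays.toString(lost));
    System.out.println("after preserving:       " + Arrays.toString(kept));
    // Startup self-check: fail fast if enabling verification altered the protocol list.
    if (!Arrays.equals(kept, CONFIGURED_PROTOCOLS)) {
      throw new IllegalStateException("endpoint verification altered the enabled protocols");
    }
  }
}
```

The first printed list shows the configured restriction replaced by the JDK's client-mode defaults, which is the same silent substitution that produced the SSLv2Hello handshake failure between locators on different JDK builds.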