Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/09/23 18:54:01 UTC

[GitHub] [pulsar] racorn opened a new pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

racorn opened a new pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117


   ### Motivation
   The Java Pulsar client does not currently set the SNI header when it creates TLS connections using the binary protocol to brokers (except when using proxyUrl with SNI routing).
   
   If the client always sets the SNI header, it can enable ingress routing using reverse proxies like HAProxy, possibly in combination with external advertised addresses.
   
   ### Modifications
   
   - `org.apache.pulsar.client.impl.PulsarChannelInitializer` modified to set up the SslHandler after the Netty channel is registered. A new method `CompletableFuture<Channel> initTls(Channel ch, InetSocketAddress sniHost)` was added to explicitly specify the remote peer.
   
   - `org.apache.pulsar.client.impl.ConnectionPool` modified to always invoke `PulsarChannelInitializer.initTls` with a peer host if TLS is enabled.
   
   - Added method `public SSLEngine createSSLEngine(String peerHost, int peerPort)` to `org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext` so SNI header is irrespective of using OpenSSL or internal Java TLS.
   
   
   
   ### Verifying this change
   
   - Added `org.apache.pulsar.client.api.TlsSniTest` to verify that using an IP-address in the brokerServiceUrl does not cause problems.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698190449


   /pulsarbot run-failure-checks





[GitHub] [pulsar] rdhabalia merged pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
rdhabalia merged pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117


   





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698454633


   /pulsarbot run-failure-checks








[GitHub] [pulsar] wolfstudy commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
wolfstudy commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-717693664


   Move this change to 2.6.2, because the #8177 depends on this pr.





[GitHub] [pulsar] rdhabalia commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
rdhabalia commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-697942240


   /pulsarbot run-failure-checks








[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698350699


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698371905


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698324726


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698243893


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-697980451


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698294275


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698437005


   /pulsarbot run-failure-checks





[GitHub] [pulsar] racorn commented on pull request #8117: Always use SNI for TLS enabled Pulsar Java broker client.

Posted by GitBox <gi...@apache.org>.
racorn commented on pull request #8117:
URL: https://github.com/apache/pulsar/pull/8117#issuecomment-698481925


   @rdhabalia Thanks. Finally got all checks to pass.

