Posted to dev@geode.apache.org by Mario Salazar de Torres <ma...@est.tech> on 2021/11/30 18:37:01 UTC

Client terminating when trying to connect to an SSL configured locator

Hi everyone,

During some tests, we've noted that if a client tries to connect to an SSL configured locator, and the client does not have SSL configured, it terminates due to an unhandled exception.
You can check the behaviour here for geode-native: https://github.com/apache/geode-native/blob/develop/cppcache/src/ThinClientLocatorHelper.cpp#L147
And here for the Java client: https://github.com/apache/geode/blob/develop/geode-tcp-server/src/main/java/org/apache/geode/distributed/internal/tcpserver/TcpClient.java#L278

And here is the question. Do you know if there is any reason behind it?
Also, do you happen to know if there is any upgrade case in which SSL is enabled on the newer version? Because I am guessing this kind of upgrade might be problematic, right?

Thanks!
Mario

Re: Client terminating when trying to connect to an SSL configured locator

Posted by Mario Salazar de Torres <ma...@est.tech>.
Hi Dan,

It's clear that supporting this case is tricky, both technically and in terms of security. However, luckily that's not the goal here.
The thing is, what we've observed is that during some scenario (probably while using a proxy, like Envoy), the client receives a response from locators which it is not expecting.
In the case of Java, the answer to VersionRequest is not a VersionResponse, which in the end seems to terminate the calling thread (quite concerning, as the client could continue while several background tasks are stopped).
In the case of geode-native, if the first byte of the locator response is 21, then it considers that the locator has SSL enabled, and if the client does not have SSL configured then it exits.

The thing is, we are considering changing this behavior, at least for the Java client, as just terminating the thread is quite concerning. So, do you happen to know why this logic was implemented?
I think it's quite important to have that kind of insight before considering a change.

Thanks!
Mario.
________________________________
From: Dan Smith <da...@vmware.com>
Sent: Wednesday, December 1, 2021 11:28 PM
To: dev@geode.apache.org <de...@geode.apache.org>
Subject: Re: Client terminating when trying to connect to an SSL configured locator

I guess the alternative would be for the client to automatically switch to SSL if it detected the server was using SSL? It is not currently doing that, as you discovered.

That might be a nice feature to have to support upgrading to SSL. At some point, it is important for users that want SSL to configure their client to only use SSL, to prevent downgrade attacks.

I think we would consider a geode change that turns on SSL by default to be a breaking change. I can imagine some users might want to upgrade to using SSL in their existing cluster. For clients, I think that could be accomplished by running both an SSL and a non-SSL enabled locator, for example. I'm not sure if it's possible to switch the P2P messaging to use SSL with a rolling upgrade right now though.

-Dan
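The "first byte is 21" check Mario describes for geode-native is the TLS record-layer content type for an alert, which is what a TLS-only locator sends back when it receives a plaintext request. The following C++ is an added example, not code from geode or geode-native, showing how a client could decode that reply and turn it into a typed error the caller can handle instead of exiting the process or killing the calling thread. The LocatorSslMismatch type, the function names and the sample byte strings are all constructed for this illustration. It deliberately does not switch the client to SSL on its own, in line with Dan's point about downgrade attacks: the mismatch is reported, and the client's SSL setting stays whatever the operator configured.

```cpp
// Added example: not geode or geode-native code. Recognise the TLS alert an
// SSL-only locator returns to a plaintext request (first byte 21, the byte
// geode-native tests) and surface it as a typed error rather than exiting.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

enum class LocatorReplyKind { TooShort, TlsAlert, TlsHandshake, Plaintext };

// Error type assumed for this example; the caller decides how to report it.
// The client is never switched to SSL automatically, so a misconfigured
// client cannot be silently upgraded or downgraded.
struct LocatorSslMismatch : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// TLS record header: content type (1 byte), protocol version (2), length (2).
// Content type 21 = alert, 22 = handshake; the version major byte is 3 for
// every TLS version (RFC 5246 / RFC 8446).
LocatorReplyKind classifyLocatorReply(const std::vector<uint8_t>& buf) {
    if (buf.size() < 5) return LocatorReplyKind::TooShort;
    const bool tlsVersion = (buf[1] == 0x03 && buf[2] <= 0x04);
    if (tlsVersion && buf[0] == 21) return LocatorReplyKind::TlsAlert;
    if (tlsVersion && buf[0] == 22) return LocatorReplyKind::TlsHandshake;
    return LocatorReplyKind::Plaintext;  // hand to the normal locator protocol decoder
}

// Names of the TLS alert descriptions a plaintext client is most likely to
// see from a TLS-only peer (RFC 5246 section 7.2).
std::string tlsAlertName(uint8_t description) {
    switch (description) {
        case 10: return "unexpected_message";
        case 40: return "handshake_failure";
        case 70: return "protocol_version";
        case 80: return "internal_error";
        default: return "alert(" + std::to_string(description) + ")";
    }
}

// Decode an alert record: 5-byte header, then a 2-byte body (level, description).
std::string describeTlsAlert(const std::vector<uint8_t>& buf) {
    if (classifyLocatorReply(buf) != LocatorReplyKind::TlsAlert) return "not a TLS alert";
    const std::size_t len = (std::size_t(buf[3]) << 8) | buf[4];
    if (len != 2 || buf.size() < 7) return "malformed TLS alert";
    const std::string level = (buf[5] == 2) ? "fatal" : "warning";
    return level + " " + tlsAlertName(buf[6]);
}

// Replacement for "exit on first byte 21": throw a typed error carrying what
// the locator actually sent, so the caller can log it and fail this connect
// attempt without taking down the process.
void ensureLocatorReplyIsPlaintext(const std::vector<uint8_t>& buf) {
    switch (classifyLocatorReply(buf)) {
        case LocatorReplyKind::TlsAlert:
            throw LocatorSslMismatch("locator answered with TLS " + describeTlsAlert(buf) +
                                     "; locator requires SSL but this client has none configured");
        case LocatorReplyKind::TlsHandshake:
            throw LocatorSslMismatch("locator answered with a TLS handshake record; "
                                     "locator requires SSL but this client has none configured");
        case LocatorReplyKind::TooShort:
            throw LocatorSslMismatch("locator reply shorter than a TLS record header");
        case LocatorReplyKind::Plaintext:
            return;
    }
}

// Convenience check: true when the reply is rejected as an SSL mismatch.
bool rejectsAsSslMismatch(const std::vector<uint8_t>& buf) {
    try {
        ensureLocatorReplyIsPlaintext(buf);
    } catch (const LocatorSslMismatch&) {
        return true;
    }
    return false;
}

// Constructed sample replies (not captured from a real locator).
// fatal (2) handshake_failure (40) alert, TLS 1.2 record version:
const std::vector<uint8_t> kFatalHandshakeFailure = {0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28};
// a handshake record (server_hello type byte, truncated body):
const std::vector<uint8_t> kTlsHandshakeRecord = {0x16, 0x03, 0x03, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00};
// placeholder plaintext reply; the real locator framing is not reproduced here:
const std::vector<uint8_t> kPlaintextReply = {'V', 'E', 'R', 'S', 'I', 'O', 'N'};
```

The classifier only peeks at the record header, so it works on whatever the first read returned; anything that is not a TLS record is passed on to the normal protocol decoder, which is where the Java client's "not a VersionResponse" case would then be handled with the same kind of typed error.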

Re: Client terminating when trying to connect to an SSL configured locator

Posted by Dan Smith <da...@vmware.com>.
I guess the alternative would be for the client to automatically switch to SSL if it detected the server was using SSL? It is not currently doing that, as you discovered.

That might be a nice feature to have to support upgrading to SSL. At some point, it is important for users that want SSL to configure their client to only use SSL, to prevent downgrade attacks.

I think we would consider a geode change that turns on SSL by default to be a breaking change. I can imagine some users might want to upgrade to using SSL in their existing cluster. For clients, I think that could be accomplished by running both an SSL and a non-SSL enabled locator, for example. I'm not sure if it's possible to switch the P2P messaging to use SSL with a rolling upgrade right now though.

-Dan