You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Anthony Baker (JIRA)" <ji...@apache.org> on 2016/01/08 05:40:48 UTC

[jira] [Updated] (GEODE-396) One way SSL authentication between client and server fails

     [ https://issues.apache.org/jira/browse/GEODE-396?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anthony Baker updated GEODE-396:
--------------------------------
    Fix Version/s: 1.0.0-alpha1

> One way SSL authentication between client and server fails
> ----------------------------------------------------------
>
>                 Key: GEODE-396
>                 URL: https://issues.apache.org/jira/browse/GEODE-396
>             Project: Geode
>          Issue Type: Bug
>          Components: core
>            Reporter: Darrel Schneider
>            Assignee: Darrel Schneider
>             Fix For: 1.0.0-alpha1
>
>
> If the {{{server-ssl-require-authentication}}} property is configured like below so that clients aren't required to be SSL-authenticated by the server:
> On client: {{{server-ssl-require-authentication=true}}}
> On server: {{{server-ssl-require-authentication=false}}}
> Then, this exception occurs on the server:
> {{{
> [severe 2015/10/05 13:31:23.465 PDT server1 <Cache Server Acceptor 0.0.0.0/0.0.0.0:63520 local port: 63520> tid=0x40] SSL Error in authenticating peer /192.168.2.12[63,528].
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> 	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
> 	at com.gemstone.gemfire.internal.SocketCreator.configureServerSSLSocket(SocketCreator.java:1080)
> 	at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.accept(AcceptorImpl.java:1327)
> 	at com.gemstone.gemfire.internal.cache.tier.sockets.AcceptorImpl.run(AcceptorImpl.java:1227)
> 	at java.lang.Thread.run(Thread.java:745)
> }}}
> This happens because the {{{AcceptorImpl accept}}} method uses the default {{{SocketCreator}}}, not a {{{SocketCreator}}} configured with the {{{server-ssl-*}}} properties. The default {{{SocketCreator}}} is configured using the {{{cluster-ssl-*}}} properties not the {{{server-ssl-*}}} properties.
> The attached test reproduces this issue, and the attached patch is a potential fix for it.
> Also, if {{{server-ssl-enabled=true}}}, the {{{AcceptorImpl}}} constructor logs the message below. It should not be doing this since the value of jaax.net.ssl properties can contain sensitive data.
> {{{
> [info 2015/10/05 11:53:16.930 PDT server1 <main> tid=0x1] Starting CacheServer with SSL config : Authentication Required true Ciphers any Protocols any Other Properties -- listing properties --
>   javax.net.ssl.keyStoreType=jks
>   javax.net.ssl.trustStorePassword=password
>   javax.net.ssl.keyStorePassword=password
>   javax.net.ssl.keyStore=/Users/boglesby/Dev/Tests/authenticat...
>   javax.net.ssl.trustStore=/Users/boglesby/Dev/Tests/authenticat...
> }}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)