[ https://issues.apache.org/jira/browse/ZOOKEEPER-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16271069#comment-16271069 ]

ASF GitHub Bot commented on ZOOKEEPER-2949:
-------------------------------------------

Github user mfenes commented on the issue:

    https://github.com/apache/zookeeper/pull/423
  
    Could you please provide a description of your change?


> SSL ServerName not set when using hostname, some proxies may failed to proxy 
> the request.
> -----------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2949
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2949
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.5.3
>         Environment: In our environment, the zk clusters are all behind a 
> proxy. The proxy decides where to transfer the request from the client based 
> on the "ServerName" field in the SSL Hello packet (the proxy serves SSL only), 
> but the Hello packets that the zk client sends to the proxy do not contain the 
> "ServerName" field. After inspecting the code, we found that this is because 
> the zk client did not specify the peerHost when initializing the SSLContext.
>            Reporter: Feng Shaobao
>             Fix For: 3.6.0
>
>   Original Estimate: 12h
>  Remaining Estimate: 12h
>
> In our environment, the zk clusters are all behind a proxy. The proxy decides 
> where to transfer the request from the client based on the "ServerName" field 
> in the SSL Hello packet (the proxy serves SSL only), but the Hello packets 
> that the zk client sends to the proxy do not contain the "ServerName" field. 
> After inspecting the code, we found that this is because the zk client did 
> not specify the peerHost when initializing the SSLContext.
> In the method initSSL of class ZKClientPipelineFactory, it initializes the 
> SSLEngine like below:
> sslEngine = sslContext.createSSLEngine();
> Actually, the sslContext provides another factory method that receives the 
> hostName and port parameters.
> public final SSLEngine createSSLEngine(String hostName, int port)
> If we call this method to create the SSLEngine, then the proxy will know 
> which zk cluster it really wants to access.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
