[ 
https://issues.apache.org/jira/browse/GEODE-6740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16834011#comment-16834011
 ] 

Dan Smith commented on GEODE-6740:
----------------------------------

Ken and I looked a little bit into where the IP address is coming from in this 
case, even though all of the config properties have hostnames.

The socket we are trying to create is to an address that we got from an 
InternalDistributedMember from our membership layer. I'm pretty sure these are 
always going to be IP addresses with the way the membership layer works right 
now - when we serialize an InternalDistributedMember it looks like we only send 
the IP address (InternalDistributedMember.toData calls 
DataSerializer.writeInetAddress, which writes the IP). So we may have to do a 
reverse DNS lookup somewhere.



> TLS endpoint identification fails using hostnames
> -------------------------------------------------
>
>                 Key: GEODE-6740
>                 URL: https://issues.apache.org/jira/browse/GEODE-6740
>             Project: Geode
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.8.0
>            Reporter: Kenneth Howe
>            Priority: Major
>              Labels: security
>
> Tried to start a cluster with the following Geode security properties. 
> {code}
> ssl-enabled-components=cluster,web,jmx,locator,server
> ssl-endpoint-identification-enabled=true
> {code}
> The certificate has the valid hostname wildcard as the SAN list.
> All the Geode config files and parameters use this hostname.
> {code}
> -Dgemfire.locators=3177423e-d7dd-4b27-932d-d33b4bdf5783.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221],983d2e55-988e-437d-8b10-8b3dffc8cc82.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221],8c222f26-22da-4e42-8d1e-e13a86808600.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh[55221]
> {code}
> {code}
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             21:fc:3f:07:bc:47:5b:46:e3:07:da:c3:39:27:45:c4:83:67:39:4d
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=gemfire-ssl
>         Validity
>             Not Before: May  2 21:43:51 2019 GMT
>             Not After : May  1 21:43:51 2020 GMT
>         Subject: CN=gemfire-locator-ssl
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 B8:84:1E:B6:74:C3:B4:BC:61:88:93:52:27:71:E2:92:EA:72:85:C4
>             X509v3 Subject Alternative Name:
>                 DNS:*.locator.jackson-services-subnet.service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh
>             X509v3 Authority Key Identifier:
>                 keyid:41:33:74:8E:ED:6D:94:2E:B1:9C:01:68:9B:6F:3C:B7:AF:5A:ED:6C
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
> {code}
> This resulted in the error starting up the locators
> {code}
> [severe 2019/05/02 19:45:54.422 UTC locator-707059cc-9aad-47a9-8fa9-b045a14d5b80 <main> tid=0x1] SSL Error in connecting to peer /10.0.8.9[55222].
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.8.9 found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
>     at org.apache.geode.internal.net.SocketCreator.configureClientSSLSocket(SocketCreator.java:1069)
>     at org.apache.geode.internal.net.SocketCreator.connect(SocketCreator.java:932)
>     at org.apache.geode.internal.net.SocketCreator.connect(SocketCreator.java:894)
>     at org.apache.geode.internal.net.SocketCreator.connectForServer(SocketCreator.java:873)
>     at org.apache.geode.internal.tcp.Connection.<init>(Connection.java:1264)
>     at org.apache.geode.internal.tcp.Connection.createSender(Connection.java:1066)
>     at org.apache.geode.internal.tcp.ConnectionTable.handleNewPendingConnection(ConnectionTable.java:305)
>     at org.apache.geode.internal.tcp.ConnectionTable.getSharedConnection(ConnectionTable.java:413)
>     at org.apache.geode.internal.tcp.ConnectionTable.get(ConnectionTable.java:598)
>     at org.apache.geode.internal.tcp.TCPConduit.getConnection(TCPConduit.java:947)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.getConnections(DirectChannel.java:557)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.sendToMany(DirectChannel.java:336)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.sendToOne(DirectChannel.java:251)
>     at org.apache.geode.distributed.internal.direct.DirectChannel.send(DirectChannel.java:616)
>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.directChannelSend(GMSMembershipManager.java:1686)
>     at org.apache.geode.distributed.internal.membership.gms.mgr.GMSMembershipManager.send(GMSMembershipManager.java:1864)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendViaMembershipManager(ClusterDistributionManager.java:2865)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendOutgoing(ClusterDistributionManager.java:2785)
>     at org.apache.geode.distributed.internal.StartupOperation.sendStartupMessage(StartupOperation.java:75)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.sendStartupMessage(ClusterDistributionManager.java:2248)
>     at org.apache.geode.distributed.internal.ClusterDistributionManager.create(ClusterDistributionManager.java:567)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.initialize(InternalDistributedSystem.java:769)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:362)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:348)
>     at org.apache.geode.distributed.internal.InternalDistributedSystem.newInstance(InternalDistributedSystem.java:342)
>     at org.apache.geode.distributed.DistributedSystem.connect(DistributedSystem.java:215)
>     at org.apache.geode.distributed.internal.InternalLocator.startDistributedSystem(InternalLocator.java:630)
>     at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:309)
>     at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:643)
>     at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:551)
>     at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:193)
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.8.9 found
>     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
>     ... 38 more
> {code}
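The failure in the trace comes down to one dispatch inside the JDK's HostnameChecker: when the connect target is an IP literal, only IP-type SAN entries are consulted (matchIP), so a certificate that carries only a DNS wildcard can never match a peer addressed as 10.0.8.9. The example below is added here and is not Geode or JDK code; it models that dispatch and RFC 6125 wildcard matching in plain Python, then shows the two ways the mismatch resolves: identify the peer by a hostname obtained from a reverse lookup (the remedy floated in the comment above), or issue certificates that also carry IP SANs. The SAN list copies the DNS wildcard printed in the issue; the PTR_TABLE mapping 10.0.8.9 to the first locator hostname from the -Dgemfire.locators value is constructed, since the report does not say which locator owns that address.

```python
"""Model of the TLS endpoint-identification decision behind GEODE-6740.

Added example, not Geode or JDK code. Constructed assumptions:
  - LOCATOR_SANS copies the single DNS wildcard SAN from the report's cert;
  - PTR_TABLE stands in for a reverse-DNS answer and maps the reported peer
    IP to one of the locator hostnames from the -Dgemfire.locators value.
"""
import ipaddress
from typing import Dict, List, Tuple

SanList = List[Tuple[str, str]]  # (kind, value) with kind in {"DNS", "IP"}

LOCATOR_SUFFIX = ("locator.jackson-services-subnet."
                  "service-instance-ec7f6a7b-eb04-45e7-9f1f-eaff60a5be25.bosh")

# SAN entries as printed in the issue: one DNS wildcard, no IP entries.
LOCATOR_SANS: SanList = [("DNS", "*." + LOCATOR_SUFFIX)]

# Constructed reverse-DNS table (hypothetical PTR data, not from the report).
PTR_TABLE: Dict[str, str] = {
    "10.0.8.9": "3177423e-d7dd-4b27-932d-d33b4bdf5783." + LOCATOR_SUFFIX,
}


def is_ip_literal(target: str) -> bool:
    """True when the connect target is an IPv4/IPv6 literal, not a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard may only
    stand for the whole left-most label, so '*.a.b.c' matches 'x.a.b.c' but
    neither 'y.x.a.b.c' nor 'a.b.c'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as '*.bosh' (fewer than two labels
        # after the wildcard), in the spirit of the JDK's public-suffix rule.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_identity(target: str, sans: SanList) -> Tuple[bool, str]:
    """Mirror the HostnameChecker dispatch visible in the stack trace: an IP
    literal is compared against IP SANs only, a hostname against DNS SANs
    only. Returns (ok, reason)."""
    if is_ip_literal(target):
        wanted = ipaddress.ip_address(target)
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == wanted:
                return True, f"IP address {target} matched SAN IP:{value}"
        return False, f"No subject alternative names matching IP address {target} found"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, target):
            return True, f"hostname {target} matched SAN DNS:{value}"
    return False, f"No subject alternative DNS name matching {target} found"


def check_identity_via_reverse_lookup(ip: str, sans: SanList,
                                      ptr_table: Dict[str, str]) -> Tuple[bool, str]:
    """Resolve the member's IP back to a hostname before identification runs.
    A PTR record is published by whoever controls the address block, so the
    lookup must come from a resolver the cluster already trusts; an absent
    mapping fails closed rather than falling back to the IP comparison."""
    hostname = ptr_table.get(ip)
    if hostname is None:
        return False, f"no reverse mapping for {ip}; identification cannot proceed"
    return check_identity(hostname, sans)


if __name__ == "__main__":
    # As reported: IP target, DNS-only SAN list -> the CertificateException text.
    print(check_identity("10.0.8.9", LOCATOR_SANS))
    # Remedy 1: identify by reverse-resolved hostname.
    print(check_identity_via_reverse_lookup("10.0.8.9", LOCATOR_SANS, PTR_TABLE))
    # Remedy 2: a certificate that also carries an IP SAN.
    print(check_identity("10.0.8.9", LOCATOR_SANS + [("IP", "10.0.8.9")]))
```

Running the block prints the same "No subject alternative names matching IP address 10.0.8.9 found" reason for the reported case, a match once the target is the reverse-resolved locator hostname, and a match when an IP SAN is added. Of the two remedies, adding IP SANs keeps the identity check anchored in the certificate alone, whereas the reverse-lookup path makes the check only as strong as the resolver that answers the PTR query.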



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
