[ https://issues.apache.org/jira/browse/GEODE-9139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428371#comment-17428371 ]

ASF subversion and git services commented on GEODE-9139:
--------------------------------------------------------

Commit b39958fafa8690bb978710018a6ecf2bc56244f3 in geode's branch 
refs/heads/develop from Aaron Lindsey
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=b39958f ]

GEODE-9666: Avoid caching InetSocketAddress (#6938)

The changes for GEODE-9139 changed the behavior of
org.apache.geode.distributed.internal.tcpserver.HostAndPort to
permanently cache the internal InetSocketAddress once it has tried one
time to resolve the address. This undoes part of the fix introduced by
GEODE-7808, in which HostAndPort was created as a way to hold an
unresolved hostname.

The issue is that the cached InetSocketAddress may contain a stale or
unresolved address which will be returned by getSocketInetAddress for
the lifetime of the HostAndPort/InetSocketWrapper object. This prevents
the address from being resolved correctly after changes in DNS records.
(Such changes are common in cloud environments.)

This commit removes the cached internal InetSocketAddress from
InetSocketWrapper so that getSocketInetAddress will try to resolve the
address each time it is called with an unresolved address.

> SSLException in starting up a Locator
> -------------------------------------
>
>                 Key: GEODE-9139
>                 URL: https://issues.apache.org/jira/browse/GEODE-9139
>             Project: Geode
>          Issue Type: Bug
>          Components: membership, messaging
>            Reporter: Bruce J Schuchardt
>            Assignee: Kamilla Aslami
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.15.0
>
>
> If you start up a locator using its host name, without a domain name, as a 
> bind address you may get an SSLException in the form
> {noformat}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
> No subject alternative DNS name matching hostname.domainname found
> {noformat}
> The LocatorLauncher and InternalLocator throw away the bind address string 
> and later do a reverse lookup to find the fully qualified hostname to use in 
> endpoint identification matching. If the locator's own TLS certificate 
> doesn't have the fully qualified name in it as a Subject Alternate Name the 
> connection that the Locator makes to its own location service will fail.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
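
Added example, not part of the commit or of Geode's code: a simplified offline model of the caching behaviour the commit message above describes, contrasted with resolving on each call. The class names, the in-memory DNS map, the host name and the addresses are all constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.HashMap;
import java.util.Map;

public class ResolveEachTime {
  // Constructed stand-in for DNS so the demo runs offline: host name -> current IPv4 record.
  static final Map<String, byte[]> DNS = new HashMap<>();

  static InetSocketAddress lookup(String host, int port) throws Exception {
    byte[] ip = DNS.get(host);
    return ip == null
        ? InetSocketAddress.createUnresolved(host, port) // name does not resolve (yet)
        : new InetSocketAddress(InetAddress.getByAddress(host, ip), port);
  }

  // Models the problem: the first lookup result is kept for the object's lifetime.
  static class CachingEndpoint {
    private final String host;
    private final int port;
    private InetSocketAddress cached;
    CachingEndpoint(String host, int port) { this.host = host; this.port = port; }
    InetSocketAddress get() throws Exception {
      if (cached == null) cached = lookup(host, port);
      return cached;
    }
  }

  // Models the fix: hold only host name and port, look the address up on every call.
  static class ResolvingEndpoint {
    private final String host;
    private final int port;
    ResolvingEndpoint(String host, int port) { this.host = host; this.port = port; }
    InetSocketAddress get() throws Exception { return lookup(host, port); }
  }

  public static void main(String[] args) throws Exception {
    String host = "locator.example"; // constructed name
    CachingEndpoint caching = new CachingEndpoint(host, 10334);
    ResolvingEndpoint resolving = new ResolvingEndpoint(host, 10334);
    System.out.println("no record yet: " + caching.get() + " vs " + resolving.get());
    DNS.put(host, new byte[] {10, 0, 0, 5});
    System.out.println("record added:  " + caching.get() + " vs " + resolving.get());
    DNS.put(host, new byte[] {10, 0, 0, 9});
    System.out.println("record moved:  " + caching.get() + " vs " + resolving.get());
  }
}
```

The caching endpoint keeps returning the unresolved address from its first call, while the resolving endpoint follows each change to the record.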
