[ https://issues.apache.org/jira/browse/GEODE-9991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518352#comment-17518352 ]
ASF subversion and git services commented on GEODE-9991:
--------------------------------------------------------

Commit 75ea5f7f6f8f6cbd751463dfaab6342762858c58 in geode's branch refs/heads/develop from Jacob Barrett
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=75ea5f7f6f ]

GEODE-9991: Refactor for consistency and add tests. (#7533)

* Combine common configuration into method for consistency.
* Adds tests for new extracted methods.

> SSL protocol and cipher preferences are ignored when endpoint verification is
> enabled.
> --------------------------------------------------------------------------------------
>
>                 Key: GEODE-9991
>                 URL: https://issues.apache.org/jira/browse/GEODE-9991
>             Project: Geode
>          Issue Type: Bug
>          Components: core, security
>    Affects Versions: 1.12.8, 1.12.9, 1.13.7, 1.13.8, 1.14.3, 1.14.4, 1.15.0
>            Reporter: Jacob Barrett
>            Assignee: Jacob Barrett
>            Priority: Major
>              Labels: blocks-1.15.0, pull-request-available, ssl
>             Fix For: 1.15.0
>
>
> When SSL endpoint verification is enabled the configuration for protocols and
> ciphers reverts to the {{SSLContext}}'s client mode defaults. This can result
> in difficulty upgrading the JDK when the newer JDK may use different defaults
> for client and server mode SSL.
>
> Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation
> with a back port from Java 11. This changed the default server protocols from
> {{[SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2]}} to {{[TLSv1.3,TLSv1.2,SSLv2Hello]}}
> and client to {{[TLSv1.3,TLSv1.2]}}. With this bug the server protocols
> get reset to the client protocols, dropping support for the {{SSLv2Hello}}
> protocol, which is the first priority protocol by default in the old JDK.
>
> The result is a failure to handshake with the following exception:
> {{javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled}}
>
> To reproduce you need to have endpoint validation enabled on your SSL
> configuration. Set your protocols to `any`. Start 1st locator with JDK older
> than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK
> 1.8.0_u272.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
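The issue above describes a configuration-loss pattern in JSSE: building the parameters used to turn on endpoint verification from `SSLContext.getDefaultSSLParameters()` (which carries the context's client-mode protocol and cipher defaults) instead of from the engine that already had the operator's protocols applied. The following Java program is an added illustration of that pattern next to the preserving form; it is not Geode's code and does not reproduce the Geode change in commit 75ea5f7f. The method names, the `"TLSv1.2"` server protocol list and the `"HTTPS"` identification algorithm are choices made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointVerificationParams {

    // Pattern behind the bug report (illustrative, not Geode's code): the
    // context's default parameters are client-mode defaults, so applying them
    // to the engine replaces whatever protocols/ciphers were configured before.
    static SSLParameters lossyEnableEndpointVerification(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    // Preserving form: start from the engine's current parameters, so the
    // explicitly enabled protocols and cipher suites survive the change.
    static SSLParameters preservingEnableEndpointVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    // Check a practitioner can run in a test: did enabling endpoint
    // verification keep the protocol list the engine was configured with?
    static boolean preservesProtocols(SSLEngine engine, SSLParameters params) {
        return Arrays.equals(engine.getEnabledProtocols(), params.getProtocols());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        // Operator-configured server protocol list (constructed for this example).
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});

        SSLParameters lossy = lossyEnableEndpointVerification(ctx);
        SSLParameters kept = preservingEnableEndpointVerification(engine);

        System.out.println("configured: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("lossy form: " + Arrays.toString(lossy.getProtocols())
                + " preserved=" + preservesProtocols(engine, lossy));
        System.out.println("preserving: " + Arrays.toString(kept.getProtocols())
                + " preserved=" + preservesProtocols(engine, kept));
    }
}
```

On a JDK whose client-mode default protocol list differs from the engine's configured list, the lossy form reports a different protocol array (and `preserved=false`), which is the same class of mismatch the report describes between an old-JDK server list containing `SSLv2Hello` and a newer JDK's client defaults. Asserting `preservesProtocols` in a unit test is a cheap regression guard for any code path that enables endpoint identification.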