Pavel Tupitsyn created IGNITE-24906:
---------------------------------------
Summary: .NET: Client Node Discovery fails with HTTPS enabled
Key: IGNITE-24906
URL: https://issues.apache.org/jira/browse/IGNITE-24906
Project: Ignite
Issue Type: Bug
Components: platforms, thin client
Affects Versions: 2.17, 2.16, 2.15
Reporter: Pavel Tupitsyn
Assignee: Pavel Tupitsyn
Fix For: 2.18
Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
certificate validation issues.
Steps to Reproduce:
* Set up a cluster where each node has HTTPS enabled and a trusted certificate
with both the hostname and DNS alias in the SAN list.
* Connect to the cluster using the .NET Thin Client.
* Enable Automatic Server Node Discovery
(IgniteClientConfiguration.EnableClusterDiscovery).
Observe that the discovery process fails with a RemoteCertificateNameMismatch
error.
Observed Behavior:
The error occurs because discovery requests target IP addresses instead of
hostnames.
Since the IP addresses are not included in the certificate's SAN list,
certificate validation fails.
The error is logged in the background, but the client is still able to connect.
Expected Behavior:
Automatic Server Node Discovery should not fail when each host has a valid,
trusted certificate.
Discovery requests should use hostnames instead of IP addresses for HTTPS
connections.
Additional Information:
Related log output:
{code}
[11:16:49] [Error] [ClientFailoverSocket] Failed to update topology information
(exception: System.Security.Authentication.AuthenticationException: The remote
certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
sslAuthenticationOptions)
at
System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
isAsync, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
sslClientAuthenticationOptions)
at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
targetHost)
at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
socket, IgniteClientConfiguration cfg, String host)
at
Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
Action`1 topVerCallback, Marshaller marshaller)
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
node)
at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
_))
{code}
Potential cause: ClientFailoverSocket in the .NET client uses IP endpoints
instead of hostnames.
Reference:
[ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
