[
https://issues.apache.org/jira/browse/IGNITE-24906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pavel Tupitsyn updated IGNITE-24906:
------------------------------------
Description:
Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
certificate validation issues.
*Steps to Reproduce:*
* Set up a cluster where each node has HTTPS enabled and a trusted certificate
with both the hostname and DNS alias in the SAN list.
* Connect to the cluster using the .NET Thin Client.
* Enable Automatic Server Node Discovery
(IgniteClientConfiguration.EnableClusterDiscovery).
* Observe that the discovery process fails with a
*RemoteCertificateNameMismatch* error.
*Observed Behavior:*
* The error occurs because discovery requests target IP addresses instead of
hostnames.
* Since the IP addresses are not included in the certificate's SAN list,
certificate validation fails.
* The error is logged in the background, but the client is still able to
connect.
*Expected Behavior:*
* Automatic Server Node Discovery should not fail when each host has a valid,
trusted certificate.
* Discovery requests should use hostnames instead of IP addresses for HTTPS
connections.
*Log output:*
{code}
[11:16:49] [Error] [ClientFailoverSocket] Failed to update topology information
(exception: System.Security.Authentication.AuthenticationException: The remote
certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
sslAuthenticationOptions)
at
System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
isAsync, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
sslClientAuthenticationOptions)
at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
targetHost)
at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
socket, IgniteClientConfiguration cfg, String host)
at
Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
Action`1 topVerCallback, Marshaller marshaller)
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
node)
at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
_))
{code}
Potential cause: *ClientFailoverSocket* in the .NET client uses IP endpoints
instead of hostnames.
Reference:
[ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
was:
Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
certificate validation issues.
*Steps to Reproduce:*
* Set up a cluster where each node has HTTPS enabled and a trusted certificate
with both the hostname and DNS alias in the SAN list.
* Connect to the cluster using the .NET Thin Client.
* Enable Automatic Server Node Discovery
(IgniteClientConfiguration.EnableClusterDiscovery).
* Observe that the discovery process fails with a
*RemoteCertificateNameMismatch* error.
*Observed Behavior:*
* The error occurs because discovery requests target IP addresses instead of
hostnames.
* Since the IP addresses are not included in the certificate's SAN list,
certificate validation fails.
* The error is logged in the background, but the client is still able to
connect.
*Expected Behavior:*
* Automatic Server Node Discovery should not fail when each host has a valid,
trusted certificate.
* Discovery requests should use hostnames instead of IP addresses for HTTPS
connections.
*Related log output: *
{code}
[11:16:49] [Error] [ClientFailoverSocket] Failed to update topology information
(exception: System.Security.Authentication.AuthenticationException: The remote
certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
sslAuthenticationOptions)
at
System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
isAsync, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
sslClientAuthenticationOptions)
at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
targetHost)
at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
socket, IgniteClientConfiguration cfg, String host)
at
Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
Action`1 topVerCallback, Marshaller marshaller)
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
node)
at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
_))
{code}
Potential cause: *ClientFailoverSocket* in the .NET client uses IP endpoints
instead of hostnames.
Reference:
[ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
> .NET: Client Node Discovery fails with HTTPS enabled
> ----------------------------------------------------
>
> Key: IGNITE-24906
> URL: https://issues.apache.org/jira/browse/IGNITE-24906
> Project: Ignite
> Issue Type: Bug
> Components: platforms, thin client
> Affects Versions: 2.15, 2.16, 2.17
> Reporter: Pavel Tupitsyn
> Assignee: Pavel Tupitsyn
> Priority: Major
> Labels: .NET
> Fix For: 2.18
>
>
> Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
> certificate validation issues.
> *Steps to Reproduce:*
> * Set up a cluster where each node has HTTPS enabled and a trusted
> certificate with both the hostname and DNS alias in the SAN list.
> * Connect to the cluster using the .NET Thin Client.
> * Enable Automatic Server Node Discovery
> (IgniteClientConfiguration.EnableClusterDiscovery).
> * Observe that the discovery process fails with a
> *RemoteCertificateNameMismatch* error.
> *Observed Behavior:*
> * The error occurs because discovery requests target IP addresses instead of
> hostnames.
> * Since the IP addresses are not included in the certificate's SAN list,
> certificate validation fails.
> * The error is logged in the background, but the client is still able to
> connect.
> *Expected Behavior:*
> * Automatic Server Node Discovery should not fail when each host has a valid,
> trusted certificate.
> * Discovery requests should use hostnames instead of IP addresses for HTTPS
> connections.
> *Log output:*
> {code}
> [11:16:49] [Error] [ClientFailoverSocket] Failed to update topology
> information (exception:
> System.Security.Authentication.AuthenticationException: The remote
> certificate was rejected by the provided RemoteCertificateValidationCallback.
> at
> System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
> sslAuthenticationOptions)
> at
> System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
> receiveFirst, Byte[] reAuthenticationData, CancellationToken
> cancellationToken)
> at
> System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
> isAsync, CancellationToken cancellationToken)
> at
> System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
> sslClientAuthenticationOptions)
> at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
> targetHost)
> at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
> socket, IgniteClientConfiguration cfg, String host)
> at
> Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
> clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
> Action`1 topVerCallback, Marshaller marshaller)
> at
> Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
> node)
> at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
> at
> Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
> _))
> {code}
> Potential cause: *ClientFailoverSocket* in the .NET client uses IP endpoints
> instead of hostnames.
> Reference:
> [ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
