Wei-Chiu Chuang created HDDS-9878:
-------------------------------------
Summary: Disable Server Name Indication (SNI) for Jetty
Key: HDDS-9878
URL: https://issues.apache.org/jira/browse/HDDS-9878
Project: Apache Ozone
Issue Type: Bug
Reporter: Wei-Chiu Chuang
In a cluster I noticed error messages that indicate a potential issue related
to SNI, similar to what's described in HADOOP-16718.
Server Name Indication (SNI) was added as an extension to the TLS protocol that
lets clients request that a public certificate for a specific host name be returned.
This feature was added primarily for virtual hosting scenarios where a client
may connect to the same IP to connect to one of many virtual hosted servers.
Currently, our servers have no use for this feature as we do not support such a
virtual hosting scenario.
If the server's JKS file has a private/public key/cert pairing that is valid
but it also has another *trustedCertEntry* certificate that has the hostname in
subjectAltName extension, the trusted cert gets picked.
It sounds like we can port the fix in HADOOP-16718 into Ozone.
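Added example, not part of the original message and not Ozone or Hadoop code: a small audit tool that lists a JKS keystore's entries and flags any trustedCertEntry whose subjectAltName carries the server's hostname, which is the keystore layout described above. The class name KeystoreSanAudit and the KEYSTORE_PASS environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Usage: KEYSTORE_PASS=... java KeystoreSanAudit <keystore.jks> <server-hostname>
// KEYSTORE_PASS is a hypothetical variable name chosen for this example.
public class KeystoreSanAudit {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    // Collect the dNSName values from a certificate's subjectAltName extension.
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when no SAN
        if (sans == null) return names;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == SAN_DNS_NAME) names.add((String) san.get(1));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], host = args[1];
        String pass = System.getenv("KEYSTORE_PASS");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // A null password skips the integrity check; certificates stay readable.
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias); // leaf cert for key entries
            if (!(c instanceof X509Certificate)) continue;
            // Exact, case-insensitive comparison only; wildcard SANs are not expanded.
            boolean match = dnsNames((X509Certificate) c).stream().anyMatch(host::equalsIgnoreCase);
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            System.out.printf("%-17s alias=%s sanMatchesHost=%b%n", kind, alias, match);
            if (ks.isCertificateEntry(alias) && match) flagged++;
        }
        System.out.println(flagged + " trustedCertEntry alias(es) carry " + host + " in subjectAltName");
        System.exit(flagged > 0 ? 1 : 0); // non-zero exit so a deployment check can fail on it
    }
}
```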