[ https://issues.apache.org/jira/browse/IGNITE-16627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maria Makedonskaya updated IGNITE-16627:
----------------------------------------
    Description:
Motivation: There are cases when Ignite clients are connecting to a cluster which is located inside Kubernetes (k8s) and the k8s cluster has an ingress gateway that routes TLS traffic using the SNI extension.

Need to provide hostnames from org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI extension.

SSLContext for the Java thin client is created in org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional SSLParameters (like it's done in org.apache.ignite.ssl.SslContextFactory#createSslContext). To add the SNI extension, need to add hostnames via javax.net.ssl.SSLParameters#setServerNames.

Also need to check that other thin clients and thick clients add SNI to the handshake.

Possibly in org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we additionally need to replace

from:
{code:java}
engine = this.sslCtx.createSSLEngine();{code}
to:
{code:java}
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(), ses.remoteAddress().getPort());{code}
In this case, if an IP address is set to ClientConfiguration#setAddresses, then the SNI extension will be added with the reverse lookup hostname. If a hostname with a port is set to ClientConfiguration#setAddresses, no SNI extension will be added.

  was:
Motivation: There are cases when Ignite clients are connecting to a cluster which is located inside Kubernetes (k8s) and the k8s cluster has an ingress gateway that routes TLS traffic using the SNI extension.

Need to provide hostnames from org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI extension.

SSLContext for the Java thin client is created in org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext.
Possibly we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional SSLParameters (like it's done in org.apache.ignite.ssl.SslContextFactory#createSslContext). To add the SNI extension, need to add hostnames via javax.net.ssl.SSLParameters#setServerNames.

Also need to check that other thin clients and thick clients add SNI to the handshake.

Possibly in org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we additionally need to replace

from:
{code:java}
engine = this.sslCtx.createSSLEngine();{code}
to:
{code:java}
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(), ses.remoteAddress().getPort());{code}
In this case, if you provide an IP address to ClientConfiguration#setAddresses, then the SNI extension will be added with the reverse lookup hostname. If you provide a hostname with a port to ClientConfiguration#setAddresses, no SNI extension will be added.


> SNI extension is missing when Java thin client is connecting to Ignite
> cluster with SSL enabled
> -----------------------------------------------------------------------------------------------
>
>                 Key: IGNITE-16627
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16627
>             Project: Ignite
>          Issue Type: Bug
>          Components: thin client
>    Affects Versions: 2.11
>            Reporter: Maria Makedonskaya
>            Priority: Major
>
> Motivation: There are cases when Ignite clients are connecting to a cluster
> which is located inside Kubernetes (k8s) and the k8s cluster has an ingress
> gateway that routes TLS traffic using the SNI extension.
> Need to provide hostnames from
> org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI
> extension.
> SSLContext for the Java thin client is created in
> org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly
> we can use org.apache.ignite.ssl.SSLContextWrapper there to provide
> additional SSLParameters (like it's done in
> org.apache.ignite.ssl.SslContextFactory#createSslContext).
> To add the SNI extension, need to add hostnames via
> javax.net.ssl.SSLParameters#setServerNames.
> Also need to check that other thin clients and thick clients add SNI to
> the handshake.
> Possibly in
> org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we
> additionally need to replace
> from:
> {code:java}
> engine = this.sslCtx.createSSLEngine();{code}
> to:
> {code:java}
> engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(),
> ses.remoteAddress().getPort());{code}
> In this case, if an IP address is set to ClientConfiguration#setAddresses,
> then the SNI extension will be added with the reverse lookup hostname. If a
> hostname with a port is set to ClientConfiguration#setAddresses, no SNI
> extension will be added.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
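
An added example, not part of the Jira issue or of Ignite's code base: one way to take the SNI name from the configured address string via SSLParameters#setServerNames instead of from a reverse lookup, using only JDK classes. The class name, helper names, the sample addresses and the plain "host" / "host:port" address format are assumptions made for the illustration.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniFromConfiguredAddress {
    // Assumption: 10800 is used when the address carries no port.
    static final int DFLT_PORT = 10800;

    // Heuristic: anything still containing ':' (IPv6) or shaped like a dotted quad
    // is treated as an IP literal, which must not be sent as an SNI host name.
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Builds a client-mode engine for an address written as "host" or "host:port".
    static SSLEngine clientEngine(SSLContext ctx, String addr) {
        String host = addr;
        int port = DFLT_PORT;
        int idx = addr.indexOf(':');
        if (idx > 0 && idx == addr.lastIndexOf(':')) { // exactly one colon: host:port
            host = addr.substring(0, idx);
            port = Integer.parseInt(addr.substring(idx + 1));
        }
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (!isIpLiteral(host)) {
            // Name comes from the configured string; no DNS or reverse lookup involved.
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            engine.setSSLParameters(params);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample addresses: one host name, one IP literal.
        for (String addr : new String[] {"ignite.example.internal:10800", "10.0.0.5:10800"}) {
            List<SNIServerName> names =
                clientEngine(ctx, addr).getSSLParameters().getServerNames();
            System.out.println(addr + " -> server names: " + names);
        }
    }
}
```

Capturing the ClientHello (for example with -Djavax.net.debug=ssl:handshake) confirms whether the server_name extension is actually sent for each address form.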