[ https://issues.apache.org/jira/browse/IGNITE-16627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maria Makedonskaya updated IGNITE-16627:
----------------------------------------
Description:
Motivation: There are cases when Ignite clients are connecting to a cluster
which is located inside Kubernetes (k8s) and the k8s cluster has an ingress gateway
that routes TLS traffic using the SNI extension.
Need to provide hostnames from
org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI
extension.
SSLContext for the Java thin client is created in
org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly
we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional
SSLParameters (like it's done in
org.apache.ignite.ssl.SslContextFactory#createSslContext). For adding the SNI
extension we need to add hostnames via javax.net.ssl.SSLParameters#setServerNames.
Also need to check that other thin clients and thick clients add SNI to
handshake.
Possibly in
org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we
need additionally to replace
from:
{code:java}
engine = this.sslCtx.createSSLEngine();{code}
to:
{code:java}
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(),
ses.remoteAddress().getPort());{code}
In this case, if an IP address is set to ClientConfiguration#setAddresses then
SNI extension will be added with reverse lookup hostname. If hostname with a
port is set to ClientConfiguration#setAddresses no SNI extension will be added.
was:
Motivation: There are cases when Ignite clients are connecting to a cluster
which is located inside Kubernetes (k8s) and the k8s cluster has an ingress gateway
that routes TLS traffic using the SNI extension.
Need to provide hostnames from
org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI
extension.
SSLContext for the Java thin client is created in
org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly
we can use org.apache.ignite.ssl.SSLContextWrapper there to provide additional
SSLParameters (like it's done in
org.apache.ignite.ssl.SslContextFactory#createSslContext). For adding the SNI
extension we need to add hostnames via javax.net.ssl.SSLParameters#setServerNames.
Also need to check that other thin clients and thick clients add SNI to
handshake.
Possibly in
org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we
need additionally to replace
from:
{code:java}
engine = this.sslCtx.createSSLEngine();{code}
to:
{code:java}
engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(),
ses.remoteAddress().getPort());{code}
In this case, if you provide an IP address to ClientConfiguration#setAddresses
then SNI extension will be added with reverse lookup hostname. If you provide
hostname with port to ClientConfiguration#setAddresses no SNI extension will be
added.
> SNI extension is missing when Java thin client is connecting to Ignite
> cluster with SSL enabled
> -----------------------------------------------------------------------------------------------
>
> Key: IGNITE-16627
> URL: https://issues.apache.org/jira/browse/IGNITE-16627
> Project: Ignite
> Issue Type: Bug
> Components: thin client
> Affects Versions: 2.11
> Reporter: Maria Makedonskaya
> Priority: Major
>
> Motivation: There are cases when Ignite clients are connecting to a cluster
> which is located inside Kubernetes (k8s) and the k8s cluster has an ingress
> gateway that routes TLS traffic using the SNI extension.
> Need to provide hostnames from
> org.apache.ignite.configuration.ClientConfiguration#setAddresses to the SNI
> extension.
> SSLContext for the Java thin client is created in
> org.apache.ignite.internal.client.thin.ClientSslUtils#getSslContext. Possibly
> we can use org.apache.ignite.ssl.SSLContextWrapper there to provide
> additional SSLParameters (like it's done in
> org.apache.ignite.ssl.SslContextFactory#createSslContext). For adding the SNI
> extension we need to add hostnames via
> javax.net.ssl.SSLParameters#setServerNames.
> Also need to check that other thin clients and thick clients add SNI to
> handshake.
> Possibly in
> org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#onSessionOpened we
> need additionally to replace
> from:
> {code:java}
> engine = this.sslCtx.createSSLEngine();{code}
> to:
> {code:java}
> engine = this.sslCtx.createSSLEngine(ses.remoteAddress().getHostName(),
> ses.remoteAddress().getPort());{code}
> In this case, if an IP address is set to ClientConfiguration#setAddresses
> then SNI extension will be added with reverse lookup hostname. If hostname
> with a port is set to ClientConfiguration#setAddresses no SNI extension will
> be added.
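
One way to pass the configured hostname to SNI through javax.net.ssl.SSLParameters#setServerNames, as the description above proposes. This is an added example, not Ignite code or the reporter's patch; the class SniFromAddress, its methods and the sample addresses are hypothetical, and the accepted address formats are an assumption. It takes the name from the configured string rather than from a reverse lookup, and sends no server_name for IP literals.

```java
import java.util.Collections;
import java.util.Optional;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Hypothetical helper for illustration; not part of Ignite. */
public class SniFromAddress {
    /** Host part of "host", "host:port", "host:port1..port2" or "[ipv6]:port" (assumed address formats). */
    static String hostOf(String addr) {
        if (addr.startsWith("["))
            return addr.substring(1, addr.indexOf(']'));
        int colon = addr.indexOf(':');
        // Exactly one colon separates host and port; several colons mean a bare IPv6 literal.
        return colon >= 0 && colon == addr.lastIndexOf(':') ? addr.substring(0, colon) : addr;
    }

    /** Literal check by syntax only, so no DNS or reverse lookup is triggered. */
    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    /** SNI name for a configured address; empty for IP literals, which RFC 6066 excludes from SNI. */
    static Optional<SNIHostName> sniName(String addr) {
        String host = hostOf(addr);
        return host.isEmpty() || isIpLiteral(host) ? Optional.empty() : Optional.of(new SNIHostName(host));
    }

    /** Client-mode engine whose ClientHello carries the configured hostname as server_name. */
    static SSLEngine clientEngine(SSLContext ctx, String addr) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        sniName(addr).ifPresent(n -> params.setServerNames(Collections.<SNIServerName>singletonList(n)));
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample addresses, not taken from the issue.
        for (String addr : new String[] {"ignite.example.internal:10800", "10.0.0.5:10800..10810", "[::1]:10800"}) {
            SSLEngine engine = clientEngine(ctx, addr);
            System.out.println(addr + " -> " + engine.getSSLParameters().getServerNames());
        }
    }
}
```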