Uploaded image for project: 'Geode'
  1. Geode
  2. GEODE-9991

SSL protocol and cipher preferences are ignored when endpoint verification is enabled.

    XMLWordPrintableJSON

Details

    Description

      When SSL endpoint verification is enabled the configuration for protocols and ciphers reverts to the SSLContext's client mode defaults. This can result in difficulty upgrade the JDK when the newer JDK may use different defaults for client and server mode SSL.

      Oracle JDK 1.8.0_u261 and OpenJDK 1.8.0_u272 replaced the SSL implementation with a back port from Java 11. This changed the default server protocols from [SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2] to [TLSv1.3,TLSv1.2,SSLv2Hello] and client to [TLSv1.3,TLSv1.2]. With this bug the the server protocols get reset to the client protocols dropping support for the SSLv2Hello protocol, which is the first priority protocol by default in the old JDK.

      The result is a failure to handshake with the following exception:
      javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled

      To reproduce you need to have endpoint validation enabled on your SSL configuration. Set your protocols to `any`. Start 1st locator with JDK older than 1.8.0_u261. Start 2nd locator with JDK at least as new as JDK 1.8.0_u272.

      Attachments

        Issue Links

          There are no Sub-Tasks for this issue.

          Activity

            People

              jbarrett Jacob Barrett
              jbarrett Jacob Barrett
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: