Always use SNI for TLS enabled Pulsar Java broker client. #8117
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/pulsarbot run-failure-checks |
3 similar comments
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
racorn
force-pushed
the
enable-sni-java-client
branch
from
c329518
to
ed4acbb
Compare
|
/pulsarbot run-failure-checks |
5 similar comments
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
|
@rdhabalia Thanks. Finally got all checks to pass. |
racorn
pushed a commit
to racorn/pulsar
that referenced
this pull request
Oct 1, 2020
sijie
pushed a commit
that referenced
this pull request
Oct 2, 2020
### Motivation Improve previous PR #8117 (Always use SNI for TLS enabled Java client) ### Modifications - Use `ChannelFutures.toCompletableFuture` instead of private static utility method. - When TLS is not enabled, use 'original' code that invokes `Bootstrap.connect(InetSocketAddress)`; it is only when TLS is enabled we need custom setup code to properly set SNI headers. - Add documentation and argument checks to `PulsarChannelInitializer.initTls`
lbenc135
pushed a commit
to lbenc135/pulsar
that referenced
this pull request
Oct 3, 2020
Co-authored-by: Rolf Arne Corneliussen <rolf.arne.corneliussen@addsecure.com>
lbenc135
pushed a commit
to lbenc135/pulsar
that referenced
this pull request
Oct 3, 2020
### Motivation Improve previous PR apache#8117 (Always use SNI for TLS enabled Java client) ### Modifications - Use `ChannelFutures.toCompletableFuture` instead of private static utility method. - When TLS is not enabled, use 'original' code that invokes `Bootstrap.connect(InetSocketAddress)`; it is only when TLS is enabled we need custom setup code to properly set SNI headers. - Add documentation and argument checks to `PulsarChannelInitializer.initTls`
|
Move this change to 2.6.2, because the #8177 depends on this pr. |
wolfstudy
pushed a commit
that referenced
this pull request
Oct 30, 2020
Co-authored-by: Rolf Arne Corneliussen <rolf.arne.corneliussen@addsecure.com> (cherry picked from commit f2933f7)
wolfstudy
pushed a commit
that referenced
this pull request
Oct 30, 2020
### Motivation Improve previous PR #8117 (Always use SNI for TLS enabled Java client) ### Modifications - Use `ChannelFutures.toCompletableFuture` instead of private static utility method. - When TLS is not enabled, use 'original' code that invokes `Bootstrap.connect(InetSocketAddress)`; it is only when TLS is enabled we need custom setup code to properly set SNI headers. - Add documentation and argument checks to `PulsarChannelInitializer.initTls` (cherry picked from commit 1af5c8e)
huangdx0726
pushed a commit
to huangdx0726/pulsar
that referenced
this pull request
Nov 13, 2020
Co-authored-by: Rolf Arne Corneliussen <rolf.arne.corneliussen@addsecure.com>
huangdx0726
pushed a commit
to huangdx0726/pulsar
that referenced
this pull request
Nov 13, 2020
### Motivation Improve previous PR apache#8117 (Always use SNI for TLS enabled Java client) ### Modifications - Use `ChannelFutures.toCompletableFuture` instead of private static utility method. - When TLS is not enabled, use 'original' code that invokes `Bootstrap.connect(InetSocketAddress)`; it is only when TLS is enabled we need custom setup code to properly set SNI headers. - Add documentation and argument checks to `PulsarChannelInitializer.initTls`
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
The Java Pulsar client does not currently set the SNI header when it creates TLS connections using the binary protocol to brokers (except when using proxyUrl with SNI routing).
If the client always set the SNI header, it can enable ingress routing using reverse proxies like HAProxy, possibly in combination with external advertised addresses (PIP-61).
Modifications
The main modification is to always create
SslEngines with advisory peer information (peer host and port).org.apache.pulsar.client.impl.PulsarChannelInitializermodified to set up the SslHandler after the Netty channel is registered. A new methodCompletableFuture<Channel> initTls(Channel ch, InetSocketAddress sniHost)was added to explicitly specify the remote peer.org.apache.pulsar.client.impl.ConnectionPoolmodified to always invokePulsarChannelInitializer.initTlswith a remote peer if TLS is enabled.Added method
public SSLEngine createSSLEngine(String peerHost, int peerPort)toorg.apache.pulsar.common.util.keystoretls.KeyStoreSSLContextso SNI header can be set irrespective of using OpenSSL or internal Java TLS.Verifying this change
org.apache.pulsar.client.api.TlsSniTestto verity that using an IP-address in the brokerServiceUrl does not cause problems.