[
https://issues.apache.org/jira/browse/IGNITE-24906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pavel Tupitsyn updated IGNITE-24906:
------------------------------------
Description:
Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
certificate validation issues.
*Steps to Reproduce:*
* Set up a cluster where each node has HTTPS enabled and a trusted certificate
with both the hostname and DNS alias in the SAN list.
* Connect to the cluster using the .NET Thin Client.
* Enable Automatic Server Node Discovery
(IgniteClientConfiguration.EnableClusterDiscovery).
* Observe that the discovery process fails with a
*RemoteCertificateNameMismatch* error.
*Observed Behavior:*
* The error occurs because discovery requests target IP addresses instead of
hostnames.
* Since the IP addresses are not included in the certificate's SAN list,
certificate validation fails.
* The error is logged in the background, but the client is still able to
connect.
*Expected Behavior:*
* Automatic Server Node Discovery should not fail when each host has a valid,
trusted certificate.
* Discovery requests should use hostnames instead of IP addresses for HTTPS
connections.
*Related log output: *
{code}
[11:16:49] [Error] [ClientFailoverSocket] Failed to update topology information
(exception: System.Security.Authentication.AuthenticationException: The remote
certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
sslAuthenticationOptions)
at
System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
isAsync, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
sslClientAuthenticationOptions)
at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
targetHost)
at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
socket, IgniteClientConfiguration cfg, String host)
at
Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
Action`1 topVerCallback, Marshaller marshaller)
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
node)
at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
_))
{code}
Potential cause: *ClientFailoverSocket* in the .NET client uses IP endpoints
instead of hostnames.
Reference:
[ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
was:
Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
certificate validation issues.
Steps to Reproduce:
* Set up a cluster where each node has HTTPS enabled and a trusted certificate
with both the hostname and DNS alias in the SAN list.
* Connect to the cluster using the .NET Thin Client.
* Enable Automatic Server Node Discovery
(IgniteClientConfiguration.EnableClusterDiscovery).
Observe that the discovery process fails with a RemoteCertificateNameMismatch
error.
Observed Behavior:
The error occurs because discovery requests target IP addresses instead of
hostnames.
Since the IP addresses are not included in the certificate's SAN list,
certificate validation fails.
The error is logged in the background, but the client is still able to connect.
Expected Behavior:
Automatic Server Node Discovery should not fail when each host has a valid,
trusted certificate.
Discovery requests should use hostnames instead of IP addresses for HTTPS
connections.
Additional Information:
Related log output:
{code}
[11:16:49] [Error] [ClientFailoverSocket] Failed to update topology information
(exception: System.Security.Authentication.AuthenticationException: The remote
certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
sslAuthenticationOptions)
at
System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
isAsync, CancellationToken cancellationToken)
at
System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
sslClientAuthenticationOptions)
at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
targetHost)
at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
socket, IgniteClientConfiguration cfg, String host)
at
Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
Action`1 topVerCallback, Marshaller marshaller)
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
node)
at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
at
Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
_))
{code}
Potential cause: ClientFailoverSocket in the .NET client uses IP endpoints
instead of hostnames.
Reference:
[ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
> .NET: Client Node Discovery fails with HTTPS enabled
> ----------------------------------------------------
>
> Key: IGNITE-24906
> URL: https://issues.apache.org/jira/browse/IGNITE-24906
> Project: Ignite
> Issue Type: Bug
> Components: platforms, thin client
> Affects Versions: 2.15, 2.16, 2.17
> Reporter: Pavel Tupitsyn
> Assignee: Pavel Tupitsyn
> Priority: Major
> Labels: .NET
> Fix For: 2.18
>
>
> Automatic Node Discovery fails in .NET Thin Client with HTTPS enabled due to
> certificate validation issues.
> *Steps to Reproduce:*
> * Set up a cluster where each node has HTTPS enabled and a trusted
> certificate with both the hostname and DNS alias in the SAN list.
> * Connect to the cluster using the .NET Thin Client.
> * Enable Automatic Server Node Discovery
> (IgniteClientConfiguration.EnableClusterDiscovery).
> * Observe that the discovery process fails with a
> *RemoteCertificateNameMismatch* error.
> *Observed Behavior:*
> * The error occurs because discovery requests target IP addresses instead of
> hostnames.
> * Since the IP addresses are not included in the certificate's SAN list,
> certificate validation fails.
> * The error is logged in the background, but the client is still able to
> connect.
> *Expected Behavior:*
> * Automatic Server Node Discovery should not fail when each host has a valid,
> trusted certificate.
> * Discovery requests should use hostnames instead of IP addresses for HTTPS
> connections.
> *Related log output: *
> {code}
> [11:16:49] [Error] [ClientFailoverSocket] Failed to update topology
> information (exception:
> System.Security.Authentication.AuthenticationException: The remote
> certificate was rejected by the provided RemoteCertificateValidationCallback.
> at
> System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions
> sslAuthenticationOptions)
> at
> System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean
> receiveFirst, Byte[] reAuthenticationData, CancellationToken
> cancellationToken)
> at
> System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean
> isAsync, CancellationToken cancellationToken)
> at
> System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions
> sslClientAuthenticationOptions)
> at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String
> targetHost)
> at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket
> socket, IgniteClientConfiguration cfg, String host)
> at
> Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration
> clientConfiguration, EndPoint endPoint, String host, Nullable`1 version,
> Action`1 topVerCallback, Marshaller marshaller)
> at
> Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.TryConnect(ClientDiscoveryNode
> node)
> at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.InitSocketMap()
> at
> Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.<OnAffinityTopologyVersionChange>b__40_0(Object
> _))
> {code}
> Potential cause: *ClientFailoverSocket* in the .NET client uses IP endpoints
> instead of hostnames.
> Reference:
> [ClientFailoverSocket.cs#L948|https://github.com/apache/ignite/blob/be1f4bc6378c0ceb75a16c286a1a6ee00875d624/modules/platforms/dotnet/Apache.Ignite.Core/Impl/Client/ClientFailoverSocket.cs#L133]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
