Akka artery tls client hostname verification

(Arkady Rost) #1

Good day! I would appreciate it if someone could explain how to configure TLS in an Akka cluster properly. We use Artery transport. Moreover, hostname verification and mutual authentication are enabled. Also, we changed the canonical hostname to “getHostName” rather than “getHostAddress”. We have one root CA that is common for each node in the cluster, but each node has its own certificate signed with the root one. The problem occurs when a client certificate is being validated. When hostname verification is enabled, it causes the “HTTPS” endpoint identification algorithm to be enabled. That causes X509TrustManagerImpl to verify that the client certificate contains the server hostname. This is not true in our scenario (each node has its own certificate). Any ideas on how to fix it properly? Should I use the same certificate among all nodes?

1 Like
#2

Did you manage to find a solution for this? I’m stuck on the same problem.

Edit: So it does look like the X509TrustManagerImpl is limited as specified in https://tools.ietf.org/html/rfc2818#section-3.2.

(Arkady Rost) #3

I didn’t find a solution. I understand the limitations of X509TrustManagerImpl, but the question is how to deal with these limitations. What are the best practices?

#4

In my case, I have a custom implementation of SSLEngineProvider since I have two certificates per node (client and server). I am setting the endpointIdentificationAlgorithm only if the clientMode is true. That works for me since each node is both a client and a server and achieves the same effect overall.

1 Like
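One way to implement the approach described in #4, as an added example that is not code from the thread or from the Akka project: a custom `akka.remote.artery.tcp.SSLEngineProvider` that builds one `SSLContext` from a key store and trust store, requires a client certificate in the server role (mutual authentication against the shared root CA), and sets the `HTTPS` endpoint identification algorithm only in the client role, where the dialled hostname is known. The package name, the `akka.remote.artery.ssl.per-node-tls` config keys, and the `ActorSystem` constructor parameter are assumptions for this example; the trait's four abstract methods are as in Akka 2.6.

```scala
package example.tls // hypothetical package name

import java.io.FileInputStream
import java.security.{ KeyStore, SecureRandom }
import javax.net.ssl.{ KeyManagerFactory, SSLContext, SSLEngine, SSLSession, TrustManagerFactory }

import akka.actor.ActorSystem
import akka.remote.artery.tcp.SSLEngineProvider

/**
 * Per-node certificates, shared root CA. Both roles validate the peer's chain
 * against the trust store; only the client role additionally checks that the
 * server certificate matches the hostname it connected to.
 */
class ClientOnlyHostnameVerificationSSLEngineProvider(system: ActorSystem) extends SSLEngineProvider {

  // Assumed config keys; adapt to your deployment.
  private val config = system.settings.config.getConfig("akka.remote.artery.ssl.per-node-tls")
  private val keyStorePath = config.getString("key-store")
  private val keyStorePassword = config.getString("key-store-password").toCharArray
  private val keyPassword = config.getString("key-password").toCharArray
  private val trustStorePath = config.getString("trust-store")
  private val trustStorePassword = config.getString("trust-store-password").toCharArray
  private val protocol = config.getString("protocol") // e.g. "TLSv1.2"

  private val sslContext: SSLContext = {
    def load(path: String, password: Array[Char]): KeyStore = {
      val ks = KeyStore.getInstance(KeyStore.getDefaultType)
      val in = new FileInputStream(path)
      try ks.load(in, password) finally in.close()
      ks
    }
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(load(keyStorePath, keyStorePassword), keyPassword)
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(load(trustStorePath, trustStorePassword)) // trust store holds the root CA only
    val ctx = SSLContext.getInstance(protocol)
    ctx.init(kmf.getKeyManagers, tmf.getTrustManagers, new SecureRandom())
    ctx
  }

  override def createServerSSLEngine(hostname: String, port: Int): SSLEngine = {
    val engine = sslContext.createSSLEngine(hostname, port)
    engine.setUseClientMode(false)
    engine.setEnabledProtocols(Array(protocol))
    // Mutual auth: the inbound node must present a certificate chained to the
    // root CA. No endpoint identification here: the server has no expected
    // name for an arbitrary inbound peer, which is exactly what broke in #1.
    engine.setNeedClientAuth(true)
    engine
  }

  override def createClientSSLEngine(hostname: String, port: Int): SSLEngine = {
    val engine = sslContext.createSSLEngine(hostname, port)
    engine.setUseClientMode(true)
    engine.setEnabledProtocols(Array(protocol))
    // Client role: we know which node we dialled, so require that the server
    // certificate's SAN/CN matches that hostname (RFC 2818 section 3.1 rules).
    val params = engine.getSSLParameters
    params.setEndpointIdentificationAlgorithm("HTTPS")
    engine.setSSLParameters(params)
    engine
  }

  // Artery calls these after the handshake; None accepts the session.
  // Chain validation has already been done by the trust manager above.
  override def verifyClientSession(hostname: String, session: SSLSession): Option[Throwable] = None

  override def verifyServerSession(hostname: String, session: SSLSession): Option[Throwable] = None
}
```

Register it with `akka.remote.artery.ssl.ssl-engine-provider = "example.tls.ClientOnlyHostnameVerificationSSLEngineProvider"` (the class name is the assumed one from the block). The security property this keeps is that both directions still require a certificate issued by the cluster's root CA; what is dropped is only the server-side hostname match that a per-node certificate cannot satisfy. If the trust store ever contains more than the cluster's private root, `verifyClientSession` is the place to add an explicit check on the presented client certificate's subject or SAN, since the trust manager alone would then accept any certificate from any trusted issuer.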
(Arkady Rost) #5

Thank you for sharing your approach. Actually, I have the same ideas for a workaround. It might mean that hostname-verification should setEndpointIdentificationAlgorithm only for client role by default.

#6

I opened a bug report: https://github.com/akka/akka/issues/26905

1 Like