Currently we support the ASYM_ENCRYPT protocol for JGroups encryption; however, on its own it is prone to man-in-the-middle attacks, because the public key a joining node sends to the key server is not authenticated before the shared group key is returned to it. This can be overcome by utilising the SSL_KEY_EXCHANGE protocol, which fetches the group key over a TLS connection instead; however, this requires a keystore to be configured. If the user has configured a keystore, we should utilise it and automatically add the SSL_KEY_EXCHANGE protocol to the stack if jgroups.encrypt == true.
Current issues with ASYM_ENCRYPT and SSL_KEY_EXCHANGE.
<VERIFY_SUSPECT timeout="1000"/>
<gsp:scriptlet>if (jgroups?.encrypt) {</gsp:scriptlet>
  <gsp:scriptlet>if (keystore?.path) {</gsp:scriptlet>
    <!-- Only added when a keystore is configured: the joiner then fetches the
         group key from the key server over TLS on port 2157 (port_range="0",
         so no fallback ports are tried). -->
    <SSL_KEY_EXCHANGE
        keystore_name="${keystore.path}"
        keystore_password="${keystore.password}"
        keystore_type="pkcs12"
        port="2157"
        port_range="0"
    />
  <gsp:scriptlet>}</gsp:scriptlet>
  <!-- use_external_key_exchange delegates the key fetch to SSL_KEY_EXCHANGE
       when a keystore is present; otherwise ASYM_ENCRYPT exchanges the key
       itself. Note that AES/ECB/PKCS5Padding and a 512-bit RSA key are weak
       choices (ECB leaks repeated plaintext blocks; 512-bit RSA is factorable),
       so a non-ECB mode and a larger asym_keylength should be preferred. -->
  <ASYM_ENCRYPT use_external_key_exchange="${keystore?.path ? true : false}"
      sym_algorithm="AES/ECB/PKCS5Padding"
      asym_keylength="512"
      asym_algorithm="RSA"
  />
<gsp:scriptlet>}</gsp:scriptlet>
Node 1:
17:09:53,428 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: becoming keyserver; creating server socket
17:09:53,508 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: SSL server socket listening on /172.17.0.2:2157
17:09:53,511 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: I'm the new key server
17:09:53,530 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: created new group key (version: DCEFD81727549FA1786B1DAF8E35DD13) because of new view [9864590834c5-46097|0] (1) [9864590834c5-46097]
17:09:53,536 INFO [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel testClusterName: [9864590834c5-46097|0] (1) [9864590834c5-46097]
17:09:53,553 INFO [org.infinispan.CLUSTER] (main) ISPN000079: Channel testClusterName local address is 9864590834c5-46097, physical addresses are [172.17.0.2:7800]
17:09:53,564 INFO [org.infinispan.CONTAINER] (main) ISPN000390: Persisted state, version=10.1.0.Beta1 timestamp=2019-12-03T17:09:53.560070Z
17:09:54,029 INFO [org.infinispan.CONTAINER] (main) ISPN000104: Using EmbeddedTransactionManager
17:09:54,275 INFO [org.infinispan.SERVER] (ForkJoinPool.commonPool-worker-3) ISPN080018: Protocol HotRod (internal)
17:09:54,357 INFO [org.infinispan.SERVER] (main) ISPN080018: Protocol REST (internal)
17:09:54,468 INFO [org.infinispan.SERVER] (ForkJoinPool.commonPool-worker-5) ISPN080004: Protocol Memcached listening on 172.17.0.2:11221
17:09:54,479 INFO [org.infinispan.SERVER] (main) ISPN080004: Protocol SINGLE_PORT listening on 172.17.0.2:11222
17:09:54,479 INFO [org.infinispan.SERVER] (main) ISPN080001: Infinispan Server 10.1.0.Beta1 started in 8683ms
17:10:03,381 INFO [org.infinispan.CLUSTER] (jgroups-5,9864590834c5-46097) ISPN000094: Received new cluster view for channel testClusterName: [9864590834c5-46097|1] (2) [9864590834c5-46097, fe47e1f1471b-64307]
17:10:03,387 INFO [org.infinispan.CLUSTER] (jgroups-5,9864590834c5-46097) ISPN100000: Node fe47e1f1471b-64307 joined the cluster
17:10:03,423 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,515 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,562 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
Node 2:
17:10:02,840 INFO [org.infinispan.CONTAINER] (main) ISPN000128: Infinispan version: Infinispan 'Chupacabra' 10.1.0.Beta1
17:10:03,012 INFO [org.infinispan.CLUSTER] (main) ISPN000078: Starting JGroups channel testClusterName
17:10:03,426 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,430 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-6,fe47e1f1471b-64307) fe47e1f1471b-64307: discarded mcast batch from 9864590834c5-46097 as secret key is null
17:10:03,457 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,508 WARN [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,508 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,558 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,560 WARN [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,560 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
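As an added triage example (not code from this issue, from Infinispan or from JGroups), the following Python script correlates the two node excerpts above: it reads the key-server socket and the group-key version from the coordinator (Node 1), counts the joiner's (Node 2) fetch attempts, failures and dropped messages, checks whether the joiner ever installed a key, and maps the two error strings seen in the logs to an operator hint. The sample log lines are copied from the excerpts on this page; the regular expressions are written against exactly those message formats, and the HINTS table is an editorial interpretation of the JSSE and JGroups messages, not something the page states.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the Node 1 / Node 2 excerpts above.
NODE1_LOG = """\
17:09:53,428 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: becoming keyserver; creating server socket
17:09:53,508 DEBUG [org.jgroups.protocols.SSL_KEY_EXCHANGE] (main) 9864590834c5-46097: SSL server socket listening on /172.17.0.2:2157
17:09:53,511 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: I'm the new key server
17:09:53,530 DEBUG [org.jgroups.protocols.ASYM_ENCRYPT] (main) 9864590834c5-46097: created new group key (version: DCEFD81727549FA1786B1DAF8E35DD13) because of new view [9864590834c5-46097|0] (1) [9864590834c5-46097]
17:10:03,423 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,515 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
17:10:03,562 TRACE [org.jgroups.protocols.SSL_KEY_EXCHANGE] (SSL_KEY_EXCHANGE-runner-9,9864590834c5-46097) 9864590834c5-46097: failure handling client socket: Remote host terminated the handshake
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-8,9864590834c5-46097) 9864590834c5-46097: asking fe47e1f1471b-64307 to fetch the shared group key DCEFD81727549FA1786B1DAF8E35DD13 via an external key exchange protocol (srv=172.17.0.2:2157)
"""

NODE2_LOG = """\
17:10:03,426 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,430 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-6,fe47e1f1471b-64307) fe47e1f1471b-64307: discarded mcast batch from 9864590834c5-46097 as secret key is null
17:10:03,457 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,508 WARN [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,508 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-5,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,557 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,558 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: fetching group key from 172.17.0.2:2157
17:10:03,560 WARN [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: failed fetching group key from 9864590834c5-46097: java.lang.IllegalStateException: failed connecting to 172.17.0.2:2157: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
17:10:03,560 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
17:10:03,659 TRACE [org.jgroups.protocols.ASYM_ENCRYPT] (jgroups-10,fe47e1f1471b-64307) fe47e1f1471b-64307: message from 9864590834c5-46097 (version: DCEFD81727549FA1786B1DAF8E35DD13) dropped, as a key matching that version wasn't found (current version: null)
"""

# Message formats of SSL_KEY_EXCHANGE / ASYM_ENCRYPT exactly as they appear in the excerpts above.
RE_LISTEN = re.compile(r"SSL server socket listening on /(\S+)")
RE_NEW_KEY = re.compile(r"created new group key \(version: ([0-9A-F]+)\)")
RE_ASK = re.compile(r"asking (\S+) to fetch the shared group key ([0-9A-F]+) .*\(srv=([^)]+)\)")
RE_SRV_FAIL = re.compile(r"failure handling client socket: (.+)$")
RE_FETCH_FAIL = re.compile(r"failed fetching group key from \S+: (.+)$")
RE_FETCH = re.compile(r"fetching group key from (\S+)$")
RE_DROP = re.compile(r"dropped, as a key matching that version wasn't found \(current version: ([^)]+)\)")

# Editorial interpretation (assumption, not from the page) of the error strings seen in the logs.
HINTS = {
    "No appropriate protocol": "client and key server share no enabled TLS protocol version / cipher suite "
                               "(check jdk.tls.disabledAlgorithms and the enabled protocols on both JVMs)",
    "Remote host terminated the handshake": "peer aborted the TLS handshake; the reason is in the other node's log",
}


def parse(log):
    """Extract per-node facts from one node's log excerpt."""
    facts = {"key_server": None, "key_version": None, "asked": [], "server_failures": Counter(),
             "fetch_attempts": 0, "fetch_failures": Counter(), "dropped": 0, "current_version": None}
    for line in log.splitlines():
        if m := RE_LISTEN.search(line):
            facts["key_server"] = m.group(1)
        elif m := RE_NEW_KEY.search(line):
            facts["key_version"] = m.group(1)
        elif m := RE_ASK.search(line):
            facts["asked"].append((m.group(1), m.group(2), m.group(3)))
        elif m := RE_SRV_FAIL.search(line):
            facts["server_failures"][m.group(1).strip()] += 1
        elif m := RE_FETCH_FAIL.search(line):          # must be tested before RE_FETCH
            facts["fetch_failures"][m.group(1).strip()] += 1
        elif m := RE_FETCH.search(line):
            facts["fetch_attempts"] += 1
        elif m := RE_DROP.search(line):
            facts["dropped"] += 1
            facts["current_version"] = None if m.group(1) == "null" else m.group(1)
    return facts


def diagnose(coordinator_log, joiner_log):
    """Correlate key server and joiner logs and explain why the joiner never got the group key."""
    coord, joiner = parse(coordinator_log), parse(joiner_log)
    report = {
        "key_server": coord["key_server"],
        "key_version": coord["key_version"],
        "joiner_installed_key": coord["key_version"] is not None and joiner["current_version"] == coord["key_version"],
        "fetch_attempts": joiner["fetch_attempts"],
        "fetch_failures": sum(joiner["fetch_failures"].values()),
        "dropped_messages": joiner["dropped"],
        "hints": [],
    }
    # The coordinator must advertise the socket and key version it actually serves.
    for _, version, srv in coord["asked"]:
        if srv != coord["key_server"] or version != coord["key_version"]:
            report["hints"].append(f"coordinator advertised {srv}/{version} but serves "
                                   f"{coord['key_server']}/{coord['key_version']}")
    for reason in list(joiner["fetch_failures"]) + list(coord["server_failures"]):
        for needle, hint in HINTS.items():
            if needle in reason:
                report["hints"].append(hint)
    report["hints"] = list(dict.fromkeys(report["hints"]))  # de-duplicate, keep order
    return report


if __name__ == "__main__":
    for k, v in diagnose(NODE1_LOG, NODE2_LOG).items():
        print(f"{k}: {v}")
```

The script deliberately keys on the joiner's "current version: null" rather than on the WARN lines alone: a joiner that fails one fetch but succeeds on retry is healthy, whereas here every retry fails with the same JSSE error and the coordinator's side only sees the peer abort the handshake, so the fault is a TLS parameter mismatch between the two SSL_KEY_EXCHANGE endpoints rather than a network or keystore-path problem.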