GEODE-10556: Fix SSL handshake failure in PulseSecurityWithSSLTest when JmxManagerBindAddress is empty #7984

Open
JinwooHwang wants to merge 1 commit into apache:develop from JinwooHwang:feature/GEODE-10556

@JinwooHwang JinwooHwang commented Feb 11, 2026

Problem

PulseSecurityWithSSLTest failed on GitHub Actions with authentication errors (BAD_CREDS) despite using correct credentials. Tests consistently passed locally but failed in CI:
  SSLHandshakeException: No subject alternative names matching IP address 172.17.0.2 found

  • PulseSecurityWithSSLTest > loginWithIncorrectAndThenCorrectPassword
  • PulseSecurityWithSSLTest > loginWithDeprecatedSSLOptions

Root Cause: When JmxManagerBindAddress is not configured (empty string), ManagementAgent was setting pulse.host to an empty string:
  System.setProperty(PULSE_HOST_PROP, "" + config.getJmxManagerBindAddress());

An empty host in the JMX service URL (service:jmx:rmi:///jndi/rmi://:PORT/jmxrmi) causes the JRE to resolve the host via InetAddress.getLocalHost(). On Linux, this returns the container's bridge IP address (e.g. 172.17.0.2) rather than 127.0.0.1.

The embedded trusted.keystore certificate has CN=localhost and a single SAN of IPAddress:127.0.0.1. When Pulse attempts the JMX-over-SSL connection to 172.17.0.2, the SSL handshake fails because that IP is not covered by the certificate.

This issue does not reproduce on macOS, where InetAddress.getLocalHost() typically returns 127.0.0.1.

Solution

In ManagementAgent.java, fall back to "localhost" when JmxManagerBindAddress is empty:
  String jmxBindAddress = config.getJmxManagerBindAddress();
  System.setProperty(PULSE_HOST_PROP,
      jmxBindAddress.isEmpty() ? "localhost" : jmxBindAddress);

localhost resolves to 127.0.0.1, which matches the certificate's SAN, so the SSL handshake succeeds.

Testing

  • Both tests pass locally (27.7s total, 0 failures)
  • Code compiles and passes tests

Impact

  • Eliminates test failure in CI
  • Improves test reliability and developer experience

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch 4 times, most recently from 209deba to 3e92b5c Compare February 11, 2026 23:46
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from f993be5 to 0b2beea Compare March 12, 2026 12:49
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from 0b2beea to 3b21ac6 Compare March 12, 2026 13:53
@JinwooHwang JinwooHwang reopened this Mar 12, 2026
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from c1e3008 to b0b2dab Compare March 12, 2026 16:53
@JinwooHwang JinwooHwang reopened this Mar 12, 2026
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from ae2abd6 to 52fe473 Compare March 13, 2026 10:06
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from 52fe473 to affba70 Compare March 13, 2026 10:13
@JinwooHwang JinwooHwang reopened this Mar 13, 2026
@JinwooHwang JinwooHwang force-pushed the feature/GEODE-10556 branch from 2dd8907 to 295cd4c Compare March 13, 2026 11:56
…ess is empty

When JmxManagerBindAddress is not configured (empty string, meaning bind
all interfaces), ManagementAgent was setting the pulse.host system property
to the empty string. On Linux/Docker, an empty host in the JMX service URL
resolves to InetAddress.getLocalHost(), which returns the container bridge
IP (e.g. 172.17.0.2) rather than 127.0.0.1.

The embedded test keystore (trusted.keystore) only contains
IPAddress:127.0.0.1 as a Subject Alternative Name. The SSL handshake
between Pulse JMXDataUpdater and the JMX connector server therefore failed:

  SSLHandshakeException: No subject alternative names matching IP address
  172.17.0.2 found

This caused PulseSecurityWithSSLTest to consistently fail on CI (Ubuntu,
Liberica JDK 17, Docker) with BAD_CREDS while passing locally on macOS
with Zulu JDK 17 (where getLocalHost() returns 127.0.0.1).

Fix: when JmxManagerBindAddress is empty, pass localhost as the
pulse.host property so JMXDataUpdater connects to 127.0.0.1, which is
always covered by the certificate SAN.
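
A diagnostic for the mismatch described in the PR description and the commit message above, added here as an example and not part of the PR or of Geode. It lists the IP-address SANs of every certificate in a keystore and reports whether the address returned by InetAddress.getLocalHost(), and the address localhost resolves to, are among them. The class name SanCoverageCheck and the two command-line arguments (keystore path and password) are assumptions.

```java
import java.io.File;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added diagnostic (hypothetical class, not Geode code).
// Usage: java SanCoverageCheck.java <keystore path> <keystore password>
public class SanCoverageCheck {
  private static final int IP_ADDRESS = 7; // GeneralName tag for iPAddress (RFC 5280)

  // IP-address SANs of one certificate, normalised through InetAddress.
  static Set<String> ipSans(X509Certificate cert) throws Exception {
    Set<String> ips = new TreeSet<>();
    Collection<List<?>> sans = cert.getSubjectAlternativeNames();
    if (sans == null) {
      return ips; // certificate carries no SAN extension
    }
    for (List<?> san : sans) {
      if (((Integer) san.get(0)) == IP_ADDRESS) {
        // IP literals are parsed without a DNS lookup.
        ips.add(InetAddress.getByName((String) san.get(1)).getHostAddress());
      }
    }
    return ips;
  }

  public static void main(String[] args) throws Exception {
    KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
    // Address used when the host is left empty, versus the address of "localhost".
    String emptyHost = InetAddress.getLocalHost().getHostAddress();
    String localhost = InetAddress.getByName("localhost").getHostAddress();
    for (String alias : Collections.list(ks.aliases())) {
      Certificate c = ks.getCertificate(alias);
      if (!(c instanceof X509Certificate)) {
        continue;
      }
      Set<String> ips = ipSans((X509Certificate) c);
      System.out.printf("%s: IP SANs=%s%n", alias, ips);
      System.out.printf("  empty host -> %s in IP SANs: %b%n", emptyHost, ips.contains(emptyHost));
      System.out.printf("  localhost  -> %s in IP SANs: %b%n", localhost, ips.contains(localhost));
    }
  }
}
```

Running it on the CI image and on a developer machine against the same keystore shows whether the two environments disagree only in what getLocalHost() returns.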
@JinwooHwang JinwooHwang reopened this Mar 15, 2026
@JinwooHwang JinwooHwang changed the title GEODE-10556: Fix race condition in PulseSecurityWithSSLTest GEODE-10556: Fix SSL handshake failure in PulseSecurityWithSSLTest when JmxManagerBindAddress is empty Mar 15, 2026