How can I disable subject alternative validation for the rest.advertised.listener?

yk1113 · 15 September 2023 01:19

According to the documentation, if I set ssl.endpoint.identification.algorithm to an empty string, this validation should be disabled but that does not seem to work in my environment

My configuration is :

rest.advertised.listener=https
rest.advertised.port=8443
ssl.enabled.protocols=TLSv1.2
rest.advertised.host.name=192.168.41.39
listeners=https://192.168.41.39:8443
ssl.endpoint.identification.algorithm=

Supposing that the leader is

rest.advertised.host.name=192.168.41.40
listeners=https://192.168.41.40:8443

Then, when I post configurations that needs to be forwarded from one of the workers to the leader, it fails with the following error:

{
    "error_code": 500,
    "message": "IO Error trying to forward REST request: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.41.40 found"
}

Unfortunately, I cannot run using http and I just need to disable this additional check

yk1113 · 15 September 2023 02:21

It seems that listeners.https.ssl.endpoint.identification.algorithm did it

I am surprised that I could not find this documented anywhere

system · 22 September 2023 02:21

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.