TLS for inter-node peer connections

When the cluster's client port is TLS-enabled, peer connections (which connect to
that same port) must also speak TLS. PeerManager gains setPeerClientContext/
getPeerClientContext, and PeerNode installs that context on its client before
logon. Null (the default) leaves peering plaintext — a no-op, so non-TLS clusters
are unchanged.
This commit is contained in:
2026-06-29 22:16:57 +12:00
parent ce4360f210
commit a942d5d3dc
2 changed files with 27 additions and 0 deletions
@@ -1319,6 +1319,27 @@ public abstract class PeerManager
return PeerNode.class;
}
/**
* Sets the {@link SSLContext} that {@link PeerNode}s use to wrap their connections to other
* nodes in TLS. When the cluster's client port is TLS-enabled, peer connections (which connect
* to that same port) must also speak TLS; this is the client-side (pinned-truststore) context
* the peer node installs on its client before logon. Null (the default) leaves peer connections
* plaintext. Set this before peers are discovered/connected.
*/
public void setPeerClientContext (javax.net.ssl.SSLContext ctx)
{
_peerClientContext = ctx;
}
/**
* Returns the {@link SSLContext} peer nodes use to wrap connections to other nodes, or null if
* peer connections are plaintext.
*/
public javax.net.ssl.SSLContext getPeerClientContext ()
{
return _peerClientContext;
}
/**
* Creates credentials that a {@link PeerNode} can use to authenticate with another node.
*/
@@ -1812,6 +1833,9 @@ public abstract class PeerManager
protected String _nodeName;
protected String _sharedSecret;
protected NodeRecord _self;
/** TLS context peer nodes use when connecting to other nodes, or null for plaintext peering. */
protected javax.net.ssl.SSLContext _peerClientContext;
protected NodeObject _nodeobj;
protected String _nodeNamespace;
protected Map<String,PeerNode> _peers = Maps.newHashMap();
@@ -140,6 +140,9 @@ public class PeerNode
// otherwise configure our client with the right bits and logon
_client.setCredentials(_peermgr.createCreds());
// if the cluster's client port is TLS-enabled, peer connections must speak TLS too;
// null (plaintext peering) is a no-op (see PeerManager.setPeerClientContext)
_client.setSSLContext(_peermgr.getPeerClientContext());
_client.setServer(hostName, new int[] { _record.port });
_client.logon();
_lastConnectStamp = System.currentTimeMillis();