Netty 4.2.15 fixed CVE-2026-50010 by removing the silent wrapping of
plain X509TrustManager in X509ExtendedTrustManager. When a plain
X509TrustManager is used, the JDK wraps it in AbstractTrustManagerWrapper
and runs TrustManagerImpl.checkTrusted() with AlgorithmChecker before
calling the custom trust manager.
This caused client certificates signed with SHA3-512withECDSA to be
rejected even though they are not explicitly blacklisted in java.security,
because the JDK's internal PKIX validator applies stricter constraints.
By making our custom trust managers implement X509ExtendedTrustManager
directly, the JDK calls the 3-arg methods directly and bypasses its
internal TrustManagerImpl, restoring the pre-4.2.15 behavior where
only our custom PKIX validation runs.
Files changed:
- rbcs-common/RBCS.kt: getTrustManager() returns X509ExtendedTrustManager
- rbcs-client/RemoteBuildCacheClient.kt: trust-all manager uses X509ExtendedTrustManager
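As an added example of the mechanism described above (not rbcs code), a trust manager that extends X509ExtendedTrustManager directly, so the JDK's SSLContextImpl hands it the 3-arg calls instead of wrapping it in AbstractTrustManagerWrapper. The class name and the CertPathValidator-based check are assumptions for illustration; once the wrapper is gone, the TLS-layer AlgorithmChecker and endpoint identification are no longer applied by the JDK, so whatever this class does not check goes unchecked.

```kotlin
import java.net.Socket
import java.security.KeyStore
import java.security.cert.CertPathValidator
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.X509Certificate
import javax.net.ssl.SSLEngine
import javax.net.ssl.X509ExtendedTrustManager

// Hypothetical class name; added example, not part of rbcs.
class PkixOnlyTrustManager(trustStore: KeyStore) : X509ExtendedTrustManager() {

    // Trust anchors: used both for path validation and as the accepted-issuer list.
    private val anchors: Array<X509Certificate> = trustStore.aliases().toList()
        .mapNotNull { trustStore.getCertificate(it) as? X509Certificate }
        .toTypedArray()
    private val params = PKIXParameters(trustStore).apply { isRevocationEnabled = false }

    private fun validate(chain: Array<X509Certificate>, authType: String) {
        if (chain.isEmpty()) throw CertificateException("empty certificate chain ($authType)")
        // PKIX path validation against the anchors: signatures, validity periods, basic
        // constraints and the jdk.certpath.disabledAlgorithms constraints from java.security.
        // The TLS-layer checks the JDK's TrustManagerImpl would add (AlgorithmChecker with
        // jdk.tls.disabledAlgorithms, endpoint identification) are NOT run for an extended
        // trust manager; add them here if they are wanted.
        val path = CertificateFactory.getInstance("X.509").generateCertPath(chain.toList())
        CertPathValidator.getInstance("PKIX").validate(path, params)
    }

    // 3-arg methods: with an X509ExtendedTrustManager the JDK calls these directly.
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String, socket: Socket) =
        validate(chain, authType)
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String, socket: Socket) =
        validate(chain, authType)
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String, engine: SSLEngine) =
        validate(chain, authType)
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String, engine: SSLEngine) =
        validate(chain, authType)

    // 2-arg methods: only reached when a caller invokes them directly, not by the JDK's TLS code.
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) = validate(chain, authType)
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) = validate(chain, authType)

    override fun getAcceptedIssuers(): Array<X509Certificate> = anchors
}
```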
- Rename RedisSpan -> SpanHandle for generic span handling
- Generalize TelemetryController methods: startSpan/endSpan with dbSystem param
- Rename RedisOtelSpan -> OtelSpanHandle in rbcs-server-otel
- Update Redis cache handler to use new generic API
- Add OpenTelemetry tracing for memcache GET and SET commands
- Add channel property to MemcacheRequestController for server address attribution
- Add uses TelemetryController directive in memcache module-info
Memcache spans follow the same pattern as Redis:
db.system=memcache, db.operation=GET|SET, server.address, server.port
- Add RedisSpan interface in rbcs-api for opaque span handles
- Extend TelemetryController with startRedisSpan/endRedisSpan methods
- Implement Redis tracing in rbcs-server-otel via OtelController and RedisOtelSpan
- Instrument RedisCacheHandler to create spans around GET and SET commands
- Add uses directive in rbcs-server-redis module-info for ServiceLoader discovery
Redis spans are created as CLIENT spans with attributes:
db.system=redis, db.operation=GET|SET, server.address, server.port
- Update lys.version to 2026.04.14
- Add optional compileOnly dependency on opentelemetry-netty-4.1 in rbcs-server
- Add runtime guard to only activate instrumentation when OTel classes are on classpath
- Insert OTel combined handler after HttpServerCodec in the Netty pipeline
- Add requires-static JPMS directives for optional module support