Posted to issues@kudu.apache.org by "Alexey Serbin (JIRA)" <ji...@apache.org> on 2017/09/15 18:16:00 UTC

[jira] [Comment Edited] (KUDU-2145) Bouncycastle incompatibility with Kudu master CA

    [ https://issues.apache.org/jira/browse/KUDU-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16168287#comment-16168287 ] 

Alexey Serbin edited comment on KUDU-2145 at 9/15/17 6:15 PM:
--------------------------------------------------------------

{noformat}
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
{noformat}

It seems that's because Bouncycastle does not recognize the critical restriction for the certificates generated by Kudu IPKI.  As of now, we put the following restrictions into the ExtendedKeyUsage X509 extension (OID 2.5.29.37, corresponds to OBJ_ext_key_usage/NID_ext_key_usage in OpenSSL): {{"critical,serverAuth,clientAuth"}}

Basically, that means a generated certificate fits authenticating both server and client sides (that's because those certificates are used by tablet servers and masters for that purpose). 

Moreover, those are ubiquitous X509 restrictions, being put into ExtendedKeyUsage for years.  I'm surprised Bouncycastle fails to support them.


was (Author: aserbin):
{noformat}
org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
{noformat}

It seems that's because Bouncycastle does not recognize the critical restriction for the generated certificates.  As of now, we put the following restrictions into the ExtendedKeyUsage X509 extension (OID 2.5.29.37, corresponds to OBJ_ext_key_usage/NID_ext_key_usage in OpenSSL): {{"critical,serverAuth,clientAuth"}}

Basically, that means the generated certificates fit authenticating both server and client sides (that's because those certificates are used by tablet servers and masters for that purpose). 

Those are ubiquitous X509 restrictions being put into ExtendedKeyUsage for years.  I'm surprised Bouncycastle fails to support them.

> Bouncycastle incompatibility with Kudu master CA
> ------------------------------------------------
>
>                 Key: KUDU-2145
>                 URL: https://issues.apache.org/jira/browse/KUDU-2145
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, security
>    Affects Versions: 1.5.0
>            Reporter: Mike Percy
>
> It appears that bouncycastle, at least in some cases, may be incompatible with the current Kudu master CA implementation. I saw the following exception on a Kudu 1.4 cluster in the Impala catalogd log (catalogd uses the Kudu Java client for DDL operations):
> {code}
> E0912 11:22:19.658434  6023 TabletClient.java:723] [Peer ] Unexpected exception from downstream on [id: 0x0c7360a9, /10.0.0.1:42103 => host.example.com/10.0.0.2:7051]
> Java exception follows:
> org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.AbstractCodecEmbedder$EmbeddedChannelPipeline.notifyHandlerException(AbstractCodecEmbedder.java:242)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:566)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder.offer(DecoderEmbedder.java:70)
> 	at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
> 	at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:250)
> 	at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:229)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> 	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
> 	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
> 	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
> 	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
> 	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
> 	... 37 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> 	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> 	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
> 	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
> 	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
> 	... 42 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
> 	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
> 	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
> 	at sun.security.validator.Validator.validate(Validator.java:260)
> 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
> 	at org.apache.kudu.client.SecurityContext$DelegatedTrustManager.checkServerTrusted(SecurityContext.java:275)
> 	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:827)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
> 	... 50 more
> Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
> 	at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
> 	at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
> 	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
> 	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
> 	... 58 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
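To tell which certificates would trip a validator that rejects a critical ExtendedKeyUsage, here is an added example (not Kudu or Bouncycastle code): a minimal DER walker that locates extension 2.5.29.37 and reports its critical flag and key purposes. The two sample Extensions blocks are constructed by hand to match what the "critical,serverAuth,clientAuth" setting (and its non-critical variant) produces; a whole DER certificate can be passed in the same way.

```python
EKU_OID = "2.5.29.37"
# Key purposes Kudu's IPKI writes into the extension: id-kp-serverAuth and id-kp-clientAuth.
KEY_PURPOSES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
# Constructed samples (not captured from a cluster): a TBSCertificate's [3] Extensions with one EKU.
KUDU_STYLE_EXTENSIONS = bytes.fromhex(
    "a32430223020" "0603551d25" "0101ff" "0416" "3014" "06082b06010505070301" "06082b06010505070302")
NONCRITICAL_EXTENSIONS = bytes.fromhex(
    "a321301f301d" "0603551d25" "0416" "3014" "06082b06010505070301" "06082b06010505070302")

def _read_tlv(buf, pos):
    """Return (tag, content, end) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, content, whole_tlv) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, content, end = _read_tlv(value, pos)
        yield tag, content, value[pos:end]
        pos = end

def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def find_eku(der):
    """Walk a DER blob (Extensions block or whole certificate); report EKU as a dict or None."""
    tag, value, _ = _read_tlv(der, 0)
    kids = list(_children(value)) if tag & 0x20 else []  # only constructed tags have children
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    if tag == 0x30 and kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == EKU_OID:
        _, seq, _ = _read_tlv(kids[-1][1], 0)  # extnValue wraps a SEQUENCE OF KeyPurposeId
        oids = [_decode_oid(c) for t, c, _ in _children(seq) if t == 0x06]
        return {"critical": len(kids) == 3 and kids[1][:2] == (0x01, b"\xff"),
                "purposes": [KEY_PURPOSES.get(o, o) for o in oids]}
    for _, _, raw in kids:  # otherwise keep searching the nested structures
        found = find_eku(raw)
        if found is not None:
            return found
    return None
```

A validator such as the one in the trace above rejects a chain when `find_eku` reports `critical: True` for an extension it does not implement; the non-critical sample is what the same certificate looks like without the `critical` keyword.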