Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/04/25 19:21:14 UTC
[GitHub] [pulsar] surendra-k opened a new issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
surendra-k opened a new issue #6821:
URL: https://github.com/apache/pulsar/issues/6821
#### Expected behavior
Should be able to connect to pulsar+ssl proxy and create producer/consumer
#### Actual behavior
Environment: Java8, pulsar-java-client, mac 10.14.6
Pulsar setup: the Pulsar cluster is running behind an Nginx proxy. The Java client tries to connect to Pulsar via Nginx using the binary protocol 'pulsar+ssl',
failing with the following error:
```
Caused by: java.lang.IllegalArgumentException: port out of range:-1
at java.net.InetSocketAddress.checkPort(InetSocketAddress.java:143)
at java.net.InetSocketAddress.createUnresolved(InetSocketAddress.java:254)
at org.apache.pulsar.client.impl.BinaryProtoLookupService.lambda$null$2(BinaryProtoLookupService.java:109)
pulsar-client-io-1-1, SEND TLSv1.2 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 2
0000: 01 00 ..
pulsar-client-io-1-1, WRITE: TLSv1.2 Alert, length = 26
pulsar-client-io-1-1, called closeInbound()
pulsar-client-io-1-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
pulsar-client-io-1-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
pulsar-client-io-1-1, Exception sending alert: java.io.IOException: writer side was already closed.
```
The TLS certificate has the following info:
```
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
```
Is this an issue with the cipher? The certificate has AES256-GCM and the Java client is using AES128-GCM. I tried importing the unlimited JCE policy jars and switching to Bouncy Castle; the issue still exists.
#### Steps to reproduce
Java client connecting to proxy with binary protocol 'pulsar+ssl'
code:
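```
import org.apache.pulsar.client.api.Producer;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.Schema;

// Connect over the TLS binary protocol through Nginx, then create a producer.
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://{nginx_url}:6651")
        .build();
Producer<String> strProducer = client.newProducer(Schema.STRING)
        .topic(TOPIC_NAME)
        .create();
```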
#### System configuration
**Pulsar version**: 2.5
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] surendra-k commented on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
surendra-k commented on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-619983341
Nginx points to the broker; couldn't get 'how did you setup Nginx?'
The same thing is working with Python, but failing with Java.
[GitHub] [pulsar] surendra-k commented on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
surendra-k commented on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-620601371
Some issue between Nginx and the Pulsar broker (internal issue), not relevant to the Java pulsar-client; closing the issue.
[GitHub] [pulsar] sijie commented on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
sijie commented on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-619664277
@surendra-k how did you setup Nginx? Which component did Nginx point to, broker or proxy?
[GitHub] [pulsar] danielorf commented on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
danielorf commented on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-835418071
@surendra-k Did you ever track down the internal issue? I'm having what appears to be a similar problem involving an AWS load balancer not being able to talk to the pulsar proxies.
[GitHub] [pulsar] surendra-k edited a comment on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
surendra-k edited a comment on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-619983341
Nginx points to the broker; didn't get 'how did you setup Nginx?'
The same thing is working with Python, but failing with Java.
From the logs:
the server and client are able to establish a secret key, but it is failing after that.
Logs:
```
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
*** Found trusted certificate:
*** ECDH ServerKeyExchange
*** ServerHelloDone
*** ECDHClientKeyExchange
*** Finished
verify_data: { 142, 12, 251, 160, 67, 86, 213, 6, 110, 16, 47, 44 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
```
After the above, it repeats the following (8 or 9 times) and throws java.lang.IllegalArgumentException: port out of range:-1
```
Padded plaintext before ENCRYPTION: len = 59
0000: 00 00 00 37 00 00 00 33 08 17 BA 01 2E 0A 28 70 ...7...3......(p
0010: 65 72 73 69 73 74 65 6E 74 3A 2F 2F 70 75 62 6C ersistent://publ
0020: 69 63 2F 64 65 66 61 75 6C 74 2F 6D 79 2D 74 6F ic/default/my-to
0030: 70 69 63 2D 33 33 33 10 03 18 00 pic-333....
pulsar-client-io-1-1, WRITE: TLSv1.2 Application Data, length = 59
[Raw write (bb)]: length = 88
0000: 17 03 03 00 53 00 00 00 00 00 00 00 05 8D 7F BC ....S...........
0010: BB 09 9D 8E C9 3D BA FB 04 A6 EB 01 67 AE C0 BE .....=......g...
0020: 56 98 6F AE 51 F1 67 A2 7D 70 42 8B FD 8C 6B 8D V.o.Q.g..pB...k.
0030: 6F 65 14 E1 37 B8 05 6B F2 E5 F4 62 53 72 1B 61 oe..7..k...bSr.a
0040: DF EC 05 18 1D 42 E8 0A E0 C6 96 A9 B5 CF DF 8D .....B..........
0050: 7B 2A BD 1B 54 EC 13 78 .*..T..x
[Raw read (bb)]: length = 81
0000: 17 03 03 00 4C 57 FD 4A 94 45 C9 63 F6 51 EF 87 ....LW.J.E.c.Q..
0010: ED F9 A5 70 69 DC 6D 1B 0B 21 EA AE 4F FA 29 54 ...pi.m..!..O.)T
0020: 1D A6 91 16 BB 83 76 59 03 98 14 D8 5E 02 25 28 ......vY....^.%(
0030: D8 AA 26 E0 94 2C A7 DE 5D 0B E9 FB 19 D0 77 DB ..&..,..].....w.
0040: 3D E9 E7 24 33 67 12 0A 10 EB 84 49 A0 74 0F B2 =..$3g.....I.t..
0050: 3F ?
Padded plaintext after DECRYPTION: len = 52
0000: 00 00 00 30 00 00 00 2C 08 18 C2 01 27 0A 1B 70 ...0...,....'..p
0010: 75 6C 73 61 72 3A 2F 2F 31 30 2E 31 32 30 2E 32 ulsar://10.x.x
0020: 31 34 2E 33 31 3A 36 36 35 30 12 00 18 01 20 03 .x:6650.... .
0030: 28 01 40 01 (.@.
```
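An added example, not part of the original thread or of Pulsar's own code: a decoder for a decrypted lookup-response frame like the last one in the log above, where the second URL field is zero-length (`12 00`) right after the `pulsar://` address. It reports whether the broker advertised a TLS URL to a client that connected with `pulsar+ssl`; the field numbers are assumed from Pulsar's protobuf definition, and the sample frame is constructed with a made-up address.

```python
import struct
# Assumed from Pulsar's PulsarApi.proto (not on this page): command type 24 is
# LOOKUP_RESPONSE; its field 1 is the plaintext broker URL, field 2 the TLS one.
LOOKUP_RESPONSE, F_URL, F_URL_TLS = 24, 1, 2

def read_varint(buf, pos):  # returns (value, next_pos)
    value = shift = 0
    while pos < len(buf):
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("truncated varint")

def parse_fields(buf):
    """Parse varint (wire type 0) and length-delimited (wire type 2) fields."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key & 7 == 0:
            fields[key >> 3], pos = read_varint(buf, pos)
        elif key & 7 == 2:
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("truncated field")
            fields[key >> 3] = bytes(buf[pos:pos + size])
            pos += size
        else:
            raise ValueError("unsupported wire type")
    return fields

def check_lookup_frame(frame, client_uses_tls):
    """Return (plain_url, tls_url, finding) for one decrypted frame."""
    total, cmd_size = struct.unpack(">II", frame[:8])
    if total != len(frame) - 4 or cmd_size != total - 4:
        raise ValueError("frame sizes do not match")
    base = parse_fields(frame[8:])
    if base.get(1) != LOOKUP_RESPONSE:
        raise ValueError("not a lookup response")
    resp = parse_fields(base[LOOKUP_RESPONSE])
    plain, tls = resp.get(F_URL, b"").decode(), resp.get(F_URL_TLS, b"").decode()
    finding = "no TLS broker URL advertised" if client_uses_tls and not tls else "ok"
    return plain, tls, finding

# Constructed sample with the dump's field layout; the address is made up.
_url = b"pulsar://10.0.0.1:6650"
_resp = bytes([0x0A, len(_url)]) + _url + bytes.fromhex("12001801200328014001")
_cmd = bytes([0x08, 0x18, 0xC2, 0x01, len(_resp)]) + _resp
SAMPLE = struct.pack(">II", len(_cmd) + 4, len(_cmd)) + _cmd
```

`check_lookup_frame(SAMPLE, True)` returns the plaintext URL, an empty TLS URL and the finding `no TLS broker URL advertised`.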
[GitHub] [pulsar] surendra-k edited a comment on issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx
Posted by GitBox <gi...@apache.org>.
surendra-k edited a comment on issue #6821:
URL: https://github.com/apache/pulsar/issues/6821#issuecomment-619983341
Nginx points to the broker; didn't get 'how did you setup Nginx?'
The same thing is working with Python, but failing with Java.