Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2021/09/27 20:53:00 UTC

[jira] [Commented] (CASSANDRA-17006) hostname verification for server-to-server encryption fails handshake on gateway IP

    [ https://issues.apache.org/jira/browse/CASSANDRA-17006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17421024#comment-17421024 ] 

Brandon Williams commented on CASSANDRA-17006:
----------------------------------------------

InboundConnectionInitiator handles inbound connections, so it is correctly rejecting the connection from this IP.  It sounds like you have something misconfigured and 172.17.154.1 is performing NAT such that connections appear to come from it.

> hostname verification for server-to-server encryption fails handshake on gateway IP
> -----------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17006
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17006
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Messaging/Internode
>            Reporter: Nicolas Henneaux
>            Priority: Normal
>
> When starting a Cassandra cluster with docker compose, I'm getting handshake errors with the sub-network gateway.
> {code}
> No subject alternative names matching IP address 172.17.154.1 found
> {code}
> It tries to handshake with the gateway instead of the other nodes directly.
> I'm using Cassandra docker container {{cassandra:4.0.1}}. When disabling {{require_endpoint_verification}} configuration, the cluster runs fine.
> Those are the containers' IPs:
> {code}
>  docker inspect -f '{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -aq)
> Sep 27 19:57:15 /cassandra.cassandra-init.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.7
> Sep 27 19:57:15 /cassandra.tests.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.6
> Sep 27 19:57:15 /cassandra.cassandra2.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.5
> Sep 27 19:57:15 /cassandra.cassandra3.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.4
> Sep 27 19:57:15 /cassandra.ssh.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.2
> Sep 27 19:57:15 /cassandra.cassandra1.ochptjyl.f21554205325e6663810168edd903aa8f0ac4a34 - 172.17.154.3
> {code}
> The full stack trace:
> {code}
> ERROR [Messaging-EventLoop-3-2] 2021-09-27 19:57:32,057 InboundConnectionInitiator.java:360 - Failed to properly handshake with peer /172.17.154.1:36992. Closing the channel.
>  io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
>  	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
>  	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>  	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>  	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>  	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
>  	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
>  	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>  	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>  	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>  	at java.base/java.lang.Thread.run(Unknown Source)
>  Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1793)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:777)
>  	at java.base/javax.net.ssl.SSLEngine.wrap(Unknown Source)
>  	at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1086)
>  	at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:977)
>  	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1450)
>  	at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
>  	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
>  	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>  	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>  	... 15 common frames omitted
>  Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.17.154.1 found
>  	at java.base/sun.security.util.HostnameChecker.matchIP(Unknown Source)
>  	at java.base/sun.security.util.HostnameChecker.match(Unknown Source)
>  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
>  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
>  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>  	at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslServerContext.java:268)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
>  	at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:596)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1220)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1346)
>  	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1389)
>  	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
>  	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
>  	... 19 common frames omitted
>  	Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>  		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1309)
>  		at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
>  		... 23 common frames omitted
> {code}
> The server-to-server encryption configuration:
> {code}
> server_encryption_options:
>   internode_encryption: all
>   enable_legacy_ssl_storage_port: false
>   keystore: /etc/cassandra/keystore.p12
>   keystore_password: xxx
>   require_client_auth: true
>   truststore: /etc/cassandra/truststore.p12
>   truststore_password: xxx
>   require_endpoint_verification: true
> {code}
>  



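Added diagnostic, not part of the Jira thread and not Cassandra's code: it cross-checks the peer address from an InboundConnectionInitiator failure line against the node certificate's iPAddress SANs (the same exact-match rule Java's HostnameChecker.matchIP applies, which is what produced the "No subject alternative names matching IP address" error) and against the container list, so a failing address that is not a container at all points at NAT through the gateway. The SAN list and the sample log and docker inspect lines are constructed.

```python
"""Added diagnostic (not Cassandra or the reporter's code): check whether the
peer address in an InboundConnectionInitiator failure is covered by the node
certificate's iPAddress SANs, mirroring Java's HostnameChecker.matchIP, and
whether it is a known container at all (if not, suspect NAT via the gateway)."""
import ipaddress
import re
# Constructed SAN list shaped like ssl.getpeercert()["subjectAltName"]; assumes
# the cert was issued for the three cassandra containers only.
NODE_CERT_SANS = (
    ("DNS", "cassandra1"), ("IP Address", "172.17.154.3"),
    ("DNS", "cassandra2"), ("IP Address", "172.17.154.5"),
    ("DNS", "cassandra3"), ("IP Address", "172.17.154.4"),
)
# Constructed sample lines in the formats quoted in the issue.
DOCKER_INSPECT = """\
Sep 27 19:57:15 /cassandra.cassandra2.ochptjyl.f2155 - 172.17.154.5
Sep 27 19:57:15 /cassandra.cassandra3.ochptjyl.f2155 - 172.17.154.4
Sep 27 19:57:15 /cassandra.cassandra1.ochptjyl.f2155 - 172.17.154.3
"""
SYSTEM_LOG = ("ERROR [Messaging-EventLoop-3-2] 2021-09-27 19:57:32,057 "
              "InboundConnectionInitiator.java:360 - Failed to properly handshake "
              "with peer /172.17.154.1:36992. Closing the channel.\n")
_INSPECT_RE = re.compile(r"(?P<name>/\S+) - (?P<ip>[0-9a-fA-F.:]+)\s*$")
_FAIL_RE = re.compile(r"handshake with peer /(?P<ip>[0-9a-fA-F.:]+):\d+")

def container_ips(text):
    """Map container name -> ip_address from 'docker inspect -f ...' output."""
    return {m["name"]: ipaddress.ip_address(m["ip"])
            for m in map(_INSPECT_RE.search, text.splitlines()) if m}

def failed_peer_ips(log_text):
    """Peer source addresses from InboundConnectionInitiator handshake failures."""
    return {ipaddress.ip_address(m["ip"])
            for m in map(_FAIL_RE.search, log_text.splitlines()) if m}

def ip_matches_san(peer_ip, sans):
    """matchIP semantics: an IP peer must equal an iPAddress SAN; DNS SANs are ignored."""
    peer = ipaddress.ip_address(peer_ip)
    return any(k == "IP Address" and ipaddress.ip_address(v) == peer for k, v in sans)

def diagnose(log_text, inspect_text, sans):
    """(ip, verdict) for each failing peer: SAN coverage, or NAT/gateway suspicion."""
    containers = set(container_ips(inspect_text).values())
    def verdict(ip):
        if ip_matches_san(str(ip), sans):
            return "san-ok"
        return "container-not-in-san" if ip in containers else "not-a-container: NAT/gateway?"
    return [(str(ip), verdict(ip)) for ip in sorted(failed_peer_ips(log_text))]
```

Run against a real system.log and `docker inspect` output, a "not-a-container" verdict means the address peers appear to connect from is not a node at all, which is exactly the NAT-through-gateway situation the comment above describes.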
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
