Posted to issues@zookeeper.apache.org by "Pradeep (Jira)" <ji...@apache.org> on 2020/04/17 12:36:00 UTC
[jira] [Commented] (ZOOKEEPER-3674) zookeeper.ssl.clientAuth ignored
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085699#comment-17085699 ]
Pradeep commented on ZOOKEEPER-3674:
------------------------------------
Is this fixed in the latest version?
One-way authentication is still failing in 3.6.
*Client config*
{code:java}
CLIENT_JVMFLAGS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.ssl.trustStore.location=/client.truststore.jks
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.trustStore.password=******
-Dzookeeper.ssl.hostnameVerification=false" /apache-zookeeper-3.6.0-bin/bin/zkCli.sh -server 192.168.235.165:2281
{code}
*Server config*
{code:java}
root@zoo1:/# cat /apache-zookeeper-3.6.0-bin/conf/zoo.cfg
standaloneEnabled=false
tickTime=2000
dataDir=/var/lib/zookeeper
secureClientPort=2281
initLimit=5
syncLimit=2
server.1=192.168.235.165:2888:3888
server.2=192.168.208.221:2888:3888
server.3=192.168.23.240:2888:3888
ssl.clientAuth=none
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/server.pem
ssl.quorum.trustStore.location=/path/to/serverca/cacertbundle.pem
ssl.hostnameVerification=false
ssl.quorum.hostnameVerification=false
root@zoo1:/#
{code}
*Error*
{code:java}
2020-04-17 12:31:34,374 [myid:1] - TRACE [nioEventLoopGroup-4-1:NettyServerCnxnFactory$CnxnChannelHandler@207] - Channel active [id: 0x58fda1a0, L:/192.168.235.165:2281 - R:/192.168.174.137:36062]
2020-04-17 12:31:34,374 [myid:1] - TRACE [nioEventLoopGroup-4-1:NettyServerCnxnFactory$CnxnChannelHandler@207] - Channel active [id: 0x58fda1a0, L:/192.168.235.165:2281 - R:/192.168.174.137:36062]
2020-04-17 12:31:34,377 [myid:1] - ERROR [nioEventLoopGroup-4-1:NettyServerCnxnFactory$CertificateVerifier@434] - Unsuccessful handshake with session 0x0
2020-04-17 12:31:34,377 [myid:1] - DEBUG [nioEventLoopGroup-4-1:NettyServerCnxn@106] - close called for session id: 0x0
2020-04-17 12:31:34,377 [myid:1] - DEBUG [nioEventLoopGroup-4-1:NettyServerCnxn@117] - cnxns size:0
2020-04-17 12:31:34,377 [myid:1] - WARN [nioEventLoopGroup-4-1:NettyServerCnxnFactory$CnxnChannelHandler@273] - Exception caught
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
    at javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
    at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
    ... 17 more
2020-04-17 12:31:34,378 [myid:1] - DEBUG [nioEventLoopGroup-4-1:NettyServerCnxnFactory$CnxnChannelHandler@276] - Closing /192.168.174.137:36062[0](queued=0,recved=0,sent=0)
{code}
> zookeeper.ssl.clientAuth ignored
> --------------------------------
>
> Key: ZOOKEEPER-3674
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3674
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.5.5, 3.5.6
> Reporter: Ron Dagostino
> Priority: Major
> Fix For: 3.5.7
>
>
> Setting zookeeper.ssl.clientAuth currently has no impact; a client certificate is currently always required.
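An added example, not part of the original comment or of the ZooKeeper project: a small linter for the client-port TLS settings of a `zoo.cfg` like the one posted above. It assumes the property names and the `need` default from the ZooKeeper administrator's guide, where `ssl.keyStore.location` and `ssl.trustStore.location` configure the `secureClientPort` listener and `ssl.quorum.*` covers only server-to-server traffic; the sample config is constructed from the quoted lines, and the finding codes are hypothetical names.

```python
# Added example (not ZooKeeper project code): lint client-port TLS settings in zoo.cfg.
# ssl.quorum.* keys configure server-to-server TLS only, so they are not consulted here.

# Constructed sample, reduced from the server config quoted in the comment.
SAMPLE_CFG = """\
secureClientPort=2281
ssl.clientAuth=none
sslQuorum=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.quorum.keyStore.location=/server.pem
ssl.quorum.trustStore.location=/path/to/serverca/cacertbundle.pem
"""

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"


def parse_cfg(text):
    """Parse key=value lines, skipping blanks, comments and lines without '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_client_tls(props):
    """Return a list of (code, message) findings for the secure client port."""
    if "secureClientPort" not in props:
        return []  # no TLS client listener configured, nothing to check
    findings = []
    if props.get("serverCnxnFactory") != NETTY:
        findings.append(("FACTORY", "secureClientPort needs serverCnxnFactory=" + NETTY))
    if not props.get("ssl.keyStore.location"):
        findings.append(("NO_KEYSTORE", "ssl.keyStore.location unset: the client "
                         "listener has no certificate to present"))
    auth = props.get("ssl.clientAuth", "need").lower()  # default per the admin guide
    if auth not in ("none", "want", "need"):
        findings.append(("BAD_AUTH", "ssl.clientAuth must be none, want or need"))
    elif auth != "none" and not props.get("ssl.trustStore.location"):
        findings.append(("NO_TRUSTSTORE", "ssl.clientAuth=" + auth + " but "
                         "ssl.trustStore.location unset: client certs cannot be verified"))
    return findings


if __name__ == "__main__":
    for code, message in lint_client_tls(parse_cfg(SAMPLE_CFG)):
        print(code + ": " + message)
```

The check only sees `zoo.cfg`; the same settings supplied as `-Dzookeeper.…` JVM flags would have to be merged into the parsed properties first.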