Re: Getting 401 With secure websockets on AWS

[Khalid Huseynov <kh...@apache.org>]

Hi Michael,

Which version of Zeppelin are you using?

On Sat, Apr 22, 2017 at 3:10 AM, Knapp, Michael <
Michael.Knapp@capitalone.com> wrote:

> Hi,
>
>
>
> I am getting a 401, unauthorized, with all secure (and non-secure)
> websocket calls while running on AWS.  I have configured the server
> properly to use a signed certificate, I have tested and all HTTPS calls are
> successful.  I also have LDAP working.  Still, the websocket calls are all
> failing.
>
>
>
> I have a security group setup, it allows inbound TCP traffic over port 443
> from all sources (0.0.0.0/0).  I believe that alone should have been
> adequate.
>
>
>
> I set JAVA_OPTS=’-Djavax.net.debug=all’ and watched the standard output.
> Every time the websockets attempt to connect, I see these printed to
> standard out:
>
>
>
> qtp1622006612-39, called closeInbound()
>
> qtp1622006612-39, fatal error: 80: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>
> javax.net.ssl.SSLException: Inbound closed before receiving peer's
> close_notify: possible truncation attack?
>
> %% Invalidated:  [Session-50, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
>
> qtp1622006612-39, SEND TLSv1.2 ALERT:  fatal, description = internal_error
>
> qtp1622006612-39, WRITE: TLSv1.2 Alert, length = 2
>
>
>
> Nothing is written the the log file when these websocket requests fail.
>
>
>
> Can somebody please tell me why this is still not working?
>
>
>
> Michael Knapp
>
> ------------------------------
>
> The information contained in this e-mail is confidential and/or
> proprietary to Capital One and/or its affiliates and may only be used
> solely in performance of work or services for Capital One. The information
> transmitted herewith is intended only for use by the individual or entity
> to which it is addressed. If the reader of this message is not the intended
> recipient, you are hereby notified that any review, retransmission,
> dissemination, distribution, copying or other use of, or taking of any
> action in reliance upon this information is strictly prohibited. If you
> have received this communication in error, please contact the sender and
> delete the material from your computer.
>

Re: Getting 401 With secure websockets on AWS

["Knapp, Michael" <Mi...@capitalone.com>]

I have upgraded to Zeppelin 0.7.2, but the issue remains.

On AWS, Zeppelin is not working because the websocket consistently gets a 401 status.

Has anybody else encountered this problem?  Could there be a mistake in how websockets are being formed?  Perhaps they are missing some essential headers.

Michael Knapp

From: "Knapp, Michael" <Mi...@capitalone.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Tuesday, June 27, 2017 at 3:25 PM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Subject: Re: Getting 401 With secure websockets on AWS

Sorry it took me a while to respond, I got side-tracked.  This is still a major problem for me.

I am using Zeppelin 0.7.0, I can try upgrading.

Other factors:

·         We are using proxies

·         This is running in docker and kubernetes now, but in the original email it was installed directly on an ec2.



From: Khalid Huseynov <kh...@apache.org>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Thursday, May 4, 2017 at 4:30 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Subject: Re: Getting 401 With secure websockets on AWS

Hi Michael,

Which version of Zeppelin are you using?

On Sat, Apr 22, 2017 at 3:10 AM, Knapp, Michael <Mi...@capitalone.com>> wrote:
Hi,

I am getting a 401, unauthorized, with all secure (and non-secure) websocket calls while running on AWS.  I have configured the server properly to use a signed certificate, I have tested and all HTTPS calls are successful.  I also have LDAP working.  Still, the websocket calls are all failing.

I have a security group setup, it allows inbound TCP traffic over port 443 from all sources (0.0.0.0/0<http://0.0.0.0/0>).  I believe that alone should have been adequate.

I set JAVA_OPTS=’-Djavax.net.debug=all’ and watched the standard output.  Every time the websockets attempt to connect, I see these printed to standard out:

qtp1622006612-39, called closeInbound()
qtp1622006612-39, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-50, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
qtp1622006612-39, SEND TLSv1.2 ALERT:  fatal, description = internal_error
qtp1622006612-39, WRITE: TLSv1.2 Alert, length = 2

Nothing is written the the log file when these websocket requests fail.

Can somebody please tell me why this is still not working?

Michael Knapp

________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.


________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
________________________________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

Re: Getting 401 With secure websockets on AWS

["Knapp, Michael" <Mi...@capitalone.com>]

Sorry it took me a while to respond, I got side-tracked.  This is still a major problem for me.

I am using Zeppelin 0.7.0, I can try upgrading.

Other factors:

·         We are using proxies

·         This is running in docker and kubernetes now, but in the original email it was installed directly on an ec2.



From: Khalid Huseynov <kh...@apache.org>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Thursday, May 4, 2017 at 4:30 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Subject: Re: Getting 401 With secure websockets on AWS

Hi Michael,

Which version of Zeppelin are you using?

On Sat, Apr 22, 2017 at 3:10 AM, Knapp, Michael <Mi...@capitalone.com>> wrote:
Hi,

I am getting a 401, unauthorized, with all secure (and non-secure) websocket calls while running on AWS.  I have configured the server properly to use a signed certificate, I have tested and all HTTPS calls are successful.  I also have LDAP working.  Still, the websocket calls are all failing.

I have a security group setup, it allows inbound TCP traffic over port 443 from all sources (0.0.0.0/0<http://0.0.0.0/0>).  I believe that alone should have been adequate.

I set JAVA_OPTS=’-Djavax.net.debug=all’ and watched the standard output.  Every time the websockets attempt to connect, I see these printed to standard out:

qtp1622006612-39, called closeInbound()
qtp1622006612-39, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-50, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
qtp1622006612-39, SEND TLSv1.2 ALERT:  fatal, description = internal_error
qtp1622006612-39, WRITE: TLSv1.2 Alert, length = 2

Nothing is written the the log file when these websocket requests fail.

Can somebody please tell me why this is still not working?

Michael Knapp

________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

________________________________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.