Posted to user@zookeeper.apache.org by Dipti Mulay <di...@4skylabs.com> on 2021/01/02 04:32:09 UTC

TLS certificate error does not return an error to client

Hi All,

I have been using the ZooKeeper C client libraries to communicate with the ZooKeeper cluster (ensemble).
The connection is established using mTLS.

While running some tests I had an incorrect certificate installed on the client side. I was expecting that the library would return an error indicating AUTH failure, or a session callback event indicating a failure.
But it seems that no error or callback is returned in this case. I set the log level to DEBUG in the client and I don't see any logs coming out either.

I intend to write some retry code and do some alarming based on the events returned by the library.

Any suggestions?

Thanks
-Parag

Re: TLS certificate error does not return an error to client

Posted by Martin Gainty <mg...@hotmail.com>.
You will need SSL debug information turned on at JVM invocation.

The -Djavax.net.debug=all property enables debug logging within the JSSE-based SSL implementation.
SSL Debugging (oracle.com) <https://docs.oracle.com/middleware/12212/wls/SECMG/ssl_debug.htm#SECMG544>

martin
________________________________
From: Benjamin Reed <br...@apache.org>
Sent: Sunday, January 3, 2021 1:30 PM
To: user@zookeeper.apache.org <us...@zookeeper.apache.org>
Subject: Re: TLS certificate error does not return an error to client

It sounds like we might be missing a test case. Do we not have test
case coverage for this one?

ben

Re: TLS certificate error does not return an error to client

Posted by Dipti Mulay <di...@4skylabs.com>.
Thanks Mate.

I have created a JIRA ticket: https://issues.apache.org/jira/browse/ZOOKEEPER-4047
I am fairly new to the ZooKeeper world. It might take me some time to understand all the code and fix this.
In the meantime, if somebody wants to pick this up and fix it, I will be grateful.

Thanks
-Parag

On 1/5/21, 4:05 PM, "Szalay-Bekő Máté" <sz...@gmail.com> wrote:

    This sounds like a bug indeed... I think you should create a Jira ticket
    for this.
    I agree with Benjamin Reed that you should start by adding a new test
    case to the C client. We already have tests for the C client using SSL to
    connect to the server (
    https://github.com/apache/zookeeper/blob/701e134dfba721356deac1a20aa80e94ec80484a/zookeeper-client/zookeeper-client-c/tests/TestClient.cc#L882-L890);
    you can start from that one.

    In these tests we use some dummy certificate/key files; you could
    modify this script to generate some invalid certificates:
    https://github.com/apache/zookeeper/blob/master/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh


    Also, make sure the following parameters are set in zoo.cfg (these are
    the default values): client.portUnification=false and ssl.clientAuth=need
    (see https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html ).

    Best Regards,
    Mate

Re: TLS certificate error does not return an error to client

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
This sounds like a bug indeed... I think you should create a Jira ticket
for this.
I agree with Benjamin Reed that you should start by adding a new test
case to the C client. We already have tests for the C client using SSL to
connect to the server (
https://github.com/apache/zookeeper/blob/701e134dfba721356deac1a20aa80e94ec80484a/zookeeper-client/zookeeper-client-c/tests/TestClient.cc#L882-L890);
you can start from that one.

In these tests we use some dummy certificate/key files; you could
modify this script to generate some invalid certificates:
https://github.com/apache/zookeeper/blob/master/zookeeper-client/zookeeper-client-c/ssl/gencerts.sh


Also, make sure the following parameters are set in zoo.cfg (these are
the default values): client.portUnification=false and ssl.clientAuth=need
(see https://zookeeper.apache.org/doc/r3.6.2/zookeeperAdmin.html ).

Best Regards,
Mate


On Tue, Jan 5, 2021 at 10:46 AM Martin Gainty <mg...@hotmail.com> wrote:

> Unfortunately I can't help you. Good luck.

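An added, stand-alone example (not code from ZooKeeper or from anyone in this thread) of the test Mate describes, reduced to the TLS layer: a server that requires and verifies a client certificate, the Go standard-library counterpart of ssl.clientAuth=need, is connected to by a client whose certificate was issued by a CA the server does not trust, and the result on both sides is recorded. It is written in Go rather than C so that it runs over loopback with no ZooKeeper build and no OpenSSL linkage. The in-memory CAs and names (zk-server-ca, zk-client-ca, unrelated-ca, zk1.example.test, zk-client) and the "ok" byte the server sends after a successful handshake are constructed for this example and correspond to nothing in the project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Outcome records where, if anywhere, each side saw a failure: the server's Handshake(), the
// client's Handshake(), and the client's first Read() after a Handshake() that returned nil.
type Outcome struct {
	ServerErr, ClientHandshakeErr, ClientReadErr error
}

// must aborts fixture setup (key generation, signing, loopback sockets) on any error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a P-256 certificate for cn: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent. These in-memory fixtures stand in for the dummy files gencerts.sh writes to disk.
func mustCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, usage ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: usage, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Handshake runs one mTLS exchange over loopback TCP. The server demands a client certificate chaining to
// clientCA (the counterpart of ssl.clientAuth=need); the client presents clientCert and trusts serverCA.
func Handshake(serverCert, clientCert tls.Certificate, serverCA, clientCA *x509.Certificate, serverName string) Outcome {
	serverCAs, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	serverCAs.AddCert(serverCA)
	clientCAs.AddCert(clientCA)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: serverCAs, ServerName: serverName}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	cli := must(net.Dial("tcp", ln.Addr().String()))
	defer cli.Close()
	srv := must(ln.Accept())
	defer srv.Close()
	cli.SetDeadline(time.Now().Add(5 * time.Second))
	srv.SetDeadline(time.Now().Add(5 * time.Second))
	serverDone := make(chan error, 1)
	go func() {
		conn := tls.Server(srv, serverCfg)
		err := conn.Handshake() // on failure Go has already sent a bad_certificate alert to the client
		if err == nil {
			_, err = conn.Write([]byte("ok")) // only reached once the client certificate verified
		}
		serverDone <- err
	}()
	conn := tls.Client(cli, clientCfg)
	var out Outcome
	if out.ClientHandshakeErr = conn.Handshake(); out.ClientHandshakeErr == nil {
		// Under TLS 1.3 the client finishes before the server has judged its certificate, so a
		// rejection surfaces only here, on the first read, not in Handshake().
		_, out.ClientReadErr = io.ReadFull(conn, make([]byte, 2))
	}
	out.ServerErr = <-serverDone
	return out
}

// Scenario builds the PKI; with wrongIssuer the client certificate comes from an unrelated CA (the thread's case).
func Scenario(wrongIssuer bool) Outcome {
	serverCA, serverCAKey := mustCert("zk-server-ca", nil, nil)
	clientCA, clientCAKey := mustCert("zk-client-ca", nil, nil)
	issuer, issuerKey := clientCA, clientCAKey
	if wrongIssuer {
		issuer, issuerKey = mustCert("unrelated-ca", nil, nil)
	}
	serverCert, serverKey := mustCert("zk1.example.test", serverCA, serverCAKey, x509.ExtKeyUsageServerAuth)
	clientCert, clientKey := mustCert("zk-client", issuer, issuerKey, x509.ExtKeyUsageClientAuth)
	return Handshake(tls.Certificate{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey},
		tls.Certificate{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}, serverCA, clientCA, "zk1.example.test")
}

func main() {
	for _, wrong := range []bool{false, true} {
		fmt.Printf("wrong issuer=%v: %+v\n", wrong, Scenario(wrong))
	}
}
```

Running it prints one Outcome per scenario: all three fields nil for the trusted client, and for the untrusted one a server error reporting that the client certificate could not be verified (signed by an unknown authority). Note where the client learns of it. Under TLS 1.3, Go's default, the client's last handshake flight is sent before the server has verified the certificate, so the client's Handshake() typically returns nil and the rejection only arrives as an alert on the first Read(); a client that waits for a "connected" callback and never reads sees exactly the silence described at the top of this thread. Any check for this case therefore has to assert on an observable outcome (the server refuses, and the client sees an error either in the handshake or on its first read), which is the shape a TestClient.cc case for the C client would also need: an error return, a session event, or a bounded timeout, not the absence of a log line.
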
Re: TLS certificate error does not return an error to client

Posted by Martin Gainty <mg...@hotmail.com>.
Unfortunately I can't help you. Good luck.

________________________________
From: Dipti Mulay <di...@4skylabs.com>
Sent: Sunday, January 3, 2021 7:29 PM
To: user@zookeeper.apache.org <us...@zookeeper.apache.org>
Subject: Re: TLS certificate error does not return an error to client

Hi Martin,

I am using the C client, not Java.

Thanks
-Dipti

Re: TLS certificate error does not return an error to client

Posted by Dipti Mulay <di...@4skylabs.com>.
Hi Martin,

I am using the C client, not Java.

Thanks
-Dipti

On 1/4/21, 5:27 AM, "Martin Gainty" <mg...@hotmail.com> wrote:

    You will need SSL debugging turned on at JVM invocation.

Re: TLS certificate error does not return an error to client

Posted by Martin Gainty <mg...@hotmail.com>.
You will need SSL debugging turned on at JVM invocation.

________________________________
From: Benjamin Reed <br...@apache.org>
Sent: Sunday, January 3, 2021 1:30 PM
To: user@zookeeper.apache.org <us...@zookeeper.apache.org>
Subject: Re: TLS certificate error does not return an error to client

It sounds like we might be missing a test case. Do we not have test
case coverage for this one?

ben

Re: TLS certificate error does not return an error to client

Posted by Benjamin Reed <br...@apache.org>.
It sounds like we might be missing a test case. Do we not have test
case coverage for this one?

ben

On Fri, Jan 1, 2021 at 8:32 PM Dipti Mulay <di...@4skylabs.com> wrote:
>
> Hi All,
>
> I have been using the ZooKeeper C client libraries to communicate with the ZooKeeper cluster (ensemble).
> The connection is established using mTLS.
>
> While running some tests I had an incorrect certificate installed on the client side. I was expecting that the library would return an error indicating AUTH failure, or a session callback event indicating a failure.
> But it seems that no error or callback is returned in this case. I set the log level to DEBUG in the client and I don't see any logs coming out either.
>
> I intend to write some retry code and do some alarming based on the events returned by the library.
>
> Any suggestions?
>
> Thanks
> -Parag