You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2023/04/06 19:48:00 UTC

[jira] [Comment Edited] (HBASE-27782) During SSL handshake error, netty complains that exceptionCaught() was not handled

    [ https://issues.apache.org/jira/browse/HBASE-27782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709494#comment-17709494 ] 

Bryan Beaudreault edited comment on HBASE-27782 at 4/6/23 7:47 PM:
-------------------------------------------------------------------

I see the only place we provide handling of "exceptionCaught" in our netty setup is in NettyRpcDuplexHandler. Looks like we add that handler after the connection has been established. Do you think we need to add a handler that exists prior to connection establishment? This error here is being thrown early in the handshake.

(I am not very well versed in netty, so let me know if this doesn't make sense)


was (Author: bbeaudreault):
I see the only place we call exceptionCaught in our netty setup is in NettyRpcDuplexHandler. Looks like we add that handler after the connection has been established. Do you think we need to add a handler that exists prior to connection establishment? This error here is being thrown early in the handshake.

(I am not very well versed in netty, so let me know if this doesn't make sense)

> During SSL handshake error, netty complains that exceptionCaught() was not handled
> ----------------------------------------------------------------------------------
>
>                 Key: HBASE-27782
>                 URL: https://issues.apache.org/jira/browse/HBASE-27782
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Bryan Beaudreault
>            Priority: Major
>              Labels: TLS
>
> I was chaos testing the new native TLS, forcing a certificate to expire and fail handshake. The handshake failure properly causes submitted requests to fail, but I see the following "unhandled exception" like message:
> {code:java}
> WARN  o.a.h.t.i.n.c.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
> org.apache.hbase.thirdparty.io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
>         at org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
>         at org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
>         at org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
>         at org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>         at org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
>         at org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>         at org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
>         at org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>         at org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>         at org.apache.hbase.thirdparty.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
>         at org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
>         at org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
>         at org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
>         at org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
>         at org.apache.hbase.thirdparty.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
>         at org.apache.hbase.thirdparty.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>         at org.apache.hbase.thirdparty.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>         at java.base/java.lang.Thread.run(Thread.java:833)
> Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
>         at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>         at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>         at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
>         at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>         at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
>         at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
>         at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736)
>         at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691)
>         at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
>         at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
>         at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
>         at org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:296)
>         at org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1343)
>         at org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
>         at org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
>         at org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
>         at org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
>         ... 17 common frames omitted{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)