Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:47:03 UTC

[jira] [Closed] (GEODE-10066) SSL handshake failures on 1 locator prevents connection pool from trying other locators

     [ https://issues.apache.org/jira/browse/GEODE-10066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Nichols closed GEODE-10066.
--------------------------------

> SSL handshake failures on 1 locator prevents connection pool from trying other locators
> ---------------------------------------------------------------------------------------
>
>                 Key: GEODE-10066
>                 URL: https://issues.apache.org/jira/browse/GEODE-10066
>             Project: Geode
>          Issue Type: Bug
>          Components: client/server
>    Affects Versions: 1.12.9, 1.13.8, 1.14.4, 1.15.0
>            Reporter: Jacob Barrett
>            Assignee: Jacob Barrett
>            Priority: Major
>              Labels: pull-request-available, ssl
>             Fix For: 1.15.0
>
>
> If an {{SSLException}} is thrown when handshaking with a locator, the exception is wrapped in an {{IllegalStateException}} that is not caught by the connection pool, the stack is blown, and no connections can be established. If not wrapped, the connection pool will properly try the next locator.
> The {{SSLExceptions}} are wrapped in at least {{TcpClient.getServerVersion()}} but other locations may exist in this path. This method throws {{IOException}} and the {{SSLExceptions}} extend {{IOExceptions}} so they should not be wrapped. It probably makes sense to split the concern of socket connection from determining the server version in {{TcpClient.getServerVersion()}}.
> {noformat}
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.2.8.12 found
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> 	at org.apache.geode.internal.net.SocketCreator.configureClientSSLSocket(SocketCreator.java:594)
> 	at org.apache.geode.internal.net.SCAdvancedSocketCreator.connect(SCAdvancedSocketCreator.java:83)
> 	at org.apache.geode.distributed.internal.tcpserver.ClusterSocketCreatorImpl.connect(ClusterSocketCreatorImpl.java:96)
> 	at org.apache.geode.distributed.internal.tcpserver.TcpClient.getServerVersion(TcpClient.java:246)
> 	at org.apache.geode.distributed.internal.tcpserver.TcpClient.requestToServer(TcpClient.java:151)
> 	at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryOneLocatorUsingConnection(AutoConnectionSourceImpl.java:227)
> 	at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryOneLocator(AutoConnectionSourceImpl.java:217)
> 	at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryLocators(AutoConnectionSourceImpl.java:264)
> 	at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.findServer(AutoConnectionSourceImpl.java:176)
> 	at org.apache.geode.cache.client.internal.ConnectionFactoryImpl.createClientToServerConnection(ConnectionFactoryImpl.java:211)
> 	at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.createPooledConnection(ConnectionManagerImpl.java:196)
> 	at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.createPooledConnection(ConnectionManagerImpl.java:190)
> 	at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.borrowConnection(ConnectionManagerImpl.java:282)
> 	at org.apache.geode.cache.client.internal.PoolImpl.acquireConnection(PoolImpl.java:940)
> 	at org.apache.geode.cache.wan.internal.GatewaySenderEventRemoteDispatcher.initializeConnection(GatewaySenderEventRemoteDispatcher.java:464)
> 	at org.apache.geode.cache.wan.internal.GatewaySenderEventRemoteDispatcher.<init>(GatewaySenderEventRemoteDispatcher.java:105)
> 	at org.apache.geode.cache.wan.internal.parallel.RemoteParallelGatewaySenderEventProcessor.initializeEventDispatcher(RemoteParallelGatewaySenderEventProcessor.java:66)
> 	at org.apache.geode.internal.cache.wan.AbstractGatewaySenderEventProcessor.setRunningStatus(AbstractGatewaySenderEventProcessor.java:1107)
> 	at org.apache.geode.internal.cache.wan.AbstractGatewaySenderEventProcessor.run(AbstractGatewaySenderEventProcessor.java:1081)
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.2.8.12 found
> 	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
> 	at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
> 	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
> 	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:209)
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
> 	at org.apache.geode.internal.net.filewatch.FileWatchingX509ExtendedTrustManager.checkServerTrusted(FileWatchingX509ExtendedTrustManager.java:130)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> 	... 26 more
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
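
The failure mode described in the issue, as an added example that is not Geode's code and not part of the original report: a retry loop that treats `IOException` as "try the next locator" is bypassed when the handshake error is rethrown as an unchecked exception. The class, method and locator names and the exception message are hypothetical; only the exception types come from the report.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

public class LocatorFailoverDemo {
  /** Hypothetical stand-in for a locator query; not Geode's API. */
  interface LocatorQuery {
    String query(String locator) throws IOException;
  }

  // Constructed behaviour: locator-1 presents a certificate that fails hostname validation.
  static String handshakeAndQuery(String locator) throws IOException {
    if (locator.equals("locator-1")) {
      throw new SSLHandshakeException("No subject alternative names matching " + locator);
    }
    return "server list from " + locator;
  }

  // 'Before' behaviour: the checked SSLException is hidden inside an unchecked exception.
  static String wrapping(String locator) throws IOException {
    try {
      return handshakeAndQuery(locator);
    } catch (SSLException e) {
      throw new IllegalStateException("Unable to form SSL connection", e);
    }
  }

  // Pool-style loop: an IOException (which SSLException extends) means "try the next locator".
  static String queryLocators(List<String> locators, LocatorQuery q) {
    for (String locator : locators) {
      try {
        return q.query(locator);
      } catch (IOException e) {
        System.out.println("skipping " + locator + ": " + e.getMessage());
      }
    }
    return null; // every locator failed
  }

  public static void main(String[] args) {
    List<String> locators = Arrays.asList("locator-1", "locator-2");
    // Unwrapped: certificate validation still rejects locator-1, and locator-2 answers.
    System.out.println(queryLocators(locators, LocatorFailoverDemo::handshakeAndQuery));
    try {
      queryLocators(locators, LocatorFailoverDemo::wrapping);
    } catch (IllegalStateException e) {
      System.out.println("failover aborted, locator-2 never tried: " + e.getCause());
    }
  }
}
```

In both runs the certificate check rejects `locator-1`; the difference is only whether the loop gets to move on, so failover is restored without relaxing hostname verification.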