Posted to issues@kudu.apache.org by "Alexey Serbin (JIRA)" <ji...@apache.org> on 2017/05/05 16:35:04 UTC

[jira] [Comment Edited] (KUDU-1981) With security enabled, Kudu servers cannot start at machines with len(FQDN) > 64

    [ https://issues.apache.org/jira/browse/KUDU-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15998533#comment-15998533 ] 

Alexey Serbin edited comment on KUDU-1981 at 5/5/17 4:34 PM:
-------------------------------------------------------------

To work around the issue, use the following additional options for both {{kudu-master}} and {{kudu-tserver}}:

{noformat}
--rpc_authentication=disabled
--rpc_encryption=disabled
{noformat}

The order of flags is important in versions prior to those that include the fix for KUDU-1993.


was (Author: aserbin):
To work around the issue, use the following additional options for both {{kudu-master}} and {{kudu-tserver}}:

{noformat}
--rpc_authentication=disabled
--rpc_encryption=disabled
{noformat}

The order is important in versions prior to those that include the fix for KUDU-1993.

> With security enabled, Kudu servers cannot start at machines with len(FQDN) > 64
> --------------------------------------------------------------------------------
>
>                 Key: KUDU-1981
>                 URL: https://issues.apache.org/jira/browse/KUDU-1981
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, tserver
>    Affects Versions: 1.3.1
>         Environment: That was noticed on a machine in GCE with an FQDN of 72 characters in length: ifi-ss-poc-cm-cdh-8d5b8302-039c-4298-8283-330a04bbe140.c.gcp-se.internal
>            Reporter: Alexey Serbin
>            Assignee: Alexey Serbin
>             Fix For: 1.3.1, 1.4.0
>
>
> Due to the hard-coded restrictions in the OpenSSL library, Kudu server components cannot start on machines with an FQDN longer than 64 characters when security is enabled:
> {noformat}
> F0425 02:05:47.341861 14167 master_main.cc:68] Check failed: _s.ok() Bad status: Runtime error: could not generate CSR: error setting subject "common name": error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers:ssl_lib.c:1803 error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
> *** Check failure stack trace: ***
> {noformat}
> It seems OpenSSL enforces the restrictions described on page 123 of RFC 5280 https://www.rfc-editor.org/rfc/rfc5280.txt:
> {noformat}
> --  specifications of Upper Bounds MUST be regarded as mandatory
> --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
> --  Upper Bounds
> -- Upper Bounds
> ub-name INTEGER ::= 32768
> ub-common-name INTEGER ::= 64
> ub-locality-name INTEGER ::= 128
> ub-state-name INTEGER ::= 128
> ub-organization-name INTEGER ::= 64
> ub-organizational-unit-name INTEGER ::= 64
> ub-title INTEGER ::= 64
> ub-serial-number INTEGER ::= 64
> ub-match INTEGER ::= 128
> ub-emailaddress-length INTEGER ::= 255
> ub-common-name-length INTEGER ::= 64
> ub-country-name-alpha-length INTEGER ::= 2
> ub-country-name-numeric-length INTEGER ::= 3
> ub-domain-defined-attributes INTEGER ::= 4
> ub-domain-defined-attribute-type-length INTEGER ::= 8
> ub-domain-defined-attribute-value-length INTEGER ::= 128
> ub-domain-name-length INTEGER ::= 16
> ub-extension-attributes INTEGER ::= 256
> ub-e163-4-number-length INTEGER ::= 15
> ub-e163-4-sub-address-length INTEGER ::= 40
> ub-generation-qualifier-length INTEGER ::= 3
> ub-given-name-length INTEGER ::= 16
> ub-initials-length INTEGER ::= 5
> ub-integer-options INTEGER ::= 256
> ub-numeric-user-id-length INTEGER ::= 32
> ub-organization-name-length INTEGER ::= 64
> ub-organizational-unit-name-length INTEGER ::= 32
> ub-organizational-units INTEGER ::= 4
> ub-pds-name-length INTEGER ::= 16
> ub-pds-parameter-length INTEGER ::= 30
> ub-pds-physical-address-lines INTEGER ::= 6
> ub-postal-code-length INTEGER ::= 16
> ub-pseudonym INTEGER ::= 128
> ub-surname-length INTEGER ::= 40
> ub-terminal-id-length INTEGER ::= 24
> ub-unformatted-address-length INTEGER ::= 180
> ub-x121-address-length INTEGER ::= 16
> {noformat}
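
A pre-flight audit for the condition and workaround described above, as an added example that is not part of the original message or of Kudu: it measures a host's FQDN against the `ub-common-name` bound of 64 and reports nodes whose flags switch RPC authentication or encryption off. The function names, the verdict strings and the sample flag text are assumptions made for illustration; the flag text is assumed to be gflags-style, one `--name=value` per line, and the build is assumed to lack the fix.

```python
import socket

UB_COMMON_NAME = 64  # ub-common-name, from the RFC 5280 excerpt quoted in the issue
WORKAROUND_FLAGS = ("rpc_authentication", "rpc_encryption")  # flags named in the comment

# Constructed sample: the two workaround flags as they would appear in a flag file.
SAMPLE_FLAGS = """\
# constructed example flag file
--rpc_authentication=disabled
--rpc_encryption=disabled
"""


def cn_overflow(fqdn):
    """Number of characters by which the FQDN exceeds the CN bound (0 if it fits)."""
    name = fqdn.rstrip(".")  # a trailing root dot is not part of the CN
    return max(0, len(name) - UB_COMMON_NAME)


def disabled_security_flags(flag_text):
    """Workaround flags set to 'disabled'. Every occurrence counts, because the
    issue notes that flag-order handling differs between versions."""
    found = []
    for raw in flag_text.splitlines():
        line = raw.strip()
        if not line.startswith("-") or "=" not in line:
            continue  # blank line, comment, or not a name=value flag
        name, value = line.lstrip("-").split("=", 1)
        if name in WORKAROUND_FLAGS and value.strip().lower() == "disabled":
            if name not in found:
                found.append(name)
    return found


def audit_node(fqdn, flag_text):
    """Hypothetical verdicts for a build without the fix:
    'security-disabled': starts, but RPC auth and/or encryption is off
    'csr-fails':         security on and CN too long, CSR generation fails
    'ok':                security on and the FQDN fits in a CN"""
    if disabled_security_flags(flag_text):
        return "security-disabled"
    return "csr-fails" if cn_overflow(fqdn) else "ok"


if __name__ == "__main__":
    host = socket.getfqdn()
    print(host, len(host), audit_node(host, SAMPLE_FLAGS))
```

Nodes reported as `security-disabled` are the ones to revisit once a release carrying the fix is deployed, since the workaround leaves RPC traffic unauthenticated and unencrypted.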


