[
https://issues.apache.org/jira/browse/CASSANDRA-19508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17833720#comment-17833720
]
Mohammad Aburadeh commented on CASSANDRA-19508:
-----------------------------------------------
Hi [~jonmeredith] ,
We have been enabling DEBUG logging for several years, it's helpful for us to
investigate in case of any issue.
After, we upgraded to Cassandra 4., we started seeing tons of strange messages
and this is causing two problems:
1- log files are getting full very fast, we usually keep the last 10 log files
( for around 1 week) but now, the log files are rotated many times per day.
This is because our connection to Cassandra are for a short time ( less than 2
seconds).
2- Performance impact due to printing many many messages to the log file.
If you think that it might be needed for migrations, then I would suggest
printing these msgs in TRACE, not DEBUG.
Please let me know what you think.
> Getting tons of msgs "Failed to get peer certificates for peer
> /x.x.x.x:45796" when require_client_auth is set to false
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-19508
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19508
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Encryption
> Reporter: Mohammad Aburadeh
> Assignee: Mohammad Aburadeh
> Priority: Urgent
> Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> We recently upgraded our production clusters from 3.11.15 to 4.1.4. We
> started seeing thousands of msgs "Failed to get peer certificates for peer
> /x.x.x.x:45796". SSL is enabled but require_client_auth is disabled. This is
> causing a huge problem for us because cassandra log files are growing very
> fast as our connections are short live connections, we open more than 1K
> connections per second and they stay live for 1-2 seconds.
> {code:java}
> DEBUG [Native-Transport-Requests-2] 2024-03-31 21:26:38,026
> ServerConnection.java:140 - Failed to get peer certificates for peer
> /172.31.2.23:45796
> javax.net.ssl.SSLPeerUnverifiedException: peer not verified
> at
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine$DefaultOpenSslSession.getPeerCertificateChain(ReferenceCountedOpenSslEngine.java:2414)
> at
> io.netty.handler.ssl.ExtendedOpenSslSession.getPeerCertificateChain(ExtendedOpenSslSession.java:140)
> at
> org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:136)
> at
> org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:120)
> at
> org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:76)
> at
> org.apache.cassandra.transport.Message$Request.execute(Message.java:255)
> at
> org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:166)
> at
> org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:185)
> at
> org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:212)
> at
> org.apache.cassandra.transport.Dispatcher$RequestProcessor.run(Dispatcher.java:109)
> at
> org.apache.cassandra.concurrent.FutureTask$1.call(FutureTask.java:96)
> at org.apache.cassandra.concurrent.FutureTask.call(FutureTask.java:61)
> at org.apache.cassandra.concurrent.FutureTask.run(FutureTask.java:71)
> at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:142)
> at
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> {code}
> *Our SSL config:*
> {code:java}
> client_encryption_options:
> enabled: true
> keystore: /path/to/keystore
> keystore_password: xxxxx
> optional: false
> require_client_auth: false {code}
>
> We should stop throwing this msg when require_client_auth is set to false. Or
> at least it should be logged in TRACE not DEBUG.
> I'm working on preparing a PR.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
