[ https://issues.apache.org/jira/browse/CASSANDRA-18624?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745891#comment-17745891 ]
Stefan Miklosovic commented on CASSANDRA-18624:
-----------------------------------------------
I gave it a Circle build and it fails a lot of tests. I don't know what is going
on and how to fix it yet; briefly looking into the logs, I see errors like:
{code}
Caused by: java.lang.IllegalStateException: Can't load com.amazon.corretto.crypto.provider.EcUtils$ECInfo. Instance class loader is already closed.
    at org.apache.cassandra.distributed.shared.InstanceClassLoader.loadClassInternal(InstanceClassLoader.java:118)
    at org.apache.cassandra.distributed.shared.InstanceClassLoader.loadClass(InstanceClassLoader.java:112)
    at com.amazon.corretto.crypto.provider.EcGen.<clinit>(EcGen.java:24)
    ... 46 common frames omitted
WARN [nioEventLoopGroup-5-2] node1 2023-07-22 10:27:21,898 ExceptionHandlers.java:139 - Unknown exception in client networking
java.lang.ExceptionInInitializerError: null
    at sun.misc.Unsafe.allocateInstance(Native Method)
    at java.lang.invoke.DirectMethodHandle.allocateInstance(DirectMethodHandle.java:439)
    at com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider$ACCPService.newInstance(AmazonCorrettoCryptoProvider.java:276)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:227)
    at sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:265)
    at sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:108)
    at sun.security.ssl.ECDHKeyExchange$ECDHEPossessionGenerator.createPossession(ECDHKeyExchange.java:230)
    at sun.security.ssl.SSLKeyExchange$T12KeyAgreement.createPossession(SSLKeyExchange.java:376)
    at sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:89)
    at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:433)
    at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
    at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
    at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1009)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:682)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
    at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1557)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1571)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1455)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:750)
{code}
or
{code}
java.util.concurrent.ExecutionException: java.lang.NoClassDefFoundError: Could not initialize class com.amazon.corretto.crypto.provider.EcGen
    at io.netty.util.concurrent.DefaultPromise.get(DefaultPromise.java:350)
    at org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl$TlsConnection.lambda$connect$1(AbstractEncryptionOptionsImpl.java:217)
    at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
    at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:552)
    at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:491)
    at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616)
    at io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:609)
    at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1863)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1832)
    at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:2055)
    at io.netty.handler.ssl.SslHandler.startHandshakeProcessing(SslHandler.java:1973)
    at io.netty.handler.ssl.SslHandler.channelActive(SslHandler.java:2108)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
    at io.netty.channel.ChannelInboundHandlerAdapter.channelActive(ChannelInboundHandlerAdapter.java:69)
    at org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl$TlsConnection$1.channelActive(AbstractEncryptionOptionsImpl.java:251)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895)
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305)
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.amazon.corretto.crypto.provider.EcGen
    at sun.misc.Unsafe.allocateInstance(Native Method)
    at java.lang.invoke.DirectMethodHandle.allocateInstance(DirectMethodHandle.java:439)
    at com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider$ACCPService.newInstance(AmazonCorrettoCryptoProvider.java:276)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:227)
    at sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:265)
    at sun.security.ssl.ECDHKeyExchange$ECDHEPossession.<init>(ECDHKeyExchange.java:108)
    at sun.security.ssl.SSLKeyExchange$T13KeyAgreement.createPossession(SSLKeyExchange.java:612)
    at sun.security.ssl.SSLKeyExchange.createPossessions(SSLKeyExchange.java:89)
    at sun.security.ssl.KeyShareExtension$CHKeyShareProducer.produce(KeyShareExtension.java:263)
    at sun.security.ssl.SSLExtension.produce(SSLExtension.java:562)
    at sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
    at sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:561)
    at sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:510)
    at sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:112)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:238)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:2052)
    ... 24 common frames omitted
{code}
Also, I think that the Corretto crypto provider is not fully functional; I see
exceptions like
{code}
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at io.netty.util.concurrent.DefaultPromise.get(DefaultPromise.java:350)
    at org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl$TlsConnection.lambda$connect$1(AbstractEncryptionOptionsImpl.java:217)
    at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
    at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:552)
    at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:491)
    at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616)
    at io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:609)
    at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1863)
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1832)
    at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:2055)
    at io.netty.handler.ssl.SslHandler.startHandshakeProcessing(SslHandler.java:1973)
    at io.netty.handler.ssl.SslHandler.channelActive(SslHandler.java:2108)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
    at io.netty.channel.ChannelInboundHandlerAdapter.channelActive(ChannelInboundHandlerAdapter.java:69)
    at org.apache.cassandra.distributed.test.AbstractEncryptionOptionsImpl$TlsConnection$1.channelActive(AbstractEncryptionOptionsImpl.java:251)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
    at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895)
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305)
    at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
    at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:227)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:2052)
    ... 24 common frames omitted
{code}
I am not sure where to go from here. I could try to fix the failing tests
(first two exceptions) but when it comes to missing protocols, there is not a
lot I can do I guess.
I had this question in my mind for a long time - can we truly use this provider
as a drop-in replacement for what the JRE supports? If one looks into what
algorithms are supported (2), I think this is basically a subset of what Java
offers. What if somebody uses ciphers which are not supported and we make this
the default? Not good ...
[~jwest] [~jolynch] thoughts?
(1) [https://app.circleci.com/pipelines/github/instaclustr/cassandra/2766/workflows/055739cb-c49e-4655-b6cd-26b84651c04a]
(2) [https://github.com/corretto/amazon-corretto-crypto-provider#supported-algorithms]
> Make Corretto Crypto Provider the Default
> -----------------------------------------
>
> Key: CASSANDRA-18624
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18624
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Jordan West
> Assignee: Ayushi Singh
> Priority: Normal
> Attachments: image.png
>
> Time Spent: 13h 20m
> Remaining Estimate: 0h
>
> [Amazon Corretto Crypto Provider|https://github.com/corretto/amazon-corretto-crypto-provider]
> is an alternative provider of TLS and cryptographic functions that has
> significant performance benefits for Cassandra. It is Apache 2.0 licensed and
> has been deployed in several existing large fleets.
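The drop-in question raised in the comment above can be checked mechanically before changing a default provider. The following is an added example, not code from the comment, Cassandra, or ACCP: the class name `ProviderCoverageCheck` and the `REQUIRED` list are constructed for illustration, and the provider under evaluation is passed by name as the first argument.

```java
import java.security.Provider;
import java.security.Security;

public class ProviderCoverageCheck {
    // Constructed sample list: JCA service type and algorithm pairs a deployment relies on.
    static final String[][] REQUIRED = {
        {"KeyPairGenerator", "EC"},
        {"KeyAgreement", "ECDH"},
        {"KeyFactory", "RSA"},
        {"Signature", "SHA256withRSA"},
        {"MessageDigest", "SHA-256"},
        {"Mac", "HmacSHA256"},
        {"SecureRandom", "SHA1PRNG"},
    };

    // Walks installed providers in preference order, as getInstance(algorithm) does,
    // and returns the name of the first one that registers the service, or null.
    static String firstProviderFor(String type, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Provider under evaluation; defaults to whichever provider currently has top priority.
        String preferred = args.length > 0 ? args[0] : Security.getProviders()[0].getName();
        Provider candidate = Security.getProvider(preferred);
        if (candidate == null) {
            System.err.println("Provider not installed: " + preferred);
            System.exit(2);
        }
        int unserved = 0;
        for (String[] req : REQUIRED) {
            boolean byCandidate = candidate.getService(req[0], req[1]) != null;
            String servedBy = firstProviderFor(req[0], req[1]);
            if (servedBy == null) unserved++;
            System.out.printf("%-17s %-14s in %s: %-5s resolved by: %s%n",
                    req[0], req[1], preferred, byCandidate, servedBy);
        }
        // Non-zero exit when an algorithm has no provider at all, so CI can gate on it.
        System.exit(unserved == 0 ? 0 : 1);
    }
}
```

An algorithm reported as absent from the evaluated provider but resolved by another one stays usable only while that other provider remains installed at a lower priority.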