[ https://issues.apache.org/jira/browse/CASSANDRA-21441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087602#comment-18087602 ]

Dmitry Konstantinov commented on CASSANDRA-21441:
-------------------------------------------------

A root cause analysis using Claude:

What happened: the 22.04 image ships a newer OpenJDK package, and it crossed 
the threshold where OpenJDK flipped a default. Endpoint identification was 
enabled by default for RMI connections over TLS — connections using 
{{javax.rmi.ssl.SslRMIClientSocketFactory}} now have TLS endpoint 
identification enabled by default, which may cause previously-working TLS 
connections to fail. This landed across all the lines (JDK-8341496): 8u481, 
11.0.30, 17.0.18, and 21.0.10. Your trace is exactly that path: nodetool's JMX 
client → {{SslRMIClientSocketFactory}} → {{X509TrustManagerImpl.checkIdentity}} 
→ {{HostnameChecker.matchDNS}} → "No name matching localhost found." Previously 
the RMI SSL socket did no hostname check at all, so a cert with no 
{{localhost}} in its SAN/CN sailed through; now it's verified and rejected. 
[Oracle + 4|https://www.oracle.com/java/technologies/javase/11-0-30-relnotes.html]

So the root cause is your dtest JMX *server* cert (the one presented on 
{{localhost:7100}}, from the node's keystore — not the {{truststore.jks}} 
you're passing, which is just the trust anchor) has no SAN/CN matching 
{{localhost}}. DataStax flagged the IP-address variant of this same 
regression in production tooling earlier this year: after updating to Java 
8u481 / 11.0.30 or newer, nodetool and dsetool fail with "No subject 
alternative names matching IP address 127.0.0.1 found," because TLS endpoint 
identification for RMI connections changed from disabled to enabled by default. 
[IBM|https://www.ibm.com/support/pages/nodetool-returns-certificateexception-no-subject-alternative-names-matching-ip-address-127001-after-upgrading-java-runtime]
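As an added example (my own Python model, not JDK code and not anything from the Cassandra or dtest trees) of the decision the trace above makes: a simplified re-implementation of the DNS and IP matching rules in sun.security.util.HostnameChecker, run over constructed certificate shapes to show why a cert with no SAN fails for both "localhost" and "127.0.0.1" and which SAN entries make it pass. Certificates are described as dicts; parsing real keystores is out of scope, and the wildcard handling is the RFC 6125 core rather than every JDK corner case.

```python
import ipaddress

class EndpointIdentityError(Exception): pass  # stands in for java.security.cert.CertificateException

def _dns_matches(expected, template):
    """RFC 6125 style match: one wildcard, only as the whole leftmost label."""
    expected, template = expected.lower(), template.lower()
    if "*" not in template:
        return expected == template
    first, _, rest = template.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False  # wildcard outside the leftmost label, or a bare "*"
    host, _, domain = expected.partition(".")
    return bool(host) and domain == rest  # "*" covers exactly one label

def check_identity(cert, endpoint):
    """cert = {"cn": str | None, "san": None | [(kind, value), ...]}, kind "dns" or "ip".
    Simplified model of HostnameChecker.match(): IP literals consult only SAN iPAddress entries;
    DNS names consult SAN dNSName entries, falling back to the CN only if no dNSName exists."""
    san = cert.get("san")
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:  # matchIP(): the CN is never consulted for IP endpoints
        if san is None:
            raise EndpointIdentityError("No subject alternative names present")
        if any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in san):
            return True
        raise EndpointIdentityError(f"No subject alternative names matching IP address {endpoint} found")
    dns_names = [v for k, v in san or [] if k == "dns"]  # matchDNS()
    if dns_names:
        if any(_dns_matches(endpoint, n) for n in dns_names):
            return True
        raise EndpointIdentityError(f"No subject alternative DNS name matching {endpoint} found.")
    if cert.get("cn") and _dns_matches(endpoint, cert["cn"]):
        return True
    raise EndpointIdentityError(f"No name matching {endpoint} found")

def failure_reason(cert, endpoint):
    """None when the cert passes endpoint identification, else the JDK-style message."""
    try:
        check_identity(cert, endpoint)
        return None
    except EndpointIdentityError as e:
        return str(e)

# Constructed sample certs (not the dtest keystore): the failing shape, and one that satisfies both checks.
NO_SAN_CERT = {"cn": "cassandra-node", "san": None}
LOCALHOST_CERT = {"cn": "cassandra-node", "san": [("dns", "localhost"), ("ip", "127.0.0.1")]}
```

`failure_reason(NO_SAN_CERT, "localhost")` reproduces the first message in the trace and `failure_reason(NO_SAN_CERT, "127.0.0.1")` the second; a test keystore generated with both a dNSName and an iPAddress SAN entry (keytool's `-ext SAN=dns:localhost,ip:127.0.0.1`) passes either way.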
> TLS/SSL related tests are failing
> ---------------------------------
>
>                 Key: CASSANDRA-21441
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21441
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Test/unit
>            Reporter: Dmitry Konstantinov
>            Priority: Normal
>
> A set of TLS-related tests has started to fail in trunk on ci and pre-ci:
> Tests / dtest-latest jdk17 16/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk21 16/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk11 16/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-latest jdk21 17/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-latest jdk17 17/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-latest jdk11 17/64 / 
> dtest-latest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk11 22/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk21 22/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk17 22/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest-novnode jdk21 23/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk17 23/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest-novnode jdk11 23/64 / 
> dtest-novnode.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk11 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk17 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk21 16/64 / dtest.jmx_test.TestJMXSSL.test_jmx_connection
> Tests / dtest jdk17 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk11 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / dtest jdk21 17/64 / dtest.jmx_test.TestJMXSSL.test_require_client_auth
> Tests / jvm-dtest jdk11 7/16 / 
> org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk11_x86_64
> Tests / jvm-dtest jdk17 7/16 / 
> org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk17_x86_64
> Tests / jvm-dtest jdk21 7/16 / 
> org.apache.cassandra.distributed.test.SSTableLoaderEncryptionOptionsTest.bulkLoaderSuccessfullyStreamsOverSsl-_jdk21_x86_64
> Tests / jvm-dtest jdk17 13/16 / 
> org.apache.cassandra.distributed.test.auth.AuthAuditLoggingTest.testMutualTlsAuthenticationFailedWithUntrustedCertificate-_jdk17_x86_64
> Tests / jvm-dtest jdk21 13/16 / 
> org.apache.cassandra.distributed.test.auth.AuthAuditLoggingTest.testMutualTlsAuthenticationFailedWithUntrustedCertificate-_jdk21_x86_64
> Tests / jvm-dtest jdk11 2/16 / 
> org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk11_x86_64
> Tests / jvm-dtest jdk17 2/16 / 
> org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk17_x86_64
> Tests / jvm-dtest jdk21 2/16 / 
> org.apache.cassandra.distributed.test.jmx.JMXSslConfigDistributedTest.testSystemSettings-_jdk21_x86_64
> Example: https://ci-cassandra.apache.org/job/Cassandra-trunk/2506/testReport/j
> Test errors include:
> {code}
> Caused by: java.security.cert.CertificateException: No name matching 
> localhost found
>       at 
> java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234)
>       at 
> java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:467)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:433)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
>       at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1278)
>       ... 36 more
> {code}
> {code}
> Caused by: java.security.cert.CertificateException: No subject alternative 
> names present
>       at 
> java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
>       at 
> java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:461)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:435)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>       at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
>       at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1350)
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
