[GitHub] [pulsar] surendra-k opened a new issue #6821: Pulsar+SSL Java client issue (TLS encryption) via Nginx

[GitBox]

surendra-k opened a new issue #6821:
URL: https://github.com/apache/pulsar/issues/6821


   #### Expected behavior
   Should be able to connect to pulsar+ssl proxy and create producer/consumer 
   
   #### Actual behavior
   Environment: Java8, pulsar-java-client, mac 10.14.6
   Pulsar setup: Pulsar cluster is running behind Nginx Proxy, Java client 
tries to connect pulsar via Nginx using binary protocol 'pulsar+ssl'
   failing with following error
   ```
   Caused by: java.lang.IllegalArgumentException: port out of range:-1
        at java.net.InetSocketAddress.checkPort(InetSocketAddress.java:143)
        at 
java.net.InetSocketAddress.createUnresolved(InetSocketAddress.java:254)
        at 
org.apache.pulsar.client.impl.BinaryProtoLookupService.lambda$null$2(BinaryProtoLookupService.java:109)
   pulsar-client-io-1-1, SEND TLSv1.2 ALERT:  warning, description = 
close_notify
   Padded plaintext before ENCRYPTION:  len = 2
   0000: 01 00                                              ..
   pulsar-client-io-1-1, WRITE: TLSv1.2 Alert, length = 26
   pulsar-client-io-1-1, called closeInbound()
   pulsar-client-io-1-1, fatal error: 80: Inbound closed before receiving 
peer's close_notify: possible truncation attack?
   javax.net.ssl.SSLException: Inbound closed before receiving peer's 
close_notify: possible truncation attack?
   %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
   pulsar-client-io-1-1, SEND TLSv1.2 ALERT:  fatal, description = 
internal_error
   pulsar-client-io-1-1, Exception sending alert: java.io.IOException: writer 
side was already closed.
   ```
   TLS certificate has following info:
   ```
   New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   No ALPN negotiated
   SSL-Session:
       Protocol  : TLSv1.2
       Cipher    : ECDHE-RSA-AES256-GCM-SHA384
   ```
   Is issue with cipher ? Certificate has AES256-GCM and Java client is using 
AES128-GCM, i tried importing unlimited JCE policy jars and switching to Bouncy 
castle, issues still exists
   #### Steps to reproduce
   Java client connecting to proxy with binary protocol 'pulsar+ssl'
   code:
   ```
               client = PulsarClient.builder()
                       .serviceUrl("pulsar+ssl://{nginx_url}:6651")
                       .build();
               
   
               strProducer = client.newProducer(Schema.STRING)
                       .topic(TOPIC_NAME)
                       .create();
   
   ```
   #### System configuration
   **Pulsar version**: 2.5
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org