[ https://issues.apache.org/jira/browse/FLUME-2460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14129714#comment-14129714 ]
li xiang commented on FLUME-2460:
---------------------------------
The fix could be that in
flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java, add
an if...else statement to make it SunX509 when Sun JDK and IbmX509 when IBM JDK.
But this is not a good idea.
I get the following exception when fixing it with the logic mentioned above:
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.ibm.jsse2.j.a(j.java:4)
at com.ibm.jsse2.nc.a(nc.java:524)
at com.ibm.jsse2.ab.a(ab.java:166)
at com.ibm.jsse2.ab.a(ab.java:534)
at com.ibm.jsse2.bb.a(bb.java:587)
at com.ibm.jsse2.bb.a(bb.java:472)
at com.ibm.jsse2.ab.r(ab.java:489)
at com.ibm.jsse2.ab$1.a(ab$1.java:3)
at com.ibm.jsse2.ab$1.run(ab$1.java:1)
at java.security.AccessController.doPrivileged(AccessController.java:366)
at com.ibm.jsse2.ab$c_.run(ab$c_.java:11)
at org.jboss.netty.handler.ssl.SslHandler$2.run(SslHandler.java:1258)
at org.jboss.netty.handler.ssl.ImmediateExecutor.execute(ImmediateExecutor.java:31)
at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1255)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1140)
... 12 more
Caused by: com.ibm.jsse2.util.j: Certificate expired
at com.ibm.jsse2.util.i.b(i.java:175)
at com.ibm.jsse2.util.g.a(g.java:10)
at com.ibm.jsse2.yc.a(yc.java:141)
at com.ibm.jsse2.yc.a(yc.java:124)
at com.ibm.jsse2.yc.checkServerTrusted(yc.java:43)
at com.ibm.jsse2.bb.a(bb.java:231)
... 22 more
It is because IBM JDK is more strict than SUN JDK: IBM's JSSE implementation
verifies the entire server or client certificate chain, including trusted
certificates. For example, if a trusted certificate has expired, the handshake
fails, even though the expired certificate is trusted. Sun's JSSE verifies the
certificate chain up to the trusted certificate. Verification stops when it
reaches a trusted certificate and the trusted certificate and beyond are not
verified.
Unfortunately, the truststore.jks (in flume-ng-core/src/test/resources,
provided by FLUME-997 I think) has expired, as shown by the output of "keytool list":
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
Alias name: localhost
Creation date: Feb 9, 2013
Entry type: trustedCertEntry
Owner: CN=localhost, OU=Flume, O=Apache Software Foundation, L=Bowie, ST=Maryland, C=US
Issuer: CN=localhost, OU=Flume, O=Apache Software Foundation, L=Bowie, ST=Maryland, C=US
Serial number: a28c9f2d19d171a5
Valid from: 2/9/13 5:06 AM until: 2/9/14 5:06 AM
Certificate fingerprints:
MD5: AC:A8:F8:BC:AA:D3:21:D6:B1:84:4D:76:CB:CC:E1:52
SHA1: 5E:99:BF:16:D9:2F:FE:D7:1B:A0:1D:A1:FB:55:EF:DE:19:65:D6:6B
SHA256: D0:19:31:6E:8B:4E:33:DC:36:52:DB:0E:05:6F:97:C5:04:65:19:42:FE:DE:2B:8D:35:30:4D:A4:0A:A7:E9:BA
Signature algorithm name: SHA1withRSA
Version: 1
> Unit test TestAvroSink failed with IBM JDK 1.7
> ----------------------------------------------
>
> Key: FLUME-2460
> URL: https://issues.apache.org/jira/browse/FLUME-2460
> Project: Flume
> Issue Type: Bug
> Components: Sinks+Sources
> Affects Versions: v1.5.0.1
> Environment: IBM JDK 1.7
> Reporter: li xiang
> Assignee: li xiang
> Priority: Minor
> Fix For: v1.5.0.1, v1.6.0
>
>
> The following 3 Java files hard-code "SunX509" as the trust manager, which is not
> friendly to other JDKs:
> (1) flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
> (2) flume-ng-core/src/test/java/org/apache/flume/sink/TestAvroSink.java
> (3) flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java
> And it results in "SunX509 TrustManagerFactory not available" when using a JDK
> other than Sun's, as:
> java.security.NoSuchAlgorithmException: SunX509 TrustManagerFactory not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:171)
> at javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:6)
> at org.apache.flume.api.NettyAvroRpcClient$SSLCompressionChannelFactory.newChannel(NettyAvroRpcClient.java:727)
> at org.apache.flume.api.NettyAvroRpcClient$SSLCompressionChannelFactory.newChannel(NettyAvroRpcClient.java:663)
> at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:212)
> at org.jboss.netty.bootstrap.ClientBootstrap.connect(ClientBootstrap.java:182)
> at org.apache.avro.ipc.NettyTransceiver.getChannel(NettyTransceiver.java:266)
> at org.apache.avro.ipc.NettyTransceiver.<init>(NettyTransceiver.java:206)
> at org.apache.avro.ipc.NettyTransceiver.<init>(NettyTransceiver.java:155)
> at org.apache.flume.api.NettyAvroRpcClient.connect(NettyAvroRpcClient.java:164)
> at org.apache.flume.api.NettyAvroRpcClient.connect(NettyAvroRpcClient.java:118)
> at org.apache.flume.api.NettyAvroRpcClient.configure(NettyAvroRpcClient.java:624)
> at org.apache.flume.api.RpcClientFactory.getInstance(RpcClientFactory.java:88)
> at org.apache.flume.sink.AvroSink.initializeRpcClient(AvroSink.java:127)
> at org.apache.flume.sink.AbstractRpcSink.createConnection(AbstractRpcSink.java:211)
> at org.apache.flume.sink.AbstractRpcSink.start(AbstractRpcSink.java:292)
> at org.apache.flume.sink.TestAvroSink.testSslProcessWithTrustStore(TestAvroSink.java:417)
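
The message above turns on two things: a hard-coded "SunX509" algorithm name and an expired certificate in the test truststore. The following is an added example, not Flume's code and not the commenter's: it asks the running JRE for its default TrustManagerFactory algorithm instead of naming a vendor's, then reports every trust anchor that is outside its validity window. The class name TrustStoreCheck and its command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class, written for this example only.
public class TrustStoreCheck {
    // Usage: java TrustStoreCheck [truststore.jks password]
    public static void main(String[] args) throws Exception {
        KeyStore ks = null; // null: the factory uses the JVM's default trust store
        if (args.length == 2) {
            ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
        }
        // Vendor-neutral: the name comes from the JRE's own security
        // properties, so no provider-specific string is compiled in.
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(ks);

        int invalid = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                try {
                    ca.checkValidity(); // notBefore/notAfter against the current time
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    invalid++;
                    System.out.println("INVALID " + ca.getSubjectX500Principal().getName()
                            + " notAfter=" + ca.getNotAfter());
                }
            }
        }
        System.out.println(alg + ": " + invalid + " trust anchor(s) outside validity window");
        System.exit(invalid == 0 ? 0 : 1); // non-zero exit lets a build step fail early
    }
}
```

Run against a test truststore before the suite starts, this surfaces an expired anchor on any JDK, including one whose JSSE would not check the anchor itself during the handshake.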