Hi Nadeem,

How many S2S clients are connecting to your NiFi? And how many NiFi nodes does your remote NiFi have?

I've encountered the same error message when I conducted a test using hundreds of S2S clients connecting to a single NiFi node. It happened in a situation like the following:

1. An S2S client connects to the NiFi node
2. The NiFi node accepts the connection, spawns a new thread to process further communication [Site-to-Site Worker Thread-N]
3. But the NiFi node is not able to process incoming connections fast enough, and when the node starts the SSL handshake process, the client has already disconnected.

In my case, setting a longer timeout at the S2S clients helped accept more concurrent connections. But this can also be an indication of the need for more nodes (if the message is logged in a situation similar to mine).

Another possibility is, as the message says, that a malicious user is actually sending an SSL truncation attack.

Thanks,
Koji

On Fri, Mar 1, 2019 at 1:19 AM Mohammed Nadeem <[email protected]> wrote:
>
> Hi,
>
> Can someone please help me resolve the SSLHandshake issue (Site-to-Site) which
> I'm getting in the logs. This ERROR doesn't impact us from accessing the NiFi
> canvas or any calls we make from NiFi components (like SSL Context Service).
> This is something which keeps on throwing every now and then in
> nifi-app.logs
>
> Below is the error we get in the logs
>
> ERROR [Site-to-Site Worker Thread-138]
> o.a.n.r.io.socket.ssl.SSLSocketChannel
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@938965a Failed to
> connect due to {}
> javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while
> performing handshake
>         at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:248)
>         at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
>         at org.apache.nifi.remote.SocketRemoteSiteListener$1$1.run(SocketRemoteSiteListener.java:168)
>         at java.lang.Thread.run(Thread.java:748)
>
> ERROR [Site-to-Site Worker Thread-138]
> o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept
> connection from Socket[unconnected] due to javax.net.ssl.SSLException:
> Inbound closed before receiving peer's close_notify: possible truncation
> attack?
>
> Setup,
> CA Server is running on a separate host (e.g., ca_server_host) which generates
> self-signed certificates
> Each NiFi instance calls the CA to get the keystore, truststore, etc., like the
> necessary certs
>
> Please help me understand the issue, I have gone through many resources
> online but I wasn't able to resolve it,
>
> Thanks,
> Nadeem
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
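
Added example (not part of the original thread and not NiFi code): a small log triage script that counts the two Site-to-Site errors quoted above per minute, so the rate can be compared against known S2S client activity before deciding between client timeouts, node capacity, or hostile traffic. The timestamp prefix of the log lines, the sample log itself, and the names `summarize`, `SAMPLE_LOG` and `burst_threshold` are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The timestamp prefix is an assumed log layout; the
# messages are the two errors quoted in the thread.
SAMPLE_LOG = """\
2019-03-01 01:19:02,101 ERROR [Site-to-Site Worker Thread-138] o.a.n.r.io.socket.ssl.SSLSocketChannel org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@938965a Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while performing handshake
\tat org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:248)
2019-03-01 01:19:02,103 ERROR [Site-to-Site Worker Thread-138] o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept connection from Socket[unconnected] due to javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2019-03-01 01:19:40,500 ERROR [Site-to-Site Worker Thread-139] o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept connection from Socket[unconnected] due to javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2019-03-01 01:25:10,000 INFO [Timer-Driven Process Thread-4] o.a.n.c.s.StandardProcessScheduler Starting processor
2019-03-01 01:25:11,250 ERROR [Site-to-Site Worker Thread-140] o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept connection from Socket[unconnected] due to javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
"""

# Start of a log entry: timestamp (captured to the minute), level, [thread name].
ENTRY_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d,\d{3} \w+ +\[([^\]]+)\]")
SIGNATURES = {
    "handshake_eof": "Reached End-of-File marker while performing handshake",
    "close_notify": "Inbound closed before receiving peer's close_notify",
}


def summarize(log_text, burst_threshold=2):
    """Return (per-minute signature counts, minutes with >= burst_threshold rejected connections)."""
    counts = defaultdict(Counter)
    minute = None  # minute of the S2S worker entry currently being read, if any
    for line in log_text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            # Entries from other threads reset the context so their
            # continuation lines are never attributed to Site-to-Site.
            is_s2s = start.group(2).startswith("Site-to-Site Worker")
            minute = start.group(1) if is_s2s else None
        if minute is None:
            continue
        # The handshake exception is on a continuation line, so every line
        # of the entry is checked, not just its first one.
        for name, needle in SIGNATURES.items():
            if needle in line:
                counts[minute][name] += 1
    bursts = sorted(m for m, c in counts.items() if c["close_notify"] >= burst_threshold)
    return {m: dict(c) for m, c in counts.items()}, bursts


if __name__ == "__main__":
    per_minute, bursts = summarize(SAMPLE_LOG)
    for m in sorted(per_minute):
        print(m, per_minute[m])
    print("burst minutes:", bursts)
```

The count alone does not say why clients disconnected; minutes that line up with many S2S clients starting at once match the overload case described in the reply.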
