Jacob Barrett created GEODE-10066:
-------------------------------------

             Summary: SSL handshake failures on 1 locator prevent connection 
pool from trying other locators
                 Key: GEODE-10066
                 URL: https://issues.apache.org/jira/browse/GEODE-10066
             Project: Geode
          Issue Type: Bug
          Components: client/server
            Reporter: Jacob Barrett


If an {{SSLException}} is thrown when handshaking with a locator, the exception 
is wrapped in an {{IllegalStateException}} that is not caught by the connection 
pool, the stack is blown, and no connections can be established. If not wrapped, 
the connection pool will properly try the next locator.

The {{SSLException}}s are wrapped in at least {{TcpClient.getServerVersion()}}, 
but other locations may exist in this path. This method throws {{IOException}}, 
and {{SSLException}} extends {{IOException}}, so they should not be 
wrapped. It probably makes sense to split the concern of socket connection from 
determining the server version in {{TcpClient.getServerVersion()}}.

{noformat}
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.2.8.12 found
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at org.apache.geode.internal.net.SocketCreator.configureClientSSLSocket(SocketCreator.java:594)
        at org.apache.geode.internal.net.SCAdvancedSocketCreator.connect(SCAdvancedSocketCreator.java:83)
        at org.apache.geode.distributed.internal.tcpserver.ClusterSocketCreatorImpl.connect(ClusterSocketCreatorImpl.java:96)
        at org.apache.geode.distributed.internal.tcpserver.TcpClient.getServerVersion(TcpClient.java:246)
        at org.apache.geode.distributed.internal.tcpserver.TcpClient.requestToServer(TcpClient.java:151)
        at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryOneLocatorUsingConnection(AutoConnectionSourceImpl.java:227)
        at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryOneLocator(AutoConnectionSourceImpl.java:217)
        at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.queryLocators(AutoConnectionSourceImpl.java:264)
        at org.apache.geode.cache.client.internal.AutoConnectionSourceImpl.findServer(AutoConnectionSourceImpl.java:176)
        at org.apache.geode.cache.client.internal.ConnectionFactoryImpl.createClientToServerConnection(ConnectionFactoryImpl.java:211)
        at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.createPooledConnection(ConnectionManagerImpl.java:196)
        at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.createPooledConnection(ConnectionManagerImpl.java:190)
        at org.apache.geode.cache.client.internal.pooling.ConnectionManagerImpl.borrowConnection(ConnectionManagerImpl.java:282)
        at org.apache.geode.cache.client.internal.PoolImpl.acquireConnection(PoolImpl.java:940)
        at org.apache.geode.cache.wan.internal.GatewaySenderEventRemoteDispatcher.initializeConnection(GatewaySenderEventRemoteDispatcher.java:464)
        at org.apache.geode.cache.wan.internal.GatewaySenderEventRemoteDispatcher.<init>(GatewaySenderEventRemoteDispatcher.java:105)
        at org.apache.geode.cache.wan.internal.parallel.RemoteParallelGatewaySenderEventProcessor.initializeEventDispatcher(RemoteParallelGatewaySenderEventProcessor.java:66)
        at org.apache.geode.internal.cache.wan.AbstractGatewaySenderEventProcessor.setRunningStatus(AbstractGatewaySenderEventProcessor.java:1107)
        at org.apache.geode.internal.cache.wan.AbstractGatewaySenderEventProcessor.run(AbstractGatewaySenderEventProcessor.java:1081)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.2.8.12 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:209)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at org.apache.geode.internal.net.filewatch.FileWatchingX509ExtendedTrustManager.checkServerTrusted(FileWatchingX509ExtendedTrustManager.java:130)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 26 more
{noformat}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
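The failure mode described in the issue, as an added stand-alone Java illustration that is not Geode's code and not part of the original report. The names Locator, handshake, getServerVersionWrapped, getServerVersionUnwrapped, queryLocators and VersionQuery are hypothetical stand-ins for the real TcpClient and AutoConnectionSourceImpl paths; the locator list and the version string are constructed. It shows why wrapping an SSLHandshakeException (an IOException subclass) in an unchecked IllegalStateException makes a per-locator catch of IOException miss it, so the loop aborts on the first locator instead of moving on to the next one.

```java
import java.io.IOException;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;

public class LocatorFailoverDemo {

    // Hypothetical locator descriptor (constructed for this example).
    record Locator(String host, boolean handshakeFails) {}

    // Stand-in for the TLS handshake with one locator. A locator whose
    // certificate lacks an IP SAN for the address it is dialled by fails
    // with the same exception type the JDK handshake throws.
    static String handshake(Locator loc) throws IOException {
        if (loc.handshakeFails()) {
            throw new SSLHandshakeException(
                "No subject alternative names matching IP address " + loc.host() + " found");
        }
        return "GEODE_VERSION_STUB";  // constructed version string
    }

    // Buggy shape: the IOException is wrapped in an unchecked exception,
    // so a caller that catches IOException never sees it.
    static String getServerVersionWrapped(Locator loc) {
        try {
            return handshake(loc);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to get server version", e);
        }
    }

    // Fixed shape: SSLHandshakeException already is an IOException, so
    // let it propagate unchanged to the caller's IOException handler.
    static String getServerVersionUnwrapped(Locator loc) throws IOException {
        return handshake(loc);
    }

    interface VersionQuery {
        String query(Locator loc) throws IOException;
    }

    // Mirrors the connection pool's locator loop: try each locator in turn,
    // skip those that fail with IOException, return the first usable one.
    static String queryLocators(List<Locator> locators, VersionQuery q) {
        for (Locator loc : locators) {
            try {
                return loc.host() + " -> " + q.query(loc);
            } catch (IOException e) {
                System.out.println("skipping " + loc.host() + ": " + e.getMessage());
            }
        }
        return null;  // no locator answered
    }

    public static void main(String[] args) {
        List<Locator> locators = List.of(
            new Locator("10.2.8.12", true),          // cert has no IP SAN for this address
            new Locator("locator2.example", false)); // healthy second locator

        // Unwrapped: the first locator is skipped and the second one is used.
        System.out.println("unwrapped: "
            + queryLocators(locators, LocatorFailoverDemo::getServerVersionUnwrapped));

        // Wrapped: the IllegalStateException escapes the loop on the first
        // locator and the second one is never tried.
        try {
            System.out.println("wrapped: "
                + queryLocators(locators, LocatorFailoverDemo::getServerVersionWrapped));
        } catch (IllegalStateException e) {
            System.out.println("wrapped: loop aborted on first locator, cause: " + e.getCause());
        }
    }
}
```

Requires Java 16 or later for the record. Two points worth keeping apart when triaging a trace like the one above: the failover bug is purely about the exception type crossing the getServerVersion boundary, while the root cause of the handshake itself is endpoint identification rejecting a certificate with no IP SAN for 10.2.8.12. The latter is fixed by issuing the locator a certificate whose subjectAltName covers the address (or dialling it by a DNS name it does cover), not by relaxing hostname verification on the client.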
