[
https://issues.apache.org/jira/browse/IGNITE-14789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mikhail Petrov updated IGNITE-14789:
------------------------------------
Description:
Thin client startup hangs if an error occurs during the SSL handshake.
The main reason:
An exception can be thrown during the initial part of the handshake from
javax.net.ssl.SSLEngine#beginHandshake, which is called from the GridNioSslHandler
constructor.
In this case the SSL handler is not added to the SSL meta.
Then, during GridNioSslFilter#onSessionClose, the GridNioSslFilter#sslHandler
method
throws an IgniteException that remains unhandled.
As a result, AbstractNioClientWorker terminates abruptly and the user thread hangs
with the following thread dump:
{code:java}
"test-runner-#1%ignite.InvalidSslProtocolTest%" #12 prio=5 os_prio=0
tid=0x00007f4be0a0c800 nid=0xc5b3 waiting on condition [0x00007f4b779eb000]
java.lang.Thread.State: WAITING (parking)
at sun.misc.Unsafe.park(Native Method)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:304)
at
org.apache.ignite.internal.util.future.GridFutureAdapter.get0(GridFutureAdapter.java:178)
at
org.apache.ignite.internal.util.future.GridFutureAdapter.get(GridFutureAdapter.java:141)
at
org.apache.ignite.internal.client.thin.io.gridnioserver.GridNioClientConnectionMultiplexer.open(GridNioClientConnectionMultiplexer.java:136)
at
org.apache.ignite.internal.client.thin.TcpClientChannel.<init>(TcpClientChannel.java:166)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient$$Lambda$582/1885200808.apply(Unknown
Source)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:877)
- locked <0x000000076e493918> (a
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:858)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.access$400(ReliableChannel.java:807)
at
org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:739)
at
org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:712)
at
org.apache.ignite.internal.client.thin.ReliableChannel.channelsInit(ReliableChannel.java:683)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:124)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:101)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.start(TcpIgniteClient.java:327)
at org.apache.ignite.Ignition.startClient(Ignition.java:612)
at
org.apache.ignite.InvalidSslProtocolTest.test(InvalidSslProtocolTest.java:33)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at
org.apache.ignite.testframework.junits.GridAbstractTest$7.run(GridAbstractTest.java:2432)
at java.lang.Thread.run(Thread.java:748)
{code}
Reproducer:
{code:java}
/**
 * Reproducer for IGNITE-14789: the server node and the thin client are given SSL context
 * factories with different protocol versions (TLSv1.2 vs. TLSv1.1) and the same cipher suite.
 * According to the issue, the resulting handshake error leaves the client startup hanging
 * instead of failing.
 */
public class InvalidSslProtocolTest extends GridCommonAbstractTest {
    /** {@inheritDoc} */
    @Override protected IgniteConfiguration getConfiguration(String igniteInstanceName) throws Exception {
        IgniteConfiguration nodeCfg = super.getConfiguration(igniteInstanceName);

        // Server side of the client connector: TLSv1.2 with a single GCM cipher suite.
        SslContextFactory srvSslFactory = sslContextFactory(
            "thinServer",
            "trusttwo",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLSv1.2");

        // SSL is enabled with client authentication turned on; the Ignite-wide SSL context
        // factory is switched off so that the connector uses the factory built above.
        ClientConnectorConfiguration connectorCfg = new ClientConnectorConfiguration()
            .setSslEnabled(true)
            .setSslClientAuth(true)
            .setUseIgniteSslContextFactory(false)
            .setSslContextFactory(srvSslFactory);

        nodeCfg.setClientConnectorConfiguration(connectorCfg);

        return nodeCfg;
    }

    /**
     * Starts a server node and then a thin client whose SSL settings do not match the server's.
     * The issue reports that {@code Ignition.startClient} never returns in this setup.
     *
     * @throws Exception If node or client startup fails.
     */
    @Test
    public void test() throws Exception {
        startGrid();

        // Client side: same cipher suite, but the protocol is TLSv1.1 while the server uses TLSv1.2.
        SslContextFactory clientSslFactory = sslContextFactory(
            "thinClient",
            "trusttwo",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLSv1.1");

        ClientConfiguration clientCfg = new ClientConfiguration()
            .setAddresses("127.0.0.1:10800")
            .setSslMode(SslMode.REQUIRED)
            .setSslContextFactory(clientSslFactory);

        Ignition.startClient(clientCfg);
    }

    /**
     * Builds an SSL context factory from the given stores and narrows it to one cipher suite
     * and one protocol.
     *
     * @param keyStore Key store name passed to {@code sslTrustedFactory}.
     * @param trustStore Trust store name passed to {@code sslTrustedFactory}.
     * @param cipherSuite Cipher suite to set on the factory.
     * @param protocol Protocol to set on the factory.
     * @return Configured factory.
     */
    private SslContextFactory sslContextFactory(
        String keyStore,
        String trustStore,
        String cipherSuite,
        String protocol
    ) {
        // sslTrustedFactory is not defined in this listing; presumably inherited from the test framework.
        SslContextFactory factory = (SslContextFactory)sslTrustedFactory(keyStore, trustStore);

        factory.setCipherSuites(cipherSuite);
        factory.setProtocols(protocol);

        return factory;
    }
}
{code}
The mentioned issue also affects GridClient.
was:
Thin client startup hangs if SSL cipher suite version does not match the SSL
protocol version.
The main reason -
Exception that throws during thin client connection process (see
IgniteException in
org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter#sslHandler) remains
unhandled
That leads to AbstractNioClientWorker terminates abruptly and user thread hangs
with the following thread dump
{code:java}
"test-runner-#1%ignite.InvalidSslProtocolTest%" #12 prio=5 os_prio=0
tid=0x00007f4be0a0c800 nid=0xc5b3 waiting on condition [0x00007f4b779eb000]
java.lang.Thread.State: WAITING (parking)
at sun.misc.Unsafe.park(Native Method)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:304)
at
org.apache.ignite.internal.util.future.GridFutureAdapter.get0(GridFutureAdapter.java:178)
at
org.apache.ignite.internal.util.future.GridFutureAdapter.get(GridFutureAdapter.java:141)
at
org.apache.ignite.internal.client.thin.io.gridnioserver.GridNioClientConnectionMultiplexer.open(GridNioClientConnectionMultiplexer.java:136)
at
org.apache.ignite.internal.client.thin.TcpClientChannel.<init>(TcpClientChannel.java:166)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient$$Lambda$582/1885200808.apply(Unknown
Source)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:877)
- locked <0x000000076e493918> (a
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:858)
at
org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.access$400(ReliableChannel.java:807)
at
org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:739)
at
org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:712)
at
org.apache.ignite.internal.client.thin.ReliableChannel.channelsInit(ReliableChannel.java:683)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:124)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:101)
at
org.apache.ignite.internal.client.thin.TcpIgniteClient.start(TcpIgniteClient.java:327)
at org.apache.ignite.Ignition.startClient(Ignition.java:612)
at
org.apache.ignite.InvalidSslProtocolTest.test(InvalidSslProtocolTest.java:33)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at
org.apache.ignite.testframework.junits.GridAbstractTest$7.run(GridAbstractTest.java:2432)
at java.lang.Thread.run(Thread.java:748)
{code}
Reproducer (note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is not used by TLS
1.1)
{code:java}
public class InvalidSslProtocolTest extends GridCommonAbstractTest {
/** {@inheritDoc} */
@Override protected IgniteConfiguration getConfiguration(String
igniteInstanceName) throws Exception {
IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
cfg.setClientConnectorConfiguration(new ClientConnectorConfiguration()
.setSslEnabled(true)
.setSslClientAuth(true)
.setUseIgniteSslContextFactory(false)
.setSslContextFactory(sslContextFactory("thinServer", "trusttwo",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2")));
return cfg;
}
/** */
@Test
public void test() throws Exception {
startGrid();
Ignition.startClient(new ClientConfiguration()
.setAddresses("127.0.0.1:10800")
.setSslMode(SslMode.REQUIRED)
.setSslContextFactory(sslContextFactory("thinClient", "trusttwo",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.1")));
}
/** */
private SslContextFactory sslContextFactory(String keyStore, String
trustStore, String cipherSuite, String protocol) {
SslContextFactory res = (SslContextFactory)sslTrustedFactory(keyStore,
trustStore);
res.setCipherSuites(cipherSuite);
res.setProtocol(protocol);
return res;
}
}
{code}
Summary: Thin client startup hangs if an error occur during SSL
handshake (was: Thin client startup hangs if SSL cipher suite version does not
match the SSL protocol version.)
> Thin client startup hangs if an error occur during SSL handshake
> ----------------------------------------------------------------
>
> Key: IGNITE-14789
> URL: https://issues.apache.org/jira/browse/IGNITE-14789
> Project: Ignite
> Issue Type: Bug
> Reporter: Mikhail Petrov
> Priority: Major
>
> Thin client startup hangs if an error occur during SSL handshake.
> The main reason -
> Exception can be thrown during initial part of handshake from
> javax.net.ssl.SSLEngine#beginHandshake that is called from GridNioSslHandler
> constructor.
> In this case SSL handler is not added to SSL meta.
> And during GridNioSslFilter#onSessionClose the GridNioSslFilter#sslHandler
> method will
> throw IgniteException that remains unhandled.
> That leads to AbstractNioClientWorker terminates abruptly and user thread
> hangs with the following thread dump
> {code:java}
> "test-runner-#1%ignite.InvalidSslProtocolTest%" #12 prio=5 os_prio=0
> tid=0x00007f4be0a0c800 nid=0xc5b3 waiting on condition [0x00007f4b779eb000]
> java.lang.Thread.State: WAITING (parking)
> at sun.misc.Unsafe.park(Native Method)
> at java.util.concurrent.locks.LockSupport.park(LockSupport.java:304)
> at
> org.apache.ignite.internal.util.future.GridFutureAdapter.get0(GridFutureAdapter.java:178)
> at
> org.apache.ignite.internal.util.future.GridFutureAdapter.get(GridFutureAdapter.java:141)
> at
> org.apache.ignite.internal.client.thin.io.gridnioserver.GridNioClientConnectionMultiplexer.open(GridNioClientConnectionMultiplexer.java:136)
> at
> org.apache.ignite.internal.client.thin.TcpClientChannel.<init>(TcpClientChannel.java:166)
> at
> org.apache.ignite.internal.client.thin.TcpIgniteClient$$Lambda$582/1885200808.apply(Unknown
> Source)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:877)
> - locked <0x000000076e493918> (a
> org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.getOrCreateChannel(ReliableChannel.java:858)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel$ClientChannelHolder.access$400(ReliableChannel.java:807)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:739)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel.applyOnDefaultChannel(ReliableChannel.java:712)
> at
> org.apache.ignite.internal.client.thin.ReliableChannel.channelsInit(ReliableChannel.java:683)
> at
> org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:124)
> at
> org.apache.ignite.internal.client.thin.TcpIgniteClient.<init>(TcpIgniteClient.java:101)
> at
> org.apache.ignite.internal.client.thin.TcpIgniteClient.start(TcpIgniteClient.java:327)
> at org.apache.ignite.Ignition.startClient(Ignition.java:612)
> at
> org.apache.ignite.InvalidSslProtocolTest.test(InvalidSslProtocolTest.java:33)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
> at
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> at
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
> at
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> at
> org.apache.ignite.testframework.junits.GridAbstractTest$7.run(GridAbstractTest.java:2432)
> at java.lang.Thread.run(Thread.java:748)
> {code}
> Reproducer:
> {code:java}
> public class InvalidSslProtocolTest extends GridCommonAbstractTest {
> /** {@inheritDoc} */
> @Override protected IgniteConfiguration getConfiguration(String
> igniteInstanceName) throws Exception {
> IgniteConfiguration cfg = super.getConfiguration(igniteInstanceName);
> cfg.setClientConnectorConfiguration(new ClientConnectorConfiguration()
> .setSslEnabled(true)
> .setSslClientAuth(true)
> .setUseIgniteSslContextFactory(false)
> .setSslContextFactory(sslContextFactory("thinServer", "trusttwo",
> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2")));
> return cfg;
> }
> /** */
> @Test
> public void test() throws Exception {
> startGrid();
> Ignition.startClient(new ClientConfiguration()
> .setAddresses("127.0.0.1:10800")
> .setSslMode(SslMode.REQUIRED)
> .setSslContextFactory(sslContextFactory("thinClient", "trusttwo",
> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.1")));
> }
> /** */
> private SslContextFactory sslContextFactory(String keyStore, String
> trustStore, String cipherSuite, String protocol) {
> SslContextFactory res =
> (SslContextFactory)sslTrustedFactory(keyStore, trustStore);
> res.setCipherSuites(cipherSuite);
> res.setProtocols(protocol);
> return res;
> }
> }
> {code}
> The mentioned issue also affects GridClient.