[jira] [Updated] (IGNITE-16496) SSLException: closing inbound before receiving peer's close_notify (TLS 1.2)

Tue, 08 Feb 2022 02:27:12 -0800 


     [ 
https://issues.apache.org/jira/browse/IGNITE-16496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexey Kukushkin updated IGNITE-16496:
--------------------------------------
    Summary: SSLException: closing inbound before receiving peer's close_notify 
(TLS 1.2)  (was: SSLException: closing inbound before receiving peer's 
close_notify (TLS 1.3))

> SSLException: closing inbound before receiving peer's close_notify (TLS 1.2)
> ----------------------------------------------------------------------------
>
>                 Key: IGNITE-16496
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16496
>             Project: Ignite
>          Issue Type: Bug
>    Affects Versions: 2.12
>            Reporter: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>
> Ignite nodes output the warning below on startup when TLS protocol v1.3 is 
> used:
> {noformat}
> 2022-02-08 11:53:05.705  WARN 19384 --- [1:62095]-#4-#51] 
> o.a.i.spi.discovery.tcp.TcpDiscoverySpi  : Failed to shutdown socket: closing 
> inbound before receiving peer's close_notify
> javax.net.ssl.SSLException: closing inbound before receiving peer's 
> close_notify
>    at 
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745)
>  ~[na:na]
>    at 
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724)
>  ~[na:na]
>    at 
> org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249) 
> ~[ignite-core-2.12.0.jar!/:2.12.0]
>    at 
> org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370)
>  ~[ignite-core-2.12.0.jar!/:2.12.0]
>    at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58) 
> ~[ignite-core-2.12.0.jar!/:2.12.0] {noformat}
> To reproduce the problem just start two server nodes with TLS v1.3 enabled 
> and the warnings will be printed in the log before the cluster is formed.
> h3. h3. Analysis
> The problem _probably_ happens due to  [this 
> code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426]
>  calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}} 
> alert, which TLS 1.3 is expecting. I guess the right approach to close an SSL 
> socket is just calling {{Socke#close}}, which should properly wait/send a 
> {{close_notify}}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to