[
https://issues.apache.org/jira/browse/IGNITE-16496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexey Kukushkin updated IGNITE-16496:
--------------------------------------
Description:
Ignite nodes output the warning below on startup when TLS protocol v1.2 is used:
{noformat}
2022-02-08 11:53:05.705 WARN 19384 --- [1:62095]-#4-#51] o.a.i.spi.discovery.tcp.TcpDiscoverySpi : Failed to shutdown socket: closing inbound before receiving peer's close_notify
javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify
    at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724) ~[na:na]
    at org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249) ~[ignite-core-2.12.0.jar!/:2.12.0]
    at org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370) ~[ignite-core-2.12.0.jar!/:2.12.0]
    at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58) ~[ignite-core-2.12.0.jar!/:2.12.0]
{noformat}
To reproduce the problem just start two server nodes with TLS v1.3 enabled and
the warnings will be printed in the log before the cluster is formed.
h3. Analysis
The problem _probably_ happens due to [this
code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426]
calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}}
alert, which TLS 1.2 is expecting (see [RFC
8446|https://datatracker.ietf.org/doc/html/rfc8446#section-6]). I guess the
right approach to close an SSL socket is just calling {{Socket#close}}, which
should properly wait/send a {{close_notify}}.
Some references to consider:
[JDK-8215102 Closing connection to Mysql database results in
exception|https://bugs.openjdk.java.net/browse/JDK-8215102]
[Fix for #93590 - ignore javax.net.ssl.SSLException: closing inbound before
receiving peer's close_notify on
java11+|https://github.com/mysql/mysql-connector-j/pull/32]
[JDK-8251553 Socket closure issues in migrating from JDK 8 to JDK
11|https://bugs.openjdk.java.net/browse/JDK-8251553]
was:
Ignite nodes output the warning below on startup when TLS protocol v1.2 is used:
{noformat}
2022-02-08 11:53:05.705 WARN 19384 --- [1:62095]-#4-#51] o.a.i.spi.discovery.tcp.TcpDiscoverySpi : Failed to shutdown socket: closing inbound before receiving peer's close_notify
javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify
    at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724) ~[na:na]
    at org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249) ~[ignite-core-2.12.0.jar!/:2.12.0]
    at org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370) ~[ignite-core-2.12.0.jar!/:2.12.0]
    at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58) ~[ignite-core-2.12.0.jar!/:2.12.0]
{noformat}
To reproduce the problem just start two server nodes with TLS v1.3 enabled and
the warnings will be printed in the log before the cluster is formed.
h3. h3. Analysis
The problem _probably_ happens due to [this
code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426]
calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}}
alert, which TLS 1.2 is expecting (see [RFC
8446|https://datatracker.ietf.org/doc/html/rfc8446#section-6]). I guess the
right approach to close an SSL socket is just calling {{Socket#close}}, which
should properly wait/send a {{close_notify}}.
> SSLException: closing inbound before receiving peer's close_notify
> ------------------------------------------------------------------
>
> Key: IGNITE-16496
> URL: https://issues.apache.org/jira/browse/IGNITE-16496
> Project: Ignite
> Issue Type: Bug
> Affects Versions: 2.12
> Reporter: Alexey Kukushkin
> Priority: Major
> Labels: cggg
>
> Ignite nodes output the warning below on startup when TLS protocol v1.2 is
> used:
> {noformat}
> 2022-02-08 11:53:05.705 WARN 19384 --- [1:62095]-#4-#51]
> o.a.i.spi.discovery.tcp.TcpDiscoverySpi : Failed to shutdown socket: closing
> inbound before receiving peer's close_notify
> javax.net.ssl.SSLException: closing inbound before receiving peer's
> close_notify
> at
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745)
> ~[na:na]
> at
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724)
> ~[na:na]
> at
> org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249)
> ~[ignite-core-2.12.0.jar!/:2.12.0]
> at
> org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370)
> ~[ignite-core-2.12.0.jar!/:2.12.0]
> at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58)
> ~[ignite-core-2.12.0.jar!/:2.12.0] {noformat}
> To reproduce the problem just start two server nodes with TLS v1.3 enabled
> and the warnings will be printed in the log before the cluster is formed.
> h3. Analysis
> The problem _probably_ happens due to [this
> code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426]
> calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}}
> alert, which TLS 1.2 is expecting (see [RFC
> 8446|https://datatracker.ietf.org/doc/html/rfc8446#section-6]). I guess the
> right approach to close an SSL socket is just calling {{Socket#close}}, which
> should properly wait/send a {{close_notify}}.
> Some references to consider:
> [JDK-8215102 Closing connection to Mysql database results in
> exception|https://bugs.openjdk.java.net/browse/JDK-8215102]
> [Fix for #93590 - ignore javax.net.ssl.SSLException: closing inbound before
> receiving peer's close_notify on
> java11+|https://github.com/mysql/mysql-connector-j/pull/32]
> [JDK-8251553 Socket closure issues in migrating from JDK 8 to JDK
> 11|https://bugs.openjdk.java.net/browse/JDK-8251553]
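
The close order suggested in the analysis above, as an added example that is not part of the original report and is not Ignite's own code: a hypothetical helper, {{TlsAwareSocketCloser}}, that half-closes only plain TCP sockets and lets {{close()}} handle the TLS closure for an {{SSLSocket}}. The class and method names are assumptions, and {{main}} exercises only the plain-TCP path on loopback because it needs no key material.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper for illustration; not Ignite's IgniteUtils.close(). */
public final class TlsAwareSocketCloser {
    /** An I/O step that may fail. */
    private interface IoStep { void run() throws IOException; }

    /** Closes the socket; returns true if no step raised an IOException. */
    public static boolean close(Socket sock) {
        if (sock == null || sock.isClosed())
            return true;
        boolean clean = true;
        // Half-close only plain TCP sockets. On an SSLSocket (JDK 11+),
        // shutdownInput() before the peer's close_notify arrives raises the
        // SSLException shown in the report, so that branch is skipped.
        if (!(sock instanceof SSLSocket) && sock.isConnected()) {
            if (!sock.isInputShutdown())
                clean &= attempt(sock::shutdownInput);
            if (!sock.isOutputShutdown())
                clean &= attempt(sock::shutdownOutput);
        }
        // For an SSLSocket, close() runs the TLS closure and sends close_notify.
        clean &= attempt(sock::close);
        return clean;
    }

    /** Runs one step and reports whether it completed without an IOException. */
    private static boolean attempt(IoStep step) {
        try { step.run(); return true; }
        catch (IOException e) { return false; }
    }

    /** Loopback demo of the plain-TCP path (constructed; no TLS keys needed). */
    public static void main(String[] args) throws IOException {
        try (ServerSocket srv = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Socket client = new Socket(srv.getInetAddress(), srv.getLocalPort());
            Socket accepted = srv.accept();
            System.out.println("client closed cleanly: " + close(client));
            System.out.println("accepted closed cleanly: " + close(accepted));
        }
    }
}
```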