[ https://issues.apache.org/jira/browse/IGNITE-22605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17866435#comment-17866435 ]

Ignite TC Bot commented on IGNITE-22605:
----------------------------------------

{panel:title=Branch: [pull/11415/head] Base: [master] : No blockers found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#D6F7C1}{panel}
{panel:title=Branch: [pull/11415/head] Base: [master] : No new tests found!|borderStyle=dashed|borderColor=#ccc|titleBGColor=#F7D6C1}{panel}
[TeamCity *--> Run :: All* Results|https://ci2.ignite.apache.org/viewLog.html?buildId=7985208&buildTypeId=IgniteTests24Java8_RunAll]

> Wrong certificate chain might lead to split brain
> -------------------------------------------------
>
>                 Key: IGNITE-22605
>                 URL: https://issues.apache.org/jira/browse/IGNITE-22605
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Maksim Timonin
>            Assignee: Maksim Timonin
>            Priority: Major
>              Labels: ise
>             Fix For: 2.17
>
>
> There is a flaky test; it actually fails due to the bug.
> {code:java}
> TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
> Test scenario is as follows:
>  # Start node A
>  # Try to start node B with mismatching certificates
>  # Node B doesn't fail but starts a new topology.
> Logic that leads to the error:
>  # Node A started - creates a topology from a single node.
>  # Node B is starting. Node B opens a socket to node A
>  # Node B writes {{IGNITE_HEADER}} to the socket.
>  # Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries to send {{TcpDiscoveryHandshakeRequest}}
>  # Node A receives the {{IGNITE_HEADER}}, fails on SSL handshake, closes the connection with an SSL error, and doesn't receive {{TcpDiscoveryHandshakeRequest}}
>  # Node B doesn't check any ack for {{IGNITE_HEADER}} and gets the error "socket closed" when writing {{TcpDiscoveryHandshakeRequest}}
>  # Node B decides that node A doesn't exist and creates its own topology
> Proposed fix: In case SSL is enabled and the socket fails, Node B should check the input stream after sending {{IGNITE_HEADER}} and {{TcpDiscoveryHandshakeRequest}}.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
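
The failure sequence and the proposed fix from the quoted issue, as an added example (not Ignite code and not part of the original message). It models node A with a plain local socket pair; the header and request bytes, the TLS alert record and all function names are constructed for illustration.

```python
import socket

HEADER = b"HDR!"                  # placeholder for IGNITE_HEADER (constructed)
REQUEST = b"handshake-request"    # placeholder for TcpDiscoveryHandshakeRequest
# Constructed TLS alert record: type 21 (alert), TLS 1.2, length 2,
# level 2 (fatal), description 48 (unknown_ca).
TLS_ALERT = bytes([21, 3, 3, 0, 2, 2, 48])


def node_a_rejects(conn):
    """Model of node A: read the header, fail the handshake, alert, close."""
    conn.recv(len(HEADER))
    conn.sendall(TLS_ALERT)
    conn.close()


def pending_tls_alert(sock):
    """Return (level, description) if the peer left a TLS alert, else None."""
    sock.settimeout(0.5)
    try:
        rec = sock.recv(7)
    except OSError:
        return None
    if len(rec) == 7 and rec[0] == 21 and rec[3:5] == b"\x00\x02":
        return rec[5], rec[6]
    return None


def join(check_input):
    """Run node B's join attempt and return its decision about the topology."""
    b, a = socket.socketpair()
    try:
        b.sendall(HEADER)          # step 3: header written, no ack awaited
        node_a_rejects(a)          # step 5: node A closes with an SSL error
        try:
            b.sendall(REQUEST)     # step 6: write fails, "socket closed"
        except OSError:
            # Proposed fix: look at the input stream before giving up on A.
            if check_input:
                alert = pending_tls_alert(b)
                if alert:
                    return "join-rejected: TLS alert %d/%d" % alert
            return "no-peer: start own topology"   # step 7: split brain
        return "request-sent"
    finally:
        b.close()
```

`join(False)` reproduces the split-brain decision, while `join(True)` reports the rejection because the alert bytes node A wrote before closing are still readable on node B's side.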
