[ https://issues.apache.org/jira/browse/IGNITE-22605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nikita Amelchev updated IGNITE-22605:
-------------------------------------
    Release Note: Added check for SSL errors on TcpDiscovery writing failures

> Wrong certificate chain might lead to split brain
> -------------------------------------------------
>
>                 Key: IGNITE-22605
>                 URL: https://issues.apache.org/jira/browse/IGNITE-22605
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Maksim Timonin
>            Assignee: Maksim Timonin
>            Priority: Major
>              Labels: ise
>             Fix For: 2.17
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There is a flaky test; it actually fails due to the bug.
> {code:java}
> TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
> Test scenario is as follows:
> # Start node A
> # Try to start node B with mismatching certificates
> # Node B doesn't fail but starts a new topology.
> Logic that leads to the error:
> # Node A started - creates a topology from a single node.
> # Node B is starting. Node B opens a socket to node A.
> # Node B writes {{IGNITE_HEADER}} to the socket.
> # Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries to send {{TcpDiscoveryHandshakeRequest}}
> # Node A receives the {{IGNITE_HEADER}}, fails on SSL handshake, closes the connection with an SSL error, and doesn't receive {{TcpDiscoveryHandshakeRequest}}
> # Node B doesn't check any ack for {{IGNITE_HEADER}} and gets error "socket closed" for writing {{TcpDiscoveryHandshakeRequest}}
> # Node B decides that node A doesn't exist and creates its own topology
> Proposed fix: In case of SSL enabled and socket failure, Node B should check the input stream after sending {{IGNITE_HEADER}} and TcpDiscoveryHandshakeRequest.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
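The check proposed in the issue, sketched as an added example (this is not Ignite's code or the actual patch). `JoinWriteFailureCheck`, `sendJoin` and `Outcome` are hypothetical names, the header bytes are placeholders, and the two streams are constructed stand-ins for node B's socket after node A has aborted the TLS handshake. The first call in `main` models a joiner that ignores the read side, the second one applies the check.

```java
import java.io.*;
import java.net.SocketException;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

public class JoinWriteFailureCheck {
    enum Outcome { JOIN_REQUEST_SENT, PEER_UNREACHABLE, SSL_REJECTED }

    // Hypothetical helper: sends the header and the handshake request. On a write
    // failure with SSL enabled it reads the input stream, so that a TLS alert the
    // peer sent before closing surfaces as an SSLException instead of being lost.
    static Outcome sendJoin(OutputStream out, InputStream in, boolean sslEnabled,
                            byte[] header, byte[] handshakeReq) {
        try {
            out.write(header);
            out.write(handshakeReq);
            out.flush();
            return Outcome.JOIN_REQUEST_SENT;
        } catch (IOException writeErr) {
            if (writeErr instanceof SSLException)
                return Outcome.SSL_REJECTED;
            if (sslEnabled) {
                try {
                    in.read();
                } catch (SSLException sslErr) {
                    return Outcome.SSL_REJECTED; // peer exists but rejected our certificates
                } catch (IOException ignored) {
                    // no SSL evidence on the read side either
                }
            }
            // Only this outcome should let the joining node consider forming its own topology.
            return Outcome.PEER_UNREACHABLE;
        }
    }

    public static void main(String[] args) {
        // Constructed streams: writes fail with "Socket closed", reads report the TLS alert.
        OutputStream closedOut = new OutputStream() {
            @Override public void write(int b) throws IOException { throw new SocketException("Socket closed"); }
        };
        InputStream alertIn = new InputStream() {
            @Override public int read() throws IOException { throw new SSLHandshakeException("constructed TLS alert"); }
        };
        byte[] header = {0, 0, 0, 0}, req = {1}; // placeholder bytes, not the real IGNITE_HEADER
        System.out.println(sendJoin(closedOut, alertIn, false, header, req)); // read side ignored
        System.out.println(sendJoin(closedOut, alertIn, true, header, req));  // read side checked
    }
}
```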