[
https://issues.apache.org/jira/browse/IGNITE-22605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikita Amelchev updated IGNITE-22605:
-------------------------------------
Release Note: Added check for SSL errors on TcpDiscovery writing failures
> Wrong certificate chain might lead to split brain
> -------------------------------------------------
>
> Key: IGNITE-22605
> URL: https://issues.apache.org/jira/browse/IGNITE-22605
> Project: Ignite
> Issue Type: Bug
> Reporter: Maksim Timonin
> Assignee: Maksim Timonin
> Priority: Major
> Labels: ise
> Fix For: 2.17
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There is a flaky test, it actually fails due to the bug.
> {code:java}
> TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
> Test scenario is as follows:
> # Start node A
> # Try start node B with mismatching certificates
> # Node B doesn't fail but starts new topology.
> Logic that leads to the error:
> # Node A started - create topology from single node.
> # Node B is starting. Node B opens socket to node A
> # Node B writes {{IGNITE_HEADER}} to the socket.
> # Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
> {{TcpDiscoveryHandshakeRequest}}
> # Node A receives the {{{}IGNITE_HEADER{}}}, fails on SSL handshake, closes
> the connection with SSL error, and doesn't receive
> {{TcpDiscoveryHandshakeRequest}}
> # Node B doesn't check any ack for {{IGNITE_HEADER and get error "socket
> closed" for writing TcpDiscoveryHandshakeRequest}}
> # Node B decides that node A doesn't exist and creates own topology
> Proposal fix: In case of SSL enabled and socket failure, Node B should check
> the input stream after sending {{IGNITE_HEADER }}and
> TcpDiscoveryHandshakeRequest.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
