Zoltán Borók-Nagy created IMPALA-12546:
------------------------------------------
Summary: Report SSL error details better when using Thrift
Key: IMPALA-12546
URL: https://issues.apache.org/jira/browse/IMPALA-12546
Project: IMPALA
Issue Type: Bug
Reporter: Zoltán Borók-Nagy
If there's a wrong SSL configuration, Impala might raise the following error:
{noformat}
I1026 12:14:11.399665 2413210 status.cc:65] SSL socket creation failed: SSL_CTX_set_cipher_list: unknown command
@ 0xfc54d9 impala::Status::Status(bool, impala::TErrorCode::type, strings::internal::SubstituteArg const&)
@ 0xc7df8d impala::ThriftServer::CreateSocket(std::shared_ptr<apache::thrift::transport::TServerSocket>*) [clone .cold]
...
{noformat}
This doesn't say much about the problem. In a DEBUG build we can get more
detail:
{noformat}
F1101 13:39:52.372052 166825 openssl_util.h:225] Check failed: ERR_peek_error() == 0 (337145995 vs. 0) Expected no pending OpenSSL errors on void impala::ImpalaTlsSocketFactory::configureCiphers(const string&, const string&, bool) entry, but had: error:1418708B:SSL routines:ssl_do_config:unknown command:ssl/ssl_mcnf.c:72:section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
{noformat}
In a RELEASE build the problem is that the error is only caught by Thrift, which
doesn't add much detail:
[https://github.com/apache/thrift/blob/fb9ffd2ad4fac24fa487efa9c620d015d748df30/lib/cpp/src/thrift/transport/TSSLSocket.cpp#L947]
Thrift calls ERR_get_error(), which consumes the errors from the SSL error
queue. Therefore the information is already lost by the time Thrift throws the
exception.
To fix this, we can either:
* Check for SSL errors before invoking TSSLSocketFactory::ciphers() or other Thrift APIs
* Fix Thrift to add more detail about the error
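For triaging the DEBUG message above, here is an added example (not Impala or Thrift code) that splits the rendered OpenSSL queue entry into its fields and unpacks the hex code. `OpenSslError` and `ParseOpenSslError` are hypothetical names, and the bit layout is assumed to be the OpenSSL 1.1.x one, which the function-name field in the string suggests.

```cpp
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>

// Shortened copy of the DEBUG log line on this page, line wraps removed.
const char kSampleLog[] =
    "Check failed: ERR_peek_error() == 0 (337145995 vs. 0) ... but had: error:1418708B:"
    "SSL routines:ssl_do_config:unknown command:ssl/ssl_mcnf.c:72:"
    "section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH";

struct OpenSslError {  // hypothetical type, not Impala's or Thrift's
  bool ok = false;
  uint32_t code = 0;                  // packed value, as ERR_peek_error() returns it
  int lib = 0, func = 0, reason = 0;  // unpacked, OpenSSL 1.1.x layout (assumed)
  std::string func_name, reason_text, file, line;
  std::map<std::string, std::string> data;  // key=value pairs of the data field
};

// Parses "error:<hex>:<lib>:<func>:<reason>:<file>:<line>:<data>" found in `log`.
OpenSslError ParseOpenSslError(const std::string& log) {
  OpenSslError e;
  size_t start = log.find("error:");
  if (start == std::string::npos) return e;
  std::string f[7];  // seven fixed fields; the data field keeps its own colons
  for (int i = 0; i < 7; ++i) {
    size_t colon = log.find(':', start);
    if (colon == std::string::npos) return e;
    f[i] = log.substr(start, colon - start);
    start = colon + 1;
  }
  try { e.code = static_cast<uint32_t>(std::stoul(f[1], nullptr, 16)); }
  catch (const std::exception&) { return e; }
  e.lib = (e.code >> 24) & 0xFF;  // 20 is ERR_LIB_SSL
  e.func = (e.code >> 12) & 0xFFF;
  e.reason = e.code & 0xFFF;
  e.func_name = f[3]; e.reason_text = f[4]; e.file = f[5]; e.line = f[6];
  const std::string rest = log.substr(start);
  for (size_t s = 0; s < rest.size();) {  // split "k=v, k=v" on ", "
    size_t end = rest.find(", ", s);
    if (end == std::string::npos) end = rest.size();
    const std::string kv = rest.substr(s, end - s);
    size_t eq = kv.find('=');
    if (eq != std::string::npos) e.data[kv.substr(0, eq)] = kv.substr(eq + 1);
    s = end + 2;
  }
  e.ok = true;
  return e;
}
```

The decimal in the check message (337145995) is the same value as the hex code 1418708B. The RELEASE message, which has no `error:` entry, parses to nothing.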