[
https://issues.apache.org/jira/browse/KUDU-1876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Daniel Cryans updated KUDU-1876:
-------------------------------------
Target Version/s: 1.6.0
> Poor error messages and behavior when webserver TLS is misconfigured
> --------------------------------------------------------------------
>
> Key: KUDU-1876
> URL: https://issues.apache.org/jira/browse/KUDU-1876
> Project: Kudu
> Issue Type: Bug
> Components: security, supportability
> Affects Versions: 1.3.0
> Reporter: Adar Dembo
>
> I was playing around with Cloudera Manager's upcoming webserver TLS support
> and found a couple cases where misconfigurations led to confusing error
> messages and other weird behavior. I focused on *webserver_private_key_file*,
> *webserver_certificate_file*, and *webserver_private_key_password_cmd*.
>
> *webserver_private_key_file* is unset, but *webserver_certificate_file* and
> *webserver_private_key_password_cmd* are set: the server crashes (good) but
> with a fairly inscrutable error message:
> {noformat}
> I0213 18:49:50.606950 2265 webserver.cc:144] Webserver: Enabling HTTPS
> support
> I0213 18:49:50.607322 2265 webserver.cc:293] Webserver: set_ssl_option:
> cannot open /etc/adar_kudu_tls/cert.pem: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> W0213 18:49:50.607375 2265 net_util.cc:293] Failed to bind to 0.0.0.0:8051.
> Trying to use lsof to find any processes listening on the same port:
> I0213 18:49:50.607393 2265 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ;
> lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051'
> -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do while [ $pid -gt 1 ] ; do ps h
> -fp $pid ; stat=($(</proc/$pid/stat)) ; pid=${stat[3]} ; done ; done
> W0213 18:49:50.632638 2265 net_util.cc:303]
> F0213 18:49:50.632704 2265 master_main.cc:71] Check failed: _s.ok() Bad
> status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
>
> *webserver_private_key_file*, *webserver_certificate_file*, and
> *webserver_private_key_password_cmd* are all set, but the password command
> script yields the wrong password: the server crashes (good) but the error
> message is inscrutable:
> {noformat}
> I0213 18:35:34.581714 32633 webserver.cc:293] Webserver: set_ssl_option:
> cannot open /etc/adar_kudu_tls/cert.pem: error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt
> W0213 18:35:34.581794 32633 net_util.cc:293] Failed to bind to 0.0.0.0:8051.
> Trying to use lsof to find any processes listening on the same port:
> I0213 18:35:34.581811 32633 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ;
> lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051'
> -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do while [ $pid -gt 1 ] ; do ps h
> -fp $pid ; stat=($(</proc/$pid/stat)) ; pid=${stat[3]} ; done ; done
> W0213 18:35:34.605216 32633 net_util.cc:303]
> F0213 18:35:34.605254 32633 master_main.cc:71] Check failed: _s.ok() Bad
> status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
>
> *webserver_private_key_file* and *webserver_private_key_password_cmd* are
> set, but *webserver_certificate_file* is not: the server starts up (probably
> bad?) and any attempt to access the webui on the https port yields a "This
> site can’t provide a secure connection" message in the browser with
> ERR_SSL_PROTOCOL_ERROR as the error code. I only tested with Chromium.
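An added example, not part of the report and not Kudu's code: a preflight check an operator could run before starting the server, so the three misconfigurations described above produce explicit messages instead of a bind failure or a browser error. The function name and message wording are hypothetical, and it assumes the password command prints the passphrase on stdout.

```python
import re
import ssl
import subprocess
from pathlib import Path

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(path):
    """Return the PEM block labels found in a file (empty list if none)."""
    return PEM_LABEL.findall(Path(path).read_text(errors="replace"))

def check_webserver_tls(cert_file=None, key_file=None, password_cmd=None):
    """Return a list of readable problems; an empty list means the flags are consistent."""
    problems = []
    if not (cert_file or key_file or password_cmd):
        return problems  # HTTPS not requested at all
    # Certificate and key must be set together (first and third cases in the report).
    if cert_file and not key_file:
        problems.append("webserver_certificate_file is set but webserver_private_key_file is not")
    if key_file and not cert_file:
        problems.append("webserver_private_key_file is set but webserver_certificate_file is not")
    if password_cmd and not key_file:
        problems.append("webserver_private_key_password_cmd is set but there is no key to decrypt")
    for flag, path, want in (("webserver_certificate_file", cert_file, "CERTIFICATE"),
                             ("webserver_private_key_file", key_file, "PRIVATE KEY")):
        if not path:
            continue
        if not Path(path).is_file():
            problems.append(f"{flag}: {path} does not exist or is not a file")
        elif not any(label.endswith(want) for label in pem_labels(path)):
            problems.append(f"{flag}: {path} has no PEM '{want}' block")
    if problems:
        return problems
    # Wrong password (second case): let OpenSSL try to load the pair.
    password = ""  # always pass a value so OpenSSL never prompts on the terminal
    if password_cmd:
        # Assumption: the command's stdout, stripped of whitespace, is the passphrase.
        out = subprocess.run(password_cmd, shell=True, capture_output=True, text=True)
        if out.returncode != 0:
            return [f"webserver_private_key_password_cmd exited with status {out.returncode}"]
        password = out.stdout.strip()
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_file, key_file, password)
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        problems.append(f"certificate/key pair failed to load (wrong password or mismatched key?): {e}")
    return problems
```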