[ https://issues.apache.org/jira/browse/KUDU-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16168388#comment-16168388 ]

Alexey Serbin edited comment on KUDU-2145 at 9/15/17 7:21 PM:
--------------------------------------------------------------

As I see from the bouncycastle changelog, they fixed the issue in 2015:

{noformat}
commit fddfc766c9398792bbb43b63de845ed65040d44e
Author: David Hook <[email protected]>
Date:   Thu Apr 23 14:48:11 2015 +1000

    fixed handling of ExtendedKeyUsage in EE certificates.
{noformat}

According to their git repository history, the fix is included in bouncycastle 
version 1.53:
{noformat}
$ git tag -l --contains fddfc766c9398792bbb43b63de845ed65040d44e
r1rv53
r1rv54
r1rv55
r1rv56
r1rv57
r1rv58
{noformat}

According to the [release notes|https://www.bouncycastle.org/releasenotes.html] 
at their website, version 1.53 was released in October 2015:
{noformat}
Release: 1.53
Date:      2015, October 10 
{noformat}

I don't think we need to fix anything in Kudu IPKI regarding that bug in 
bouncycastle.  Instead, I would recommend upgrading the bouncycastle package to 
1.53 or a newer version or, alternatively, switching to other security providers 
(e.g., to the standard JCE provider), as described 
[here|https://docs.oracle.com/cd/E19830-01/819-4712/ablsc/index.html].


> Bouncycastle incompatibility with Kudu master CA
> ------------------------------------------------
>
>                 Key: KUDU-2145
>                 URL: https://issues.apache.org/jira/browse/KUDU-2145
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, security
>    Affects Versions: 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.4.1
>            Reporter: Mike Percy
>
> It appears that bouncycastle, at least in some cases, may be incompatible 
> with the current Kudu master CA implementation. I saw the following exception 
> on a Kudu 1.4 cluster in the Impala catalogd log (catalogd uses the Kudu Java 
> client for DDL operations):
> {code}
> E0912 11:22:19.658434  6023 TabletClient.java:723] [Peer ] Unexpected exception from downstream on [id: 0x0c7360a9, /10.0.0.1:42103 => host.example.com/10.0.0.2:7051]
> Java exception follows:
> org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.AbstractCodecEmbedder$EmbeddedChannelPipeline.notifyHandlerException(AbstractCodecEmbedder.java:242)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:566)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder.offer(DecoderEmbedder.java:70)
>       at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
>       at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:250)
>       at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:229)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
>       at org.apache.kudu.client.shaded.org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
>       at org.apache.kudu.client.shaded.org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
>       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>       at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
>       at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>       at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
>       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
>       at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>       at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>       ... 37 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>       at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>       at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>       at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>       at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>       at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>       at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
>       at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
>       ... 42 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
>       at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
>       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
>       at sun.security.validator.Validator.validate(Validator.java:260)
>       at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>       at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>       at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
>       at org.apache.kudu.client.SecurityContext$DelegatedTrustManager.checkServerTrusted(SecurityContext.java:275)
>       at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:827)
>       at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
>       ... 50 more
> Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
>       at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
>       at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
>       at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
>       at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
>       ... 58 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
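The trace above ends in bouncycastle's PKIX path validator rejecting the Kudu master's certificate because it treats a critical ExtendedKeyUsage extension (OID 2.5.29.37) as unsupported. The following diagnostic is an added example, not code from the issue, from Kudu or from bouncycastle: it assumes two PEM files on the command line (the leaf certificate and its issuing CA), lists the leaf's critical extension OIDs and what the JDK's own X.509 parser thinks of them, shows which JCA provider currently answers `CertPathValidator.getInstance("PKIX")`, and validates the path both through that default provider and explicitly through the JDK's built-in `SUN` provider, which is one way to exercise the "switch to the standard JCE provider" workaround without editing the global provider order. Revocation checking is disabled as an assumption of this diagnostic, since no CRL or OCSP source is configured for it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

/**
 * Diagnostic for "Certificate has unsupported critical extension" failures.
 * Usage: java CertPathDiag <leaf.pem> <ca.pem>   (paths are assumptions)
 */
public class CertPathDiag {

    // OID of ExtendedKeyUsage (RFC 5280 section 4.2.1.12), the one named in the trace.
    static final String EKU_OID = "2.5.29.37";

    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Validate the leaf against the CA as trust anchor using the named provider,
     * or the first registered PKIX provider when providerName is null.
     */
    static String validate(CertificateFactory cf, X509Certificate leaf,
                           X509Certificate ca, String providerName) {
        try {
            CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
            PKIXParameters params =
                    new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source for this check
            CertPathValidator cpv = providerName == null
                    ? CertPathValidator.getInstance("PKIX")
                    : CertPathValidator.getInstance("PKIX", providerName);
            cpv.validate(path, params);
            return "OK via provider " + cpv.getProvider().getName();
        } catch (CertPathValidatorException e) {
            // This is where a validator that does not recognise a critical
            // extension reports it, as bouncycastle does in the trace.
            return "FAILED: " + e.getMessage();
        } catch (Exception e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = load(cf, args[0]);
        X509Certificate ca = load(cf, args[1]);

        // Which extensions are marked critical, and does the JDK's own parser
        // consider any of them unsupported? (Independent of the BC validator.)
        Set<String> critical = leaf.getCriticalExtensionOIDs();
        System.out.println("Leaf critical extension OIDs: " + critical);
        System.out.println("EKU (" + EKU_OID + ") is critical: "
                + (critical != null && critical.contains(EKU_OID)));
        System.out.println("JDK parser reports an unsupported critical extension: "
                + leaf.hasUnsupportedCriticalExtension());

        // Provider registration order decides who serves "PKIX" by default;
        // bouncycastle installed ahead of SUN takes over path validation.
        System.out.println("Registered providers, in order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        Provider serving = CertPathValidator.getInstance("PKIX").getProvider();
        System.out.println("PKIX validation is served by: " + serving.getName());

        System.out.println("Default provider: " + validate(cf, leaf, ca, null));
        System.out.println("SUN provider:     " + validate(cf, leaf, ca, "SUN"));
    }
}
```

If the default-provider run fails with the "unsupported critical extension" message while the explicit `SUN` run succeeds, the rejection comes from the registered provider's validator rather than from the certificate itself, which is the situation the comment above attributes to bouncycastle releases before 1.53.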
