[ https://issues.apache.org/jira/browse/ZOOKEEPER-3939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17394808#comment-17394808 ]

Muni edited comment on ZOOKEEPER-3939 at 8/10/21, 6:51 AM:
-----------------------------------------------------------

Any update on this issue, or any possible workaround?

Even after the handshake was successful (certs are completely validated and
data exchange should start here), we keep getting

[nioEventLoopGroup-0-0] DEBUG io.netty.handler.ssl.SslHandler - [id: 0x64fea65f, /127.0.01:41880 => remote_server:2281] *HANDSHAKEN*: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

nioEventLoopGroup-0-0, *SEND TLSv1.2 ALERT: warning, description = close_notify*
nioEventLoopGroup-0-0, called closeOutbound()
nioEventLoopGroup-0-0, closeOutboundInternal()
nioEventLoopGroup-0-0, called closeInbound()
nioEventLoopGroup-0-0, *fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?*
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]

 

 

UPDATE: 

After a lot of debugging, I didn't see a reason why the connection was closing
before the server response. However, it had something to do with the
netty-handler dependency version: following an online suggestion for a similar
problem to use the 4.1.66-Final JAR fixed the problem.

 


was (Author: muni136):
Any update on this issue, or any possible workaround?

Even after the handshake was successful (certs are completely validated and
data exchange should start here), we keep getting

[nioEventLoopGroup-0-0] DEBUG io.netty.handler.ssl.SslHandler - [id: 0x64fea65f, /127.0.01:41880 => remote_server:2281] *HANDSHAKEN*: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

nioEventLoopGroup-0-0, *SEND TLSv1.2 ALERT: warning, description = close_notify*
nioEventLoopGroup-0-0, called closeOutbound()
nioEventLoopGroup-0-0, closeOutboundInternal()
nioEventLoopGroup-0-0, called closeInbound()
nioEventLoopGroup-0-0, *fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?*
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]

> There is not property for private key password. no cipher suites in common
> --------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3939
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3939
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.5.7
>            Reporter: Maks Savkin
>            Priority: Major
>
> ZooKeeper uses the key store password as the private key password for
> setting up TLS. If we have another password for the private key, we receive
> a strange mistake, "no cipher suite in common", which is not clear.
> Full logs:
> {code}
> 2020-08-28 14:32:21,339 [myid:] - ERROR [nioEventLoopGroup-7-2:NettyServerCnxnFactory$CertificateVerifier@363] - Unsuccessful handshake with session 0x0
> 2020-08-28 14:32:21,342 [myid:] - DEBUG [nioEventLoopGroup-7-2:NettyServerCnxn@91] - close called for sessionid:0x0
> 2020-08-28 14:32:21,343 [myid:] - DEBUG [nioEventLoopGroup-7-2:NettyServerCnxn@103] - cnxns size:0
> nioEventLoopGroup-7-2, called closeOutbound()
> nioEventLoopGroup-7-2, closeOutboundInternal()
> nioEventLoopGroup-7-2, called closeInbound()
> nioEventLoopGroup-7-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> 2020-08-28 14:32:21,348 [myid:] - WARN [nioEventLoopGroup-7-2:NettyServerCnxnFactory$CnxnChannelHandler@220] - Exception caught
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
>     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>     at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
>     at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
>     at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>     at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>     at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1324)
>     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
>     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
>     ... 17 more
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>     at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>     at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494)
>     at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392)
>     ... 21 more
> {code}
> It happens because of the code:
> https://github.com/apache/zookeeper/blob/4a2d58219b7435c3b8cdf8f7ab04b158c1900223/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L438
>  
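
Log triage for the two traces in this thread, added here as an example and not code from ZooKeeper, Netty or any commenter: it groups JSSE/Netty debug lines by event-loop thread and classifies each connection by handshake outcome, because the "possible truncation attack?" line appears in both traces and does not tell them apart. The event names, verdict labels and condensed sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the two traces quoted in this thread.
SAMPLE = """\
[nioEventLoopGroup-0-0] DEBUG io.netty.handler.ssl.SslHandler - [id: 0x64fea65f] HANDSHAKEN: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
nioEventLoopGroup-0-0, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2020-08-28 14:32:21,339 [myid:] - ERROR [nioEventLoopGroup-7-2:NettyServerCnxnFactory$CertificateVerifier@363] - Unsuccessful handshake with session 0x0
nioEventLoopGroup-7-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

THREAD = re.compile(r"nioEventLoopGroup-\d+-\d+")
MARKERS = {  # event names are this example's own labels for strings in the traces
    "handshake_ok": re.compile(r"\bHANDSHAKEN\b"),
    "handshake_failed": re.compile(r"Unsuccessful handshake|SSLHandshakeException"),
    "no_common_cipher": re.compile(r"no cipher suites in common"),
    "truncation_warning": re.compile(r"Inbound closed before receiving peer's close_notify"),
}

def events_by_thread(log_text):
    """Collect marker hits per event-loop thread. Lines without a thread name
    (exception and stack-trace lines) belong to the last thread seen."""
    events, current = defaultdict(set), None
    for line in log_text.splitlines():
        match = THREAD.search(line)
        current = match.group(0) if match else current
        if current:
            events[current] |= {n for n, p in MARKERS.items() if p.search(line)}
    return dict(events)

def classify(names):
    """Handshake outcome decides; the truncation warning appears in both traces."""
    if "no_common_cipher" in names:
        return "handshake-failed:no-common-cipher"  # the reported issue's symptom
    if "handshake_failed" in names:
        return "handshake-failed:other"
    if "handshake_ok" in names and "truncation_warning" in names:
        return "closed-after-handshake"  # TLS negotiation itself succeeded
    if "truncation_warning" in names:
        return "truncation-warning-only"
    return "no-finding"

def triage(log_text):
    return {t: classify(n) for t, n in events_by_thread(log_text).items()}

if __name__ == "__main__":
    for thread, verdict in triage(SAMPLE).items():
        print(thread, "->", verdict)
```

A `handshake-failed:no-common-cipher` verdict is the symptom this issue describes, so compare the private key password with the key store password before changing cipher lists.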


