[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712394#comment-17712394 ]
Andor Molnar commented on ZOOKEEPER-4393:
-----------------------------------------

[~edipesh19] Since you abandoned the ticket and the PR for a while, let me take this over and introduce a different approach. I'm going to introduce a new ZooKeeper variable {{fips_mode}} which will be off by default and if turned on, we'll use the built-in TrustManager without our extra validations. I believe this is the intention of FIPS mode and the Sun check cited in the description. Will create a new PR soon.

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Assignee: Andor Molnar
>            Priority: Major
>
> In my environment zookeeper is running in FIPS mode as a 3 node cluster. My service is also running in FIPS mode with security provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from my service, when I am trying to connect to zookeeper, I am getting the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] - org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is that zookeeper has its own trust manager implementation, which is
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the below instance check becomes false and hence it falls into the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
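The selection logic the comment proposes, as an added example (not ZooKeeper's code and not the PR's): `WrappingTrustManager` is a hypothetical stand-in for ZKTrustManager, and the `fipsMode` parameter stands for the proposed {{fips_mode}} setting. In FIPS mode the provider's own X509ExtendedTrustManager is handed to SSLContext unchanged, so SunJSSE's `instanceof X509TrustManagerImpl` check passes; otherwise it is wrapped, which is exactly the shape that trips that check under FIPS.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

public final class FipsAwareSslContext {

    // Hypothetical stand-in for ZKTrustManager: delegates to the provider's manager.
    // Any extra validation (hostname checks etc.) would be layered on after delegating.
    static final class WrappingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager d;
        WrappingTrustManager(X509ExtendedTrustManager delegate) { this.d = delegate; }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkClientTrusted(c, a, s); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkServerTrusted(c, a, s); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkClientTrusted(c, a, e); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkServerTrusted(c, a, e); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkClientTrusted(c, a); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkServerTrusted(c, a); }
        @Override public X509Certificate[] getAcceptedIssuers() { return d.getAcceptedIssuers(); }
    }

    // The provider's own X509ExtendedTrustManager (SunJSSE's X509TrustManagerImpl when SunJSSE is active).
    static X509ExtendedTrustManager providerTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // a null KeyStore selects the JDK default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        }
        throw new IllegalStateException("provider returned no X509ExtendedTrustManager");
    }

    // fipsMode=true: pass the provider's manager through untouched so the FIPS check passes.
    // fipsMode=false: keep the wrapper and its extra validation (rejected under FIPS).
    static SSLContext build(KeyStore trustStore, boolean fipsMode) throws Exception {
        X509ExtendedTrustManager base = providerTrustManager(trustStore);
        TrustManager chosen = fipsMode ? base : new WrappingTrustManager(base);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { chosen }, null);
        return ctx;
    }
}
```

Note that the wrapper fails the SunJSSE check even though it only delegates: the check is on the concrete class, not on behaviour, which is why a configuration switch rather than a smarter wrapper is the workable fix.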