[ https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17985130#comment-17985130 ]
Andor Molnar commented on ZOOKEEPER-4940:
-----------------------------------------

Could you please share both the client and server configuration (config files and command line parameters) which is broken?

What if we just put this setting behind an SslProvider check and don't set it if SslProvider == JDK?

> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4940
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.10.0, 3.9.3
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> The problem is that ZK unconditionally calls
> *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
> when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does
> not support that for the JRE provider.
> For JRE, OCSP is set in the javax.net.ssl.TrustManager object.
> I did not dig deep, but I presume that the OpenSSL provider ignores that,
> hence it needs another property.
> To make this even more interesting, this setting doesn't actually do anything
> at all in Zookeeper.
> Zookeeper uses netty-tcnative-boringssl-static, but this method is a NoOP for
> boringSSL, it is only supported by tcnative
> for OpenSSL.
> (I guess in theory the consumer could replace the tcnative implementation, in
> which case it would work as intended)
> {noformat}
> [zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0]
> 2025-06-18 04:06:01,013 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
> 2025-06-18 04:06:01,074 [myid:] - WARN  [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
> java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
> 	at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
> 	at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
> 	at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
> 	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
> 	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
> 	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
> 	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
> 	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
> 	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
> 	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
> 	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
> 	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
> 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> 	at java.lang.Thread.run(Thread.java:750)
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
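The provider check suggested in the comment, together with the JDK-side alternative the issue mentions (OCSP configured on the TrustManager rather than on the Netty SslContext), written out as an added example; this is illustrative code, not ZooKeeper's ClientX509Util, and the class and method names are hypothetical:

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;

/** Hypothetical helper: builds a Netty client SslContext without tripping the JDK OCSP check. */
public final class OcspAwareSslContext {

    public static SslContext forClient(KeyStore trustStore, SslProvider provider, boolean ocsp)
            throws GeneralSecurityException, SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(provider);
        if (ocsp && provider == SslProvider.JDK) {
            // JDK provider: revocation checking is configured in the TrustManager, not on the
            // SslContext, so enableOcsp(true) must not be called here (it throws
            // "OCSP is not supported with this SslProvider: JDK").
            builder.trustManager(ocspTrustManagerFactory(trustStore));
        } else {
            builder.trustManager(plainTrustManagerFactory(trustStore));
            // Only the OpenSSL-based providers accept enableOcsp(); per the issue it is a no-op
            // with netty-tcnative-boringssl-static, so do not rely on it for revocation checks.
            if (ocsp) {
                builder.enableOcsp(true);
            }
        }
        return builder.build();
    }

    /** PKIX TrustManagerFactory with an OCSP-first revocation checker attached. */
    static TrustManagerFactory ocspTrustManagerFactory(KeyStore trustStore) throws GeneralSecurityException {
        PKIXRevocationChecker checker =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // Empty option set = defaults: try OCSP first, fall back to CRLs, fail closed when
        // neither answers. Add Option.SOFT_FAIL only if a fail-open policy is acceptable.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(checker);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }

    static TrustManagerFactory plainTrustManagerFactory(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }
}
```

With this shape the zookeeper.ssl.ocsp flag keeps a meaning under both providers, and the IllegalArgumentException from the stack trace above cannot be reached when the provider is JDK.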