[ https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18003522#comment-18003522 ]
Istvan Toth commented on ZOOKEEPER-4940:
----------------------------------------

I've just replied to the same issue on the PR.

jdk.tls.client.enableStatusRequestExtension=true
jdk.tls.server.enableStatusRequestExtension=true

works for the JRE TLS provider, while sslContextBuilder.enableOcsp() works for tcnative (if supported).

The problem is that sslContextBuilder.enableOcsp() when the provider is JRE will just throw an exception, hence we need to check for the provider before calling it.

OpenSsl.isOcspSupported() only tells us if the native library loaded by tcnative supports it, but that's unrelated to whether we're using tcnative or the JRE provider, i.e. tcnative could have loaded an OpenSSL native library that supports OCSP, but if we set the JRE TLS provider for Netty, it still won't work.

> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4940
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.10.0, 3.9.3
>            Reporter: Istvan Toth
>            Assignee: Istvan Toth
>            Priority: Major
>
> The problem is that ZK unconditionally calls
> *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
> when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does not support that for the JRE provider.
> For JRE OCSP is set in the javax.net.ssl.TrustManager object.
> I did not dig deep, but I presume that the OpenSSL provider ignores that, hence it needs another property.
> To make this even more interesting, this setting doesn't actually do anything at all in Zookeeper.
> Zookeeper uses netty-tcnative-boringssl-static, but this method is a NoOP for boringSSL, it is only supported by tcnative for OpenSSL.
> (I guess in theory the consumer could replace the tcnative implementation, in which case it would work as intended)
> {noformat}
> [zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 2025-06-18 04:06:01,013 [myid:] - WARN [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
> 2025-06-18 04:06:01,074 [myid:] - WARN [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
> java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
> 	at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
> 	at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
> 	at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
> 	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
> 	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
> 	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
> 	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
> 	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
> 	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
> 	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
> 	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
> 	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
> 	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
> 	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
> 	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
> 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> 	at java.lang.Thread.run(Thread.java:750)
> {noformat}
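A provider-aware way to honour the OCSP setting, as an added example that is not ZooKeeper's or Netty's code: the class and method names are hypothetical, and it assumes the caller has already chosen the Netty SslProvider and loaded the trust store.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

// Added illustration, not ZooKeeper code: OcspConfig and its method names are hypothetical.
public final class OcspConfig {

    // Provider-aware OCSP wiring. Returns true when the setting could be honoured and
    // false when it cannot, so the caller can log a warning instead of failing channel init.
    public static boolean applyOcsp(SslContextBuilder builder, SslProvider provider,
                                    boolean wantOcsp) {
        if (!wantOcsp) {
            return false;
        }
        if (provider == SslProvider.JDK) {
            // Never call enableOcsp() here: build() throws IllegalArgumentException for
            // the JDK provider (the stack trace above). The JDK stack is driven by system
            // properties, which turn on the status_request (stapling) extension instead.
            System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
            System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
            return true;
        }
        // tcnative path: isOcspSupported() only describes the loaded native library, so it
        // is consulted after the provider check, never instead of it.
        if (OpenSsl.isAvailable() && OpenSsl.isOcspSupported()) {
            builder.enableOcsp(true);
            return true;
        }
        return false;
    }

    // For the JDK provider the revocation check itself lives in the TrustManager: a PKIX
    // trust manager with revocation enabled and a PKIXRevocationChecker attached.
    public static TrustManagerFactory revocationCheckingTrust(KeyStore trustStore)
            throws GeneralSecurityException {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        params.addCertPathChecker(checker);
        params.setRevocationEnabled(true);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf; // hand to builder.trustManager(tmf) before build()
    }
}
```

With the JDK provider the two system properties only ask for stapled status in the handshake; the returned TrustManagerFactory is what actually rejects a revoked certificate.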