Josh Elser created ACCUMULO-3065:
------------------------------------
Summary: Improve client and server diagnostics when mismatched SSL configuration
Key: ACCUMULO-3065
URL: https://issues.apache.org/jira/browse/ACCUMULO-3065
Project: Accumulo
Issue Type: Improvement
Components: client, rpc
Affects Versions: 1.6.0
Reporter: Josh Elser

While playing with SSL configured RPC, I often found myself in the situation
where I would deploy a secure Accumulo without setting up {{.accumulo/config}},
or have my client set up to connect with SSL, and the server was running
unencrypted RPC.

The former isn't too bad, but you get this very unintuitive error about
"Server: XXX.XXX.XXX.XXX had twenty failures in the past..." after a few
seconds. It's not straightforward in saying "the server requires SSL, but you
didn't provide SSL credentials".

The bad side is when the client is providing SSL and the server is not
expecting it. Because of the very quick retry on a failed connection by the
client, getting a Connector can act as a denial of service attack against the
tserver, quickly causing it to OOME.

Backing off on the client-side retries would be desirable, in addition to
adding some more "smarts" so that the client can know the difference between a
handshake failure and a general server error.
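
The two changes proposed in the report above (backing off client-side retries, and telling a handshake failure apart from a general connection error), shown as an added example; it is not Accumulo code and not from the reporter. It uses Python's `ssl` module rather than Accumulo's Thrift RPC layer, and the names `tls_connect`, `backoff_delays`, `connect_with_backoff` and `HandshakeFailure` are hypothetical.

```python
import random
import socket
import ssl
import time


class HandshakeFailure(Exception):
    """TLS negotiation failed; retrying with the same settings cannot succeed."""


def tls_connect(host, port, context, timeout=5.0):
    """Open a TCP connection and perform the TLS handshake on it."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return context.wrap_socket(raw, server_hostname=host)
    except BaseException:
        raw.close()  # do not leak the socket when the handshake fails
        raise


def backoff_delays(base=0.1, cap=30.0, attempts=8, rng=random.random):
    """Exponential backoff with jitter: each delay is rng() * min(cap, base * 2**n)."""
    for n in range(attempts):
        yield rng() * min(cap, base * 2 ** n)


def connect_with_backoff(connect, delays, sleep=time.sleep):
    """Call connect() once per delay, sleeping after each retryable failure.

    connect is a zero-argument callable (assumption: it wraps tls_connect
    or an equivalent RPC open call).
    """
    last = None
    for delay in delays:
        try:
            return connect()
        except ssl.SSLError as exc:
            # ssl.SSLError subclasses OSError, so it must be caught first.
            # A handshake-level failure points at configuration: stop at once
            # and say so, instead of hammering the server with reconnects.
            raise HandshakeFailure(
                f"TLS handshake failed ({exc}); check that client and server "
                "agree on whether SSL is enabled") from exc
        except OSError as exc:
            # Refused, reset or timed out: possibly transient, wait and retry.
            last = exc
            sleep(delay)
    raise ConnectionError(f"gave up after repeated failures: {last}")
```

With this split, a client configured for SSL that reaches a plaintext server makes one attempt and reports the mismatch, while ordinary connection failures are retried at a decreasing rate.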