[jira] [Commented] (HBASE-27673) Fix mTLS client authentication

Balazs Meszaros (Jira) Mon, 27 Feb 2023 05:14:11 -0800


    [ 
https://issues.apache.org/jira/browse/HBASE-27673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694015#comment-17694015
 ]


Balazs Meszaros commented on HBASE-27673:
-----------------------------------------

We are getting the remote address from {{SSLEngine}} at 
{{HBaseTrustManager:97}}, so we have to create {{SSLEngine}} properly.

> Fix mTLS client authentication
> ------------------------------
>
>                 Key: HBASE-27673
>                 URL: https://issues.apache.org/jira/browse/HBASE-27673
>             Project: HBase
>          Issue Type: Bug
>          Components: rpc
>    Affects Versions: 3.0.0-alpha-3
>            Reporter: Balazs Meszaros
>            Assignee: Balazs Meszaros
>            Priority: Major
>
> The exception what I get:
> {noformat}
> 23/02/22 15:18:06 ERROR tls.HBaseTrustManager: Failed to verify host address: 
> 127.0.0.1
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <127.0.0.1> doesn't 
> match any of the subject alternative names: [***]
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.matchIPAddress(HBaseHostnameVerifier.java:144)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.verify(HBaseHostnameVerifier.java:117)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.performHostVerification(HBaseTrustManager.java:143)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.checkClientTrusted(HBaseTrustManager.java:97)
>       ...
> 23/02/22 15:18:06 ERROR tls.HBaseTrustManager: Failed to verify hostname: 
> localhost
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't 
> match any of the subject alternative names: [***]
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.matchDNSName(HBaseHostnameVerifier.java:159)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.verify(HBaseHostnameVerifier.java:119)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.performHostVerification(HBaseTrustManager.java:171)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.checkClientTrusted(HBaseTrustManager.java:97)
>       ...
> 23/02/22 15:18:06 WARN ipc.NettyRpcServer: Connection /100.100.124.2:47109; 
> caught unexpected downstream exception.
> org.apache.hbase.thirdparty.io.netty.handler.codec.DecoderException: 
> javax.net.ssl.SSLHandshakeException: Failed to verify both host address and 
> host name
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)
>       at 
> org.apache.hbase.thirdparty.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
>       at 
> org.apache.hbase.thirdparty.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at 
> org.apache.hbase.thirdparty.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>       at java.lang.Thread.run(Thread.java:750)
> Caused by: javax.net.ssl.SSLHandshakeException: Failed to verify both host 
> address and host name
>       at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
>       at 
> sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
>       at 
> sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
>       at 
> sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
>       at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
>       at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
>       ... 15 more
> Caused by: java.security.cert.CertificateException: Failed to verify both 
> host address and host name
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.performHostVerification(HBaseTrustManager.java:175)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.checkClientTrusted(HBaseTrustManager.java:97)
>       at 
> sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
>       ... 29 more
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for 
> <localhost> doesn't match any of the subject alternative names: [***]
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.matchDNSName(HBaseHostnameVerifier.java:159)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseHostnameVerifier.verify(HBaseHostnameVerifier.java:119)
>       at 
> org.apache.hadoop.hbase.io.crypto.tls.HBaseTrustManager.performHostVerification(HBaseTrustManager.java:171)
>       ... 31 more
> {noformat}
> The connection was made from {{100.100.124.2:47109}}, however it tried to 
> verify the certificate with {{localhost/127.0.0.1}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (HBASE-27673) Fix mTLS client authentication

Reply via email to