Sure, here’s the Java Version. Other things that use the restricted ssl context 
like the S3 Processors and ListenHTTP work just fine on 1.14.0 in TLS 1.3 mode 
so it’s probably something somewhat specific to the Distributed Cache Server.

openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)

Thanks
Shawn

From: David Handermann <[email protected]>
Sent: Thursday, September 23, 2021 8:04 AM
To: [email protected]
Subject: Re: DistributedMapCacheClientService and Server - javax.net.ssl.SSLException: Tag mismatch!

Shawn,

Thanks for reporting this issue with TLS 1.3.  Are you running on Java 8, or 
Java 11?  Can you provide the specific version of Java?

NIFI-7468 included several improvements to the NiFi SSLSocketChannel class 
(https://issues.apache.org/jira/browse/NIFI-7468), but there appear to be some 
additional problems specific to TLS 1.3.

Work is in progress on NIFI-8919 (https://github.com/apache/nifi/pull/5311) to 
refactor the Distributed Cache Clients using Netty, which provides a more 
robust TLS implementation.  The best way to address this issue will be to 
refactor the Distributed Cache Server as well, but there may be some 
improvements that could be made to SSLSocketChannel as well.

If you could provide these details along with the Java version in a NiFi Jira 
issue, that would be very helpful.

Regards,
David Handermann

On Thu, Sep 23, 2021 at 7:33 AM Shawn Weeks <[email protected]> wrote:
I’m getting an error when I try and use the DistributedMapCacheClientService 
with a restricted ssl context in TLS 1.3 mode or just TLS (which I think 
defaults to 1.3). I was wondering if anyone else had seen it. This is on 
1.14.0.  The certificate being used by NiFi has multiple host entries in the 
SAN (subject alternative name) field in case it’s a bug related to that. If I 
switch the SSL Context to TLS 1.2 everything works fine.

See here for an example flow 
https://gist.github.com/shawnweeks/36e32f1074cd4583543b91f552bc3413

Thanks
Shawn

2021-09-23 12:05:33,289 ERROR [Timer-Driven Process Thread-7] o.a.n.p.standard.PutDistributedMapCache PutDistributedMapCache[id=cbe274f4-a948-1c59-0000-00003b1dcc5a] Unable to communicate with cache when processing StandardFlowFileRecord[uuid=e37a067f-d7de-43cd-98ae-6a60fa431b9a,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1632395462870-733, container=default, section=733], offset=815883, length=11],offset=0,name=e37a067f-d7de-43cd-98ae-6a60fa431b9a,size=11] due to javax.net.ssl.SSLException: Tag mismatch!: javax.crypto.AEADBadTagException: Tag mismatch!

javax.net.ssl.SSLException: Tag mismatch!
     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123)
     at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
     at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
     at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.unwrap(SSLSocketChannel.java:668)
     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:377)
     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannelInputStream.read(SSLSocketChannelInputStream.java:46)
     at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
     at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271)
     at java.base/java.io.FilterInputStream.read(FilterInputStream.java:83)
     at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateVersionNegotiation(ProtocolHandshake.java:83)
     at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateHandshake(ProtocolHandshake.java:57)
     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.leaseCommsSession(DistributedMapCacheClientService.java:426)
     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.withCommsSession(DistributedMapCacheClientService.java:489)
     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.put(DistributedMapCacheClientService.java:132)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
     at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
     at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
     at com.sun.proxy.$Proxy569.put(Unknown Source)
     at org.apache.nifi.processors.standard.PutDistributedMapCache.onTrigger(PutDistributedMapCache.java:202)
     at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
     at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
     at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
     at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
     at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
     at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
     at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
     at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
     at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
     at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
     at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
     at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
     at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
     at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
     at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
     at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
     at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1903)
     at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
     ... 35 common frames omitted
