Thanks for providing the Java version details. Only a small number of components use the NiFi SSLSocketChannel class, which is why most components should not have any problems with TLS 1.3. Updates to the Distributed Cache Server and Clients should resolve these issues.

Regards,
David Handermann

On Thu, Sep 23, 2021 at 8:14 AM Shawn Weeks <[email protected]> wrote:

> Sure, here’s the Java Version. Other things that use the restricted ssl
> context like the S3 Processors and ListenHTTP work just fine on 1.14.0 in
> TLS 1.3 mode so it’s probably something somewhat specific to the
> Distributed Cache Server.
>
> openjdk version "11.0.12" 2021-07-20 LTS
> OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
>
> Thanks
> Shawn
>
> *From:* David Handermann <[email protected]>
> *Sent:* Thursday, September 23, 2021 8:04 AM
> *To:* [email protected]
> *Subject:* Re: DistributedMapCacheClientService and Server -
> javax.net.ssl.SSLException: Tag mismatch!
>
> Shawn,
>
> Thanks for reporting this issue with TLS 1.3. Are you running on Java 8,
> or Java 11? Can you provide the specific version of Java?
>
> NIFI-7468 included several improvements to the NiFi SSLSocketChannel class
> (https://issues.apache.org/jira/browse/NIFI-7468), but there appear to
> be some additional problems specific to TLS 1.3.
>
> Work is in progress on NIFI-8919 (https://github.com/apache/nifi/pull/5311)
> to refactor the Distributed Cache Clients using Netty, which provides a
> more robust TLS implementation. The best way to address this issue will be
> to refactor the Distributed Cache Server as well, but there may be some
> improvements that could be made to SSLSocketChannel as well.
>
> If you could provide these details along with the Java version in a NiFi
> Jira issue, that would be very helpful.
>
> Regards,
> David Handermann
>
> On Thu, Sep 23, 2021 at 7:33 AM Shawn Weeks <[email protected]>
> wrote:
>
> I’m getting an error when I try and use the
> DistributedMapCacheClientService with a restricted ssl context in TLS 1.3
> mode or just TLS (which I think defaults to 1.3). I was wondering if anyone
> else had seen it. This is on 1.14.0. The certificate being used by NiFi
> has multiple host entries in the SAN (subject alternative name) field in
> case it’s a bug related to that. If I switch the SSL Context to TLS 1.2
> everything works fine.
>
> See here for an example flow
> https://gist.github.com/shawnweeks/36e32f1074cd4583543b91f552bc3413
>
> Thanks
> Shawn
>
> 2021-09-23 12:05:33,289 ERROR [Timer-Driven Process Thread-7]
> o.a.n.p.standard.PutDistributedMapCache
> PutDistributedMapCache[id=cbe274f4-a948-1c59-0000-00003b1dcc5a] Unable to
> communicate with cache when processing
> StandardFlowFileRecord[uuid=e37a067f-d7de-43cd-98ae-6a60fa431b9a,claim=StandardContentClaim
> [resourceClaim=StandardResourceClaim[id=1632395462870-733,
> container=default, section=733], offset=815883,
> length=11],offset=0,name=e37a067f-d7de-43cd-98ae-6a60fa431b9a,size=11] due
> to javax.net.ssl.SSLException: Tag mismatch!:
> javax.crypto.AEADBadTagException: Tag mismatch!
>
> javax.net.ssl.SSLException: Tag mismatch!
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
>     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123)
>     at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
>     at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
>     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
>     at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
>     at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.unwrap(SSLSocketChannel.java:668)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:377)
>     at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannelInputStream.read(SSLSocketChannelInputStream.java:46)
>     at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
>     at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271)
>     at java.base/java.io.FilterInputStream.read(FilterInputStream.java:83)
>     at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateVersionNegotiation(ProtocolHandshake.java:83)
>     at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateHandshake(ProtocolHandshake.java:57)
>     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.leaseCommsSession(DistributedMapCacheClientService.java:426)
>     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.withCommsSession(DistributedMapCacheClientService.java:489)
>     at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.put(DistributedMapCacheClientService.java:132)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
>     at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
>     at com.sun.proxy.$Proxy569.put(Unknown Source)
>     at org.apache.nifi.processors.standard.PutDistributedMapCache.onTrigger(PutDistributedMapCache.java:202)
>     at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
>     at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
>     at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
>     at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
>     at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>     at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
>     at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
>     at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
>     at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
>     at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
>     at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
>     at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
>     at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
>     at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
>     at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
>     at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1903)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
>     ... 35 common frames omitted
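
A log-triage sketch for the failure discussed in this thread, added here as an example and not part of the original messages or of NiFi: it reads a Java stack trace and reports whether a "Tag mismatch!" error came through the NiFi SSLSocketChannel class on a TLS 1.3 GCM record read, and which NiFi components were on the call path. The function name `triage` and the sample trace are constructed for illustration; the class names it matches are the ones in the quoted trace.

```python
import re

# Constructed sample: a few frames abridged from the trace quoted in this thread.
SAMPLE = """\
javax.net.ssl.SSLException: Tag mismatch!
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
    at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.unwrap(SSLSocketChannel.java:668)
    at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.put(DistributedMapCacheClientService.java:132)
    at org.apache.nifi.processors.standard.PutDistributedMapCache.onTrigger(PutDistributedMapCache.java:202)
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
    at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1903)
"""

# "at [module/]fully.qualified.Class.method(" -> captures the class name.
FRAME = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$]+)\.[\w$<>]+\(")
# "[Caused by: ]fully.qualified.SomeException" at the start of a line.
CAUSE = re.compile(r"^(?:Caused by:\s*)?([\w.$]+(?:Exception|Error))\b")
NIFI_CHANNEL = "org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel"
TLS13_GCM_READ = "SSLCipher$T13GcmReadCipherGenerator"  # frame seen in the thread


def triage(trace: str) -> dict:
    """Classify one stack trace; returns a dict of findings."""
    exceptions, classes = [], []
    for line in trace.splitlines():
        frame = FRAME.match(line)
        if frame:
            classes.append(frame.group(1))
            continue
        cause = CAUSE.match(line.strip())
        if cause:
            exceptions.append(cause.group(1))
    # NiFi classes other than the TLS channel itself, in call order, deduplicated.
    components = [c.rsplit(".", 1)[-1] for c in classes
                  if c.startswith("org.apache.nifi.") and not c.startswith(NIFI_CHANNEL)]
    return {
        "root_cause": exceptions[-1] if exceptions else None,
        "tls13_gcm_read": any(TLS13_GCM_READ in c for c in classes),
        "via_nifi_sslsocketchannel": NIFI_CHANNEL in classes,
        "nifi_components": list(dict.fromkeys(components)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
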
