Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 8.0 Update 1.4.0-dev-1, 8.0 Update 4
Affects Version/s: 8.0.0.GA
Component/s: Clustering
Labels:
- intersmash

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Target Release:

8.0.z.GA
Workaround:

Workaround Exists
Workaround Description:
Hide

There are a least 3 workarounds:

Disable TLS over hotrod.

Override the logic from the original fix by manually disabling hostname validation via an adhoc "ssl_hostname_validation" property

Use the IP address of the RHDG Service instead of its name within the outbound-socket-binding of the remote-cache-container. This will cause EAP to auto-disable hostname validation.
Show
There are a least 3 workarounds: Disable TLS over hotrod. Override the logic from the original fix by manually disabling hostname validation via an adhoc "ssl_hostname_validation" property Use the IP address of the RHDG Service instead of its name within the outbound-socket-binding of the remote-cache-container. This will cause EAP to auto-disable hostname validation.
Git Pull Request:
https://github.com/jbossas/jboss-eap8/pull/337, https://github.com/jbossas/jboss-eap8/pull/398
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

A WildFly instance is configured to connect to a remote infinispan via HotRod, but the logs show that the deployment fails due to a SSLHandshakeException:

[0m[0m21:34:21,925 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 70) WFLYCLINF0002: Started ROOT.war.TransactionalRecurringTimerService.TRANSIENT cache from ejb container
[0m[31m21:34:22,193 ERROR [org.infinispan.HOTROD] (HotRod-client-async-pool-11) ISPN004007: Exception encountered. Retry 10 out of 10: org.infinispan.client.hotrod.exceptions.TransportException:: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.122.96.222 found
	at org.infinispan.client.hotrod@14.0.22.Final//org.infinispan.client.hotrod.impl.transport.netty.ActivationHandler.exceptionCaught(ActivationHandler.java:52)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:325)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:317)
	at org.infinispan.client.hotrod@14.0.22.Final//org.infinispan.client.hotrod.impl.transport.netty.SslHandshakeExceptionHandler.userEventTriggered(SslHandshakeExceptionHandler.java:17)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:400)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:376)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:368)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1362)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1343)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:509)
	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:407)
	at io.netty.netty-common@4.1.104.Final//io.netty.util.concurrent.SingleThreadEventExecutor.run(SingleThreadEventExecutor.java:997)
	at io.netty.netty-common@4.1.104.Final//io.netty.util.internal.ThreadExecutorMap.run(ThreadExecutorMap.java:74)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextReferenceExecutor.execute(ContextReferenceExecutor.java:32)
	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextualExecutor.run(ContextualExecutor.java:61)
	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextReferenceExecutor.execute(ContextReferenceExecutor.java:32)
	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextualExecutor.run(ContextualExecutor.java:61)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.122.96.222 found
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
	... 23 more
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.122.96.222 found
	at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:412)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
	... 34 more
...

As said we only see this in WildFly main branch at the moment, while the test is passing with WildFly 30.0.0.Final.

clones

WFLY-19040 Regression due to SSLHandshakeException affecting HotRod client when connecting to remote Infinispan

Closed

is caused by

WFLY-19505 Expose attributes to configure SNI per cluster for HotRod TLS handshake

Open

WFLY-19441 HotRod hostname validation auto-configuration does not work in k8s

Resolved

JBEAP-26224 (8.0.z) Upgrade Infinispan to 14.0.24.Final-redhat-00001

Closed

is cloned by

JBEAP-27272 (XP 5 CR2) Regression due to SSLHandshakeException affecting HotRod client when connecting to remote Infinispan

Closed

is incorporated by

JBEAP-26770 (8.0.z) Upgrade EAP codebase to 8.0.3.GA-redhat-SNAPSHOT in EAP 8.0 Update 2

Closed

(1 is incorporated by)

Assignee:: Paul Ferraro

Reporter:: Tomas Hofman

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024/02/16 2:59 PM

Updated:: 2024/11/01 11:07 AM

Resolved:: 2024/08/20 9:16 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates