  1. Red Hat Data Grid
  2. JDG-4763

No SSL client connection established after update to 8.2.1, rejected with 'ssl is null'


Details

    • Bug
    • Resolution: Done
    • Major
    • RHDG 8.3 GA
    • RHDG 8.1 CR1, RHDG 8.2.1 GA
    • Server
    • False
    • False
    • See https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index#rhdg-platform-dependency-issues_issues for a description of the issue and configuration workaround.
    • Use `-Dorg.infinispan.openssl=false`; this forces use of JDK SSL instead of the native OpenSSL.
    • Configuration

      <security>
        <security-realms>
          <security-realm name="default">
            <server-identities>
              <ssl>
                 <keystore path="keystore.jks" keystore-password="XX" .../>
              </ssl>
            </server-identities>

      ...

      <endpoints socket-binding="default" security-realm="default">
        <hotrod-connector name="hotrod">
          <authentication>
            <sasl mechanisms="PLAIN" server-name="infinispan" .../>
          </authentication>
        </hotrod-connector>


    Description

      With 8.2 Update #1 the wildfly openssl library is upgraded from 1.0.12 to 2.1.3 to support TLSv1.3.

      After this, clients are no longer able to connect if the endpoint is configured with SSL encryption.

       

      WARN [io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
      io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: ssl is null

      As a result the user log shows the following:

      Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
      at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
      at org.infinispan.client.hotrod.impl.transport.tcp.TcpTransport.flush(TcpTransport.java:203)
      ... 72 more
      Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at sun.security.ssl.InputRecord.read(InputRecord.java:505)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
      ... 78 more

       
       
       
       
       
       
       


            People

              pminz@redhat.com Priyanka Minz
              rhn-support-wfink Wolf Fink
              Diego Lovison Diego Lovison