WildFly / WFLY-19040

Regression due to SSLHandshakeException affecting HotRod client when connecting to remote Infinispan


      A WildFly instance is configured to connect to a remote Infinispan via HotRod, but the logs show that the deployment fails due to an SSLHandshakeException:

      21:34:21,925 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 70) WFLYCLINF0002: Started ROOT.war.TransactionalRecurringTimerService.TRANSIENT cache from ejb container
      21:34:22,193 ERROR [org.infinispan.HOTROD] (HotRod-client-async-pool-11) ISPN004007: Exception encountered. Retry 10 out of 10: org.infinispan.client.hotrod.exceptions.TransportException:: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.122.96.222 found
      	at org.infinispan.client.hotrod@14.0.22.Final//org.infinispan.client.hotrod.impl.transport.netty.ActivationHandler.exceptionCaught(ActivationHandler.java:52)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:346)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:325)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:317)
      	at org.infinispan.client.hotrod@14.0.22.Final//org.infinispan.client.hotrod.impl.transport.netty.SslHandshakeExceptionHandler.userEventTriggered(SslHandshakeExceptionHandler.java:17)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:400)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:376)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:368)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1362)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1343)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
      	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
      	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
      	at io.netty.netty-codec@4.1.104.Final//io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
      	at io.netty.netty-transport@4.1.104.Final//io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
      	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
      	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:509)
      	at io.netty.netty-transport-native-epoll@4.1.104.Final//io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:407)
      	at io.netty.netty-common@4.1.104.Final//io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
      	at io.netty.netty-common@4.1.104.Final//io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
      	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextReferenceExecutor.execute(ContextReferenceExecutor.java:32)
      	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextualExecutor$1.run(ContextualExecutor.java:61)
      	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextReferenceExecutor.execute(ContextReferenceExecutor.java:32)
      	at org.wildfly.clustering.context@32.0.0.Beta1-202402040142-c0bb3c99//org.wildfly.clustering.context.ContextualExecutor$1.run(ContextualExecutor.java:61)
      	at java.base/java.lang.Thread.run(Thread.java:833)
      Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.122.96.222 found
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
      	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
      	at io.netty.netty-handler@4.1.104.Final//io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
      	... 23 more
      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.122.96.222 found
      	at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
      	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:412)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292)
      	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
      	... 34 more
      ...
      

      As said, we only see this in the WildFly main branch at the moment, while the test passes with WildFly 30.0.0.Final.

              pferraro@redhat.com Paul Ferraro
              fburzigo Fabio Burzigotti
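
An added illustration (not code from WildFly, Infinispan or the JDK) of the endpoint-identification rule behind the `HostnameChecker.matchIP` frame in the trace: when the client connects to an IP address, only iPAddress SAN entries in the server certificate can satisfy the check. It also handles hostname targets, which goes beyond the case in the report; the SAN lists and the name `infinispan.example.test` are constructed, and any CN fallback is not modelled.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard covers exactly one label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_endpoint(target, san_entries):
    """Check a connection target against a certificate's SAN list.

    san_entries uses the (type, value) tuples that Python's ssl.getpeercert()
    returns under 'subjectAltName', e.g. ('DNS', 'a.example') or
    ('IP Address', '10.0.0.1'). Returns (ok, reason).
    """
    ip = _as_ip(target)
    if ip is not None:
        # An IP target is compared only with iPAddress entries; DNS entries never count.
        for kind, value in san_entries:
            if kind == "IP Address" and _as_ip(value) == ip:
                return True, "matched IP SAN " + value
        if not san_entries:
            return False, "No subject alternative names present"
        return False, f"No subject alternative names matching IP address {target} found"
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, target):
            return True, "matched DNS SAN " + value
    return False, f"No subject alternative DNS name matching {target} found"

# Constructed sample: a server certificate that names the server by DNS only.
SAN_DNS_ONLY = [("DNS", "infinispan.example.test")]
# Constructed sample: the same certificate reissued with the address from the log as an IP SAN.
SAN_WITH_IP = SAN_DNS_ONLY + [("IP Address", "172.122.96.222")]

if __name__ == "__main__":
    for target in ("172.122.96.222", "infinispan.example.test"):
        for sans in (SAN_DNS_ONLY, SAN_WITH_IP):
            print(target, sans, check_endpoint(target, sans))
```

To inspect a live endpoint the same way, feed the function the `subjectAltName` tuple from `ssl.SSLSocket.getpeercert()` and the exact host string the client is configured to dial.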