[ https://issues.apache.org/jira/browse/CASSANDRA-19508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17833782#comment-17833782 ]

Brandon Williams commented on CASSANDRA-19508:
----------------------------------------------

Looks good to me.  We probably don't need CI for this but I already got caught 
once, so:

||Branch||CI||
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-19508-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1563/workflows/3200ba88-f38d-41ad-99c2-65e6240fb9ee], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1563/workflows/99832cc7-a831-4074-aae5-2bd70783a408]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-19508-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1562/workflows/8029ecf4-e1a6-421f-8387-6c82b2ca58e0], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1562/workflows/ee01ef79-8541-4600-9764-1d43d8165d91]|
|[5.0|https://github.com/driftx/cassandra/tree/CASSANDRA-19508-5.0]|[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1564/workflows/0ae12b67-291f-4da8-936b-0c4bdd5d5f45], [j17|https://app.circleci.com/pipelines/github/driftx/cassandra/1564/workflows/89ee38ea-6b17-42fa-92e6-51f472407088]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-19508-trunk]|[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1565/workflows/1979282a-89d0-44a5-a37f-7d237046eea0], [j17|https://app.circleci.com/pipelines/github/driftx/cassandra/1565/workflows/d9f97053-1541-4505-8ab3-2a0b50070ba3]|


> Getting tons of msgs "Failed to get peer certificates for peer 
> /x.x.x.x:45796" when require_client_auth is set to false
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19508
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19508
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: Mohammad Aburadeh
>            Assignee: Mohammad Aburadeh
>            Priority: Urgent
>             Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> We recently upgraded our production clusters from 3.11.15 to 4.1.4. We 
> started seeing thousands of msgs "Failed to get peer certificates for peer 
> /x.x.x.x:45796". SSL is enabled but require_client_auth is disabled.  This is 
> causing a huge problem for us because Cassandra log files are growing very 
> fast as our connections are short-lived connections; we open more than 1K 
> connections per second and they stay live for 1-2 seconds. 
> {code:java}
> DEBUG [Native-Transport-Requests-2] 2024-03-31 21:26:38,026 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.23:45796
> javax.net.ssl.SSLPeerUnverifiedException: peer not verified
>         at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$DefaultOpenSslSession.getPeerCertificateChain(ReferenceCountedOpenSslEngine.java:2414)
>         at io.netty.handler.ssl.ExtendedOpenSslSession.getPeerCertificateChain(ExtendedOpenSslSession.java:140)
>         at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:136)
>         at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:120)
>         at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:76)
>         at org.apache.cassandra.transport.Message$Request.execute(Message.java:255)
>         at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:166)
>         at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:185)
>         at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:212)
>         at org.apache.cassandra.transport.Dispatcher$RequestProcessor.run(Dispatcher.java:109)
>         at org.apache.cassandra.concurrent.FutureTask$1.call(FutureTask.java:96)
>         at org.apache.cassandra.concurrent.FutureTask.call(FutureTask.java:61)
>         at org.apache.cassandra.concurrent.FutureTask.run(FutureTask.java:71)
>         at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:142)
>         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> {code}
> *Our SSL config:*
> {code:java}
> client_encryption_options:
>   enabled: true
>   keystore: /path/to/keystore
>   keystore_password: xxxxx
>   optional: false
>   require_client_auth: false
> {code}
>  
> We should stop throwing this msg when require_client_auth is set to false. Or 
> at least it should be logged in TRACE not DEBUG. 
> I'm working on preparing a PR. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
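
To measure how much of a debug log the message reported above accounts for, the following added example (not part of the original report or of the Cassandra code base) counts the events per second and per peer and sums the bytes they occupy, stack traces included. It assumes the log line layout shown in the quoted trace; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the report; peers and times are made up.
SAMPLE_LOG = """\
DEBUG [Native-Transport-Requests-2] 2024-03-31 21:26:38,026 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.23:45796
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
\tat org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:136)
DEBUG [Native-Transport-Requests-5] 2024-03-31 21:26:38,411 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.23:45801
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
INFO  [main] 2024-03-31 21:26:39,002 Example.java:1 - unrelated line (constructed)
DEBUG [Native-Transport-Requests-1] 2024-03-31 21:26:39,120 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.40:51002
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
"""

# First line of a log event: level, [thread], timestamp, source location, message.
HEADER = re.compile(
    r"^[A-Z]+\s+\[[^\]]+\] (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \S+ - (?P<msg>.*)$")
# Greedy ip group so the port is always what follows the last colon.
PEER_MSG = re.compile(r"^Failed to get peer certificates for peer /(?P<ip>.+):\d+$")


def summarize(log_text):
    """Count the events and the bytes they occupy, stack traces included."""
    per_second, per_peer = Counter(), Counter()
    noise_bytes = total_bytes = 0
    in_noise = False
    for line in log_text.splitlines(keepends=True):
        size = len(line.encode("utf-8"))
        total_bytes += size
        header = HEADER.match(line.rstrip("\r\n"))
        if header:  # a new log event starts here
            peer = PEER_MSG.match(header["msg"])
            in_noise = peer is not None
            if peer:
                per_second[header["ts"]] += 1
                per_peer[peer["ip"]] += 1
        if in_noise:  # headerless lines are the stack trace of the current event
            noise_bytes += size
    return {"events": sum(per_peer.values()),
            "peak_per_second": max(per_second.values(), default=0),
            "per_peer": dict(per_peer),
            "noise_bytes": noise_bytes, "total_bytes": total_bytes}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
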
