[
https://issues.apache.org/jira/browse/KNOX-3172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tamás Hanicz updated KNOX-3172:
-------------------------------
Description:
The BC FIPS provider causes a SocketException with a 'Broken Pipe' message on
FIPS clusters. When there is a *connection: close* header in the response, Knox
tries to close the connection; however, there is an exception coming from BC. It
tries to write to the already closed connection and we get the Broken Pipe
issue and it results in HTTP 500 responses from Knox.
The solution catches and ignores this exception on the socket level. The
intercepting socket would only load if the FIPS arg is provided for Knox. This arg
defaults to com.safelogic.cryptocomply.fips.approved_only=true and can be
changed in the gateway-site.xml.
{code:java}
java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
    at org.bouncycastle.tls.RecordStream.writeRecord(RecordStream.java:307)
    at org.bouncycastle.tls.TlsProtocol.safeWriteRecord(TlsProtocol.java:927)
    at org.bouncycastle.tls.TlsProtocol.raiseAlertWarning(TlsProtocol.java:1602)
    at org.bouncycastle.tls.TlsProtocol.handleClose(TlsProtocol.java:299)
    at org.bouncycastle.tls.TlsProtocol.close(TlsProtocol.java:1780)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.close(ProvSSLSocketWrap.java:154)
{code}
was:
The BC FIPS provider causes a SocketException with a 'Broken Pipe' message on
FIPS clusters. It tries to write to a closed connection and it results in HTTP
500 responses from Knox.
The solution catches and ignores this exception on the socket level. The
intercepting socket would only load if the FIPS arg is provided for Knox. This arg
defaults to com.safelogic.cryptocomply.fips.approved_only=true and can be
changed in the gateway-site.xml.
{code:java}
java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
    at org.bouncycastle.tls.RecordStream.writeRecord(RecordStream.java:307)
    at org.bouncycastle.tls.TlsProtocol.safeWriteRecord(TlsProtocol.java:927)
    at org.bouncycastle.tls.TlsProtocol.raiseAlertWarning(TlsProtocol.java:1602)
    at org.bouncycastle.tls.TlsProtocol.handleClose(TlsProtocol.java:299)
    at org.bouncycastle.tls.TlsProtocol.close(TlsProtocol.java:1780)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.close(ProvSSLSocketWrap.java:154)
{code}
> BouncyCastle FIPS provider Broken Pipe exception
> ------------------------------------------------
>
> Key: KNOX-3172
> URL: https://issues.apache.org/jira/browse/KNOX-3172
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Tamás Hanicz
> Assignee: Tamás Hanicz
> Priority: Major
>
> The BC FIPS provider causes a SocketException with a 'Broken Pipe' message on
> FIPS clusters. When there is a *connection: close* header in the response,
> Knox tries to close the connection; however, there is an exception coming from
> BC. It tries to write to the already closed connection and we get the Broken
> Pipe issue and it results in HTTP 500 responses from Knox.
> The solution catches and ignores this exception on the socket level. The
> intercepting socket would only load if the FIPS arg is provided for Knox. This
> arg defaults to com.safelogic.cryptocomply.fips.approved_only=true and can
> be changed in the gateway-site.xml.
> {code:java}
> java.net.SocketException: Broken pipe (Write failed)
>     at java.net.SocketOutputStream.socketWrite0(Native Method)
>     at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
>     at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
>     at org.bouncycastle.tls.RecordStream.writeRecord(RecordStream.java:307)
>     at org.bouncycastle.tls.TlsProtocol.safeWriteRecord(TlsProtocol.java:927)
>     at org.bouncycastle.tls.TlsProtocol.raiseAlertWarning(TlsProtocol.java:1602)
>     at org.bouncycastle.tls.TlsProtocol.handleClose(TlsProtocol.java:299)
>     at org.bouncycastle.tls.TlsProtocol.close(TlsProtocol.java:1780)
>     at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.close(ProvSSLSocketWrap.java:154)
> {code}
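The approach the description outlines (an intercepting socket, loaded only when the FIPS arg is present, that ignores the SocketException raised on close) can be sketched as follows; this is an added example, not the Knox patch or any Knox code. The class names, `wrapIfFips`, the stand-in `AlertOnCloseSocket`, and the reading of the FIPS arg as a `name=value` JVM system property are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.SocketException;

// Added illustration, not Knox code: class and method names are hypothetical.
public class CloseTolerantSocketDemo {
    static final String DEFAULT_FIPS_ARG = "com.safelogic.cryptocomply.fips.approved_only=true";

    // Intercepts close() only; application reads and writes still fail loudly.
    static class CloseTolerantSocket extends Socket {
        private final Socket delegate;
        CloseTolerantSocket(Socket delegate) { this.delegate = delegate; }
        @Override public InputStream getInputStream() throws IOException { return delegate.getInputStream(); }
        @Override public OutputStream getOutputStream() throws IOException { return delegate.getOutputStream(); }
        @Override public boolean isClosed() { return delegate.isClosed(); }
        @Override public void close() throws IOException {
            try {
                delegate.close();
            } catch (SocketException e) {
                // Peer already hung up; other IOException types still propagate.
            }
        }
    }
    // Assumption: the FIPS arg is visible as a JVM system property in name=value form.
    static Socket wrapIfFips(Socket socket, String fipsArg) {
        String[] kv = fipsArg.split("=", 2);
        boolean fips = kv.length == 2 && kv[1].equals(System.getProperty(kv[0]));
        return fips ? new CloseTolerantSocket(socket) : socket;
    }
    // Constructed stand-in for a provider socket whose close() writes to a dead peer.
    static class AlertOnCloseSocket extends Socket {
        @Override public void close() throws IOException {
            super.close();
            throw new SocketException("Broken pipe (Write failed)");
        }
    }
    public static void main(String[] args) throws IOException {
        System.setProperty("com.safelogic.cryptocomply.fips.approved_only", "true");
        wrapIfFips(new AlertOnCloseSocket(), DEFAULT_FIPS_ARG).close(); // exception absorbed
        System.clearProperty("com.safelogic.cryptocomply.fips.approved_only");
        try {
            wrapIfFips(new AlertOnCloseSocket(), DEFAULT_FIPS_ARG).close();
        } catch (SocketException e) {
            System.out.println("without the FIPS arg: " + e.getMessage());
        }
    }
}
```

Keeping the catch confined to `close()` and to `SocketException` means write failures on response data and non-socket I/O errors still surface to the caller.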