[ https://issues.apache.org/jira/browse/KNOX-3172?focusedWorklogId=976229&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-976229 ]

ASF GitHub Bot logged work on KNOX-3172:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Jul/25 08:41
            Start Date: 25/Jul/25 08:41
    Worklog Time Spent: 10m 
      Work Description: hanicz opened a new pull request, #1065:
URL: https://github.com/apache/knox/pull/1065

   …uncycastle exception, set max connections for PoolingHttpClientConnectionManager
   
   ## What changes were proposed in this pull request?
   
   The BC FIPS provider causes a SocketException with 'Broken Pipe' message on FIPS clusters. When there is a connection: close header in the response, Knox tries to close the connection; however, there is an exception coming from BC. It tries to write to the already closed connection and we get the Broken Pipe issue, and it results in HTTP 500 responses from Knox.
   
   The solution catches and ignores this exception on the socket level. The intercepting socket would only load if FIPS arg is provided for Knox. This arg defaults to com.safelogic.cryptocomply.fips.approved_only=true and can be changed in the gateway-site.xml.
   
   ## How was this patch tested?
   Unit tests
   Tested on FIPS cluster with fips arg and BC provider loaded by JDK.
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 976229)
    Remaining Estimate: 0h
            Time Spent: 10m

> BouncyCastle FIPS provider Broken Pipe exception
> ------------------------------------------------
>
>                 Key: KNOX-3172
>                 URL: https://issues.apache.org/jira/browse/KNOX-3172
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Tamás Hanicz
>            Assignee: Tamás Hanicz
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The BC FIPS provider causes a SocketException with 'Broken Pipe' message on FIPS clusters. When there is a *connection: close* header in the response, Knox tries to close the connection; however, there is an exception coming from BC. It tries to write to the already closed connection and we get the Broken Pipe issue, and it results in HTTP 500 responses from Knox.
> The solution catches and ignores this exception on the socket level. The intercepting socket would only load if FIPS arg is provided for Knox. This arg defaults to com.safelogic.cryptocomply.fips.approved_only=true and can be changed in the gateway-site.xml.
> {code:java}
> java.net.SocketException: Broken pipe (Write failed)
>     at java.net.SocketOutputStream.socketWrite0(Native Method)
>     at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
>     at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
>     at org.bouncycastle.tls.RecordStream.writeRecord(RecordStream.java:307)
>     at org.bouncycastle.tls.TlsProtocol.safeWriteRecord(TlsProtocol.java:927)
>     at org.bouncycastle.tls.TlsProtocol.raiseAlertWarning(TlsProtocol.java:1602)
>     at org.bouncycastle.tls.TlsProtocol.handleClose(TlsProtocol.java:299)
>     at org.bouncycastle.tls.TlsProtocol.close(TlsProtocol.java:1780)
>     at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.close(ProvSSLSocketWrap.java:154)
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
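
The close-path handling described in the pull request, narrowed to a single helper, as an added example that is not Knox's code and not part of the original message. The names `closeTolerant` and `FailingSocket`, and reading the FIPS property as a boolean switch, are assumptions made for illustration; the point shown is that only the close-time "Broken pipe" is suppressed, and only when the FIPS arg is set.

```java
import java.io.IOException;
import java.net.Socket;
import java.net.SocketException;

public class BrokenPipeTolerantClose {
    // Property name is from the PR text; reading it as a boolean switch is an assumption.
    static final String FIPS_ARG = "com.safelogic.cryptocomply.fips.approved_only";

    // Matches the message in the stack trace above: "Broken pipe (Write failed)".
    static boolean isBrokenPipe(SocketException e) {
        String msg = e.getMessage();
        return msg != null && msg.startsWith("Broken pipe");
    }

    // Returns true if a close-time broken pipe was suppressed, false on a clean close.
    // Any other failure, or any failure without the FIPS arg, still propagates.
    static boolean closeTolerant(Socket socket) throws IOException {
        try {
            socket.close();
            return false;
        } catch (SocketException e) {
            if (Boolean.getBoolean(FIPS_ARG) && isBrokenPipe(e)) {
                return true; // peer already gone; the closing alert could not be written
            }
            throw e;
        }
    }

    // Constructed stand-in for a TLS socket whose close() writes to a dead connection.
    static class FailingSocket extends Socket {
        private final String message;
        FailingSocket(String message) { this.message = message; }
        @Override public void close() throws IOException {
            super.close(); // release the socket first, then report the failed write
            throw new SocketException(message);
        }
    }

    public static void main(String[] args) throws IOException {
        System.setProperty(FIPS_ARG, "true");
        System.out.println("suppressed: " + closeTolerant(new FailingSocket("Broken pipe (Write failed)")));
        try { closeTolerant(new FailingSocket("Connection reset")); }
        catch (SocketException e) { System.out.println("rethrown: " + e.getMessage()); }
        System.setProperty(FIPS_ARG, "false");
        try { closeTolerant(new FailingSocket("Broken pipe (Write failed)")); }
        catch (SocketException e) { System.out.println("rethrown without FIPS arg: " + e.getMessage()); }
    }
}
```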
