Hi Nadeem,

How many S2S clients are connecting to your NiFi? And how many NiFi
nodes does your remote NiFi have?

I've encountered the same error message when I conducted a test using
hundreds of S2S clients connecting to a single NiFi node.
It happened in a situation like the following:
1. An S2S client connects to the NiFi node
2. The NiFi node accepts the connection, spawns a new thread to process
further communication [Site-to-Site Worker Thread-N]
3. But the NiFi node is not able to process incoming connections fast
enough, and when the node starts the SSL handshake process, the client
has already disconnected.

In my case, setting a longer timeout at the S2S clients helped with accepting
more concurrent connections. But this can also be an indication
that more nodes are needed (if the message is logged
in a situation similar to mine).

Another possibility is, as the message says, that a malicious user is
actually sending an SSL truncation attack.

Thanks,
Koji

On Fri, Mar 1, 2019 at 1:19 AM Mohammed Nadeem <nadeemm...@gmail.com> wrote:
>
> Hi,
>
> Can someone please help me resolve the SSLHandshake issue (Site-to-Site) which
> I'm getting in the logs? This ERROR doesn't stop us from accessing the NiFi
> canvas or any calls we make from NiFi components (like SSL Context Service).
> This is something which keeps getting thrown every now and then in
> nifi-app.logs
>
> Below is the error we get in the logs
>
> ERROR [Site-to-Site Worker Thread-138]
> o.a.n.r.io.socket.ssl.SSLSocketChannel
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel@938965a Failed to
> connect due to {}
> javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while
> performing handshake
>         at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:248)
>         at
> org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:163)
>         at
> org.apache.nifi.remote.SocketRemoteSiteListener$1$1.run(SocketRemoteSiteListener.java:168)
>         at java.lang.Thread.run(Thread.java:748)
>
> ERROR [Site-to-Site Worker Thread-138]
> o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept
> connection from Socket[unconnected] due to javax.net.ssl.SSLException:
> Inbound closed before receiving peer's close_notify: possible truncation
> attack?
>
> Setup:
> The CA server is running on a separate host (e.g., ca_server_host) which generates
> self-signed certificates
> Each NiFi instance calls the CA to get the keystore, truststore, etc., i.e. the
> necessary certs
>
> Please help me understand the issue. I have gone through many resources
> online but I wasn't able to resolve it.
>
> Thanks,
> Nadeem
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
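
One way to check whether the two errors quoted in this thread arrive in bursts, which would be consistent with the overloaded-node case described in the reply, is to count them per minute for the Site-to-Site worker threads. This is an added example, not part of either email and not NiFi code; the timestamp/level/thread line layout is an assumption about nifi-app.log, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of a nifi-app.log entry: "<date> <time>,<ms> LEVEL [thread] ..."
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2},\d{3} \w+ +\[([^\]]+)\]")
# Message fragments copied from the two errors quoted in this thread.
SIGNATURES = {
    "handshake_eof": "Reached End-of-File marker while performing handshake",
    "no_close_notify": "Inbound closed before receiving peer's close_notify",
}

def failures_per_minute(lines):
    """Count each signature per minute, only for Site-to-Site worker threads."""
    counts = Counter()
    minute, is_s2s = None, False
    for line in lines:
        header = HEADER.match(line)
        if header:  # new log entry; stack-trace lines below it inherit its minute
            minute = header.group(1)
            is_s2s = header.group(2).startswith("Site-to-Site Worker Thread-")
        if not is_s2s:
            continue
        for name, text in SIGNATURES.items():
            if text in line:
                counts[(minute, name)] += 1
    return counts

def burst_minutes(counts, threshold):
    """Minutes in which the combined failure count reaches the threshold."""
    per_minute = Counter()
    for (minute, _name), n in counts.items():
        per_minute[minute] += n
    return sorted(m for m, n in per_minute.items() if n >= threshold)

# Constructed sample input (not taken from a real log).
SAMPLE = """\
2019-03-01 01:17:02,101 ERROR [Site-to-Site Worker Thread-137] o.a.n.r.io.socket.ssl.SSLSocketChannel Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while performing handshake
2019-03-01 01:17:02,103 ERROR [Site-to-Site Worker Thread-137] o.a.nifi.remote.SocketRemoteSiteListener RemoteSiteListener Unable to accept connection from Socket[unconnected] due to javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2019-03-01 01:17:40,500 ERROR [Site-to-Site Worker Thread-138] o.a.n.r.io.socket.ssl.SSLSocketChannel Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while performing handshake
2019-03-01 01:18:05,000 INFO [Timer-Driven Process Thread-3] o.a.n.example.Other Reached End-of-File marker while performing handshake
2019-03-01 01:19:10,000 ERROR [Site-to-Site Worker Thread-139] o.a.n.r.io.socket.ssl.SSLSocketChannel Failed to connect due to {}
javax.net.ssl.SSLHandshakeException: Reached End-of-File marker while performing handshake
"""

if __name__ == "__main__":
    counts = failures_per_minute(SAMPLE.splitlines())
    print("burst minutes:", burst_minutes(counts, threshold=3))
```

Comparing the burst minutes with the times at which S2S clients connect shows whether the errors track client load; the threshold is a value to tune per deployment.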
