Istvan Toth created ZOOKEEPER-4940:
--------------------------------------

             Summary: Enabling OCSP with JRE TLS provider errors out
                 Key: ZOOKEEPER-4940
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
             Project: ZooKeeper
          Issue Type: Bug
          Components: security
            Reporter: Istvan Toth
            Assignee: Istvan Toth

The problem is that ZK unconditionally calls *io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)* when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does not support that for the JRE provider. (For JRE, OCSP is set in the javax.net.ssl.TrustManager object.) I did not dig deep, but I presume that the OpenSSL provider ignores that, hence it needs another property.

{noformat}
[zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 2025-06-18 04:06:01,013 [myid:] - WARN [zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] - zookeeper.ssl.keyStore.location not specified
2025-06-18 04:06:01,074 [myid:] - WARN [zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to initialize a channel. Closing: [id: 0x1fac3cf9]
java.lang.IllegalArgumentException: OCSP is not supported with this SslProvider: JDK
	at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
	at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
	at org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
	at org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:750)
{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
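As an added example (not code from ZooKeeper or Netty), the guard the report calls for, in Java: Netty's enableOcsp is used only for the OpenSSL provider, and for the JRE provider OCSP revocation checking is placed on the javax.net.ssl.TrustManager through a PKIXRevocationChecker. The class and method names are hypothetical and the trust store is assumed to be supplied by the caller.

```java
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
// Hypothetical helper (not ZooKeeper code): build a Netty client SslContext that
// honours an OCSP flag such as zookeeper.ssl.ocsp=true for either provider.
public final class OcspAwareClientContext {
    public static SslContext build(boolean ocspRequested, SslProvider provider, KeyStore trustStore)
            throws Exception {
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(provider);
        if (provider == SslProvider.JDK) {
            // enableOcsp(true) throws "OCSP is not supported with this SslProvider: JDK",
            // so for the JRE provider revocation checking is configured on the TrustManager.
            return builder.trustManager(pkixTrustManagerFactory(trustStore, ocspRequested)).build();
        }
        // OpenSSL provider: Netty's own OCSP support. Fail closed instead of silently
        // skipping revocation when the loaded netty-tcnative has no OCSP support.
        if (ocspRequested && !OpenSsl.isOcspSupported()) {
            throw new IllegalStateException("OCSP requested but netty-tcnative lacks OCSP support");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // enableOcsp only requests stapling; a separate Netty OcspClientHandler verifies the staple.
        return builder.trustManager(tmf).enableOcsp(ocspRequested).build();
    }
    // JRE-side OCSP: a PKIXRevocationChecker (OCSP preferred, CRL fallback disabled)
    // attached to the PKIX TrustManager's certificate path validation parameters.
    static TrustManagerFactory pkixTrustManagerFactory(KeyStore trustStore, boolean ocsp) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        if (ocsp) {
            PKIXRevocationChecker checker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
            params.addCertPathChecker(checker);
        } else {
            params.setRevocationEnabled(false);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }
}
```

With this split, a JRE client that sets the OCSP flag gets working revocation checking instead of the IllegalArgumentException above, while a misconfigured OpenSSL build fails at startup rather than connecting without OCSP.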