[ https://issues.apache.org/jira/browse/IGNITE-16496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Kukushkin updated IGNITE-16496: -------------------------------------- Remaining Estimate: 168h Original Estimate: 168h > SSLException: closing inbound before receiving peer's close_notify > ------------------------------------------------------------------ > > Key: IGNITE-16496 > URL: https://issues.apache.org/jira/browse/IGNITE-16496 > Project: Ignite > Issue Type: Bug > Affects Versions: 2.12 > Reporter: Alexey Kukushkin > Priority: Major > Labels: cggg > Original Estimate: 168h > Remaining Estimate: 168h > > Ignite nodes output the warning below on startup when TLS protocol v1.2 is > used: > {noformat} > 2022-02-08 11:53:05.705 WARN 19384 --- [1:62095]-#4-#51] > o.a.i.spi.discovery.tcp.TcpDiscoverySpi : Failed to shutdown socket: closing > inbound before receiving peer's close_notify > javax.net.ssl.SSLException: closing inbound before receiving peer's > close_notify > at > java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745) > ~[na:na] > at > java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724) > ~[na:na] > at > org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249) > ~[ignite-core-2.12.0.jar!/:2.12.0] > at > org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370) > ~[ignite-core-2.12.0.jar!/:2.12.0] > at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58) > ~[ignite-core-2.12.0.jar!/:2.12.0] {noformat} > To reproduce the problem just start two server nodes with TLS v1.3 enabled > and the warnings will be printed in the log before the cluster is formed. > h3. Analysis > The problem _probably_ happens due to [this > code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426] > calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}} > alert, which TLS 1.2 is expecting (see [RFC > 8446|https://datatracker.ietf.org/doc/html/rfc8446#section-6]). I guess the > right approach to close an SSL socket is just calling {{Socke#close}}, which > should properly wait/send a {{close_notify}} > Some references to consider: > [JDK-8215102 Closing connection to Mysql database results in > exception|https://bugs.openjdk.java.net/browse/JDK-8215102] > [Fix for #93590 - ignore javax.net.ssl.SSLException: closing inbound before > receiving peer's close_notify on > java11+|https://github.com/mysql/mysql-connector-j/pull/32] > [JDK-8251553 Socket closure issues in migrating from JDK 8 to JDK > 11|https://bugs.openjdk.java.net/browse/JDK-8251553] -- This message was sent by Atlassian Jira (v8.20.7#820007)