[jira] [Updated] (IGNITE-16496) SSLException: closing inbound before receiving peer's close_notify

Thu, 12 May 2022 00:21:05 -0700 


     [ 
https://issues.apache.org/jira/browse/IGNITE-16496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexey Kukushkin updated IGNITE-16496:
--------------------------------------
    Remaining Estimate: 168h
     Original Estimate: 168h

> SSLException: closing inbound before receiving peer's close_notify
> ------------------------------------------------------------------
>
>                 Key: IGNITE-16496
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16496
>             Project: Ignite
>          Issue Type: Bug
>    Affects Versions: 2.12
>            Reporter: Alexey Kukushkin
>            Priority: Major
>              Labels: cggg
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Ignite nodes output the warning below on startup when TLS protocol v1.2 is 
> used:
> {noformat}
> 2022-02-08 11:53:05.705  WARN 19384 --- [1:62095]-#4-#51] 
> o.a.i.spi.discovery.tcp.TcpDiscoverySpi  : Failed to shutdown socket: closing 
> inbound before receiving peer's close_notify
> javax.net.ssl.SSLException: closing inbound before receiving peer's 
> close_notify
>    at 
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:745)
>  ~[na:na]
>    at 
> java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:724)
>  ~[na:na]
>    at 
> org.apache.ignite.internal.util.IgniteUtils.close(IgniteUtils.java:4249) 
> ~[ignite-core-2.12.0.jar!/:2.12.0]
>    at 
> org.apache.ignite.spi.discovery.tcp.ServerImpl$SocketReader.body(ServerImpl.java:7370)
>  ~[ignite-core-2.12.0.jar!/:2.12.0]
>    at org.apache.ignite.spi.IgniteSpiThread.run(IgniteSpiThread.java:58) 
> ~[ignite-core-2.12.0.jar!/:2.12.0] {noformat}
> To reproduce the problem just start two server nodes with TLS v1.3 enabled 
> and the warnings will be printed in the log before the cluster is formed.
> h3. Analysis
> The problem _probably_ happens due to  [this 
> code|https://github.com/apache/ignite/blob/2.12.0/modules/core/src/main/java/org/apache/ignite/internal/util/IgniteUtils.java#L4426]
>  calling {{Socket#shutdownInput()}} before receiving SSL {{close_notify}} 
> alert, which TLS 1.2 is expecting (see [RFC 
> 8446|https://datatracker.ietf.org/doc/html/rfc8446#section-6]). I guess the 
> right approach to close an SSL socket is just calling {{Socke#close}}, which 
> should properly wait/send a {{close_notify}}
> Some references to consider:
> [JDK-8215102 Closing connection to Mysql database results in 
> exception|https://bugs.openjdk.java.net/browse/JDK-8215102]
> [Fix for #93590 - ignore javax.net.ssl.SSLException: closing inbound before 
> receiving peer's close_notify on 
> java11+|https://github.com/mysql/mysql-connector-j/pull/32]
> [JDK-8251553 Socket closure issues in migrating from JDK 8 to JDK 
> 11|https://bugs.openjdk.java.net/browse/JDK-8251553]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to