[
https://issues.apache.org/jira/browse/IGNITE-22605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Maksim Timonin updated IGNITE-22605:
------------------------------------
Description:
There is a flaky test, it actually fails due to the bug.
{code:java}
TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
Test scenario is as follows:
# Start node A
# Try start node B with mismatching certificates
# Node B doesn't fail but starts new topology.
Logic that leads to the error:
# Node A started - create topology from single node.
# Node B is starting. Node B opens socket to node A
# Node B writes {{IGNITE_HEADER}} to the socket.
# Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
{{TcpDiscoveryHandshakeRequest}}
# Node A receives the {{{}IGNITE_HEADER{}}}, fails on SSL handshake, closes
the connection with SSL error, and doesn't receive
{{TcpDiscoveryHandshakeRequest}}
# Node B doesn't check any ack for {{IGNITE_HEADER }}and get error "socket
closed" for writing {{TcpDiscoveryHandshakeRequest}}
# Node B decides that node A doesn't exist and creates own topology
Proposal fix: In case of SSL enabled and socket failure, Node B should check
the input stream after sending {{IGNITE_HEADER }}and{{
}}{{{}TcpDiscoveryHandshakeRequest.{}}}{{{}{}}}
was:
There is a flaky test, it actually fails due to the bug.
{code:java}
TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
Case is like as following:
# Start node A
# Try start node B with mismatching certificates (check them in the test)
# Node B doesn't fail but starts new topology.
Logic that leads to the error:
# Node A started
# Node B open socket to node A
# Node B writes sequentially {{IGNITE_HEADER }}to the socket.
# Node A receives the header, fails to handshake and close the connection with
ssl error.
# Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
{{TcpDiscoveryHandshakeRequest}}
# Socket is closed from node A and then node B decides that node A doesn't
exist
# Node B creates own topology.
To fix this error, in case of SSL enabled the node B should wait for ack from
node A and check it for errors.
> Wrong certificate chain might lead to split brain
> -------------------------------------------------
>
> Key: IGNITE-22605
> URL: https://issues.apache.org/jira/browse/IGNITE-22605
> Project: Ignite
> Issue Type: Bug
> Reporter: Maksim Timonin
> Assignee: Maksim Timonin
> Priority: Major
> Labels: ise
> Fix For: 2.17
>
>
> There is a flaky test, it actually fails due to the bug.
> {code:java}
> TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
> Test scenario is as follows:
> # Start node A
> # Try start node B with mismatching certificates
> # Node B doesn't fail but starts new topology.
> Logic that leads to the error:
> # Node A started - create topology from single node.
> # Node B is starting. Node B opens socket to node A
> # Node B writes {{IGNITE_HEADER}} to the socket.
> # Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
> {{TcpDiscoveryHandshakeRequest}}
> # Node A receives the {{{}IGNITE_HEADER{}}}, fails on SSL handshake, closes
> the connection with SSL error, and doesn't receive
> {{TcpDiscoveryHandshakeRequest}}
> # Node B doesn't check any ack for {{IGNITE_HEADER }}and get error "socket
> closed" for writing {{TcpDiscoveryHandshakeRequest}}
> # Node B decides that node A doesn't exist and creates own topology
> Proposal fix: In case of SSL enabled and socket failure, Node B should check
> the input stream after sending {{IGNITE_HEADER }}and{{
> }}{{{}TcpDiscoveryHandshakeRequest.{}}}{{{}{}}}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
