[ https://issues.apache.org/jira/browse/KUDU-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Serbin updated KUDU-2145:
--------------------------------
    Affects Version/s: 1.4.1
                       1.3.2
                       1.3.0
                       1.3.1
                       1.4.0

> Bouncycastle incompatibility with Kudu master CA
> ------------------------------------------------
>
>                 Key: KUDU-2145
>                 URL: https://issues.apache.org/jira/browse/KUDU-2145
>             Project: Kudu
>          Issue Type: Bug
>          Components: master, security
>    Affects Versions: 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.4.1
>            Reporter: Mike Percy
>
> It appears that bouncycastle, at least in some cases, may be incompatible
> with the current Kudu master CA implementation. I saw the following exception
> on a Kudu 1.4 cluster in the Impala catalogd log (catalogd uses the Kudu Java
> client for DDL operations):
> {code}
> E0912 11:22:19.658434 6023 TabletClient.java:723] [Peer ] Unexpected exception from downstream on [id: 0x0c7360a9, /10.0.0.1:42103 => host.example.com/10.0.0.2:7051]
> Java exception follows:
> org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.AbstractCodecEmbedder$EmbeddedChannelPipeline.notifyHandlerException(AbstractCodecEmbedder.java:242)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:566)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder.offer(DecoderEmbedder.java:70)
>     at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
>     at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:250)
>     at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:229)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
>     at org.apache.kudu.client.shaded.org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
>     at org.apache.kudu.client.shaded.org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
>     at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
>     ... 37 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
>     at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
>     ... 42 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
>     at org.apache.kudu.client.SecurityContext$DelegatedTrustManager.checkServerTrusted(SecurityContext.java:275)
>     at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:827)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
>     ... 50 more
> Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
>     at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
>     at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
>     ... 58 more
> {code}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
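
An added triage example, not part of the original report or of Kudu's code: it walks the `Caused by` chain of a trace like the one above, names the rejected extension OID (2.5.29.37 is Extended Key Usage) and reports whether the validator that rejected the certificate was BouncyCastle's, reached through the JDK `CertPathValidator` API. The sample trace is abridged from the report; the function names and the OID table are this example's own.

```python
import re

# Constructed sample: abridged from the trace in the report above.
SAMPLE_TRACE = """\
org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
"""

# Standard X.509 extension OIDs from RFC 5280 (a small subset).
EXTENSION_NAMES = {
    "2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints", "2.5.29.37": "extendedKeyUsage",
}
CAUSE_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): ?(.*)$")
FRAME_RE = re.compile(r"^at ([\w.$<>]+)\(")
OID_RE = re.compile(r"critical extension: \[([\d., ]+)\]")

def parse_chain(text):
    """Return the exception chain, outermost first, each with its frames."""
    chain = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail-quoted and indented traces
        cause, frame = CAUSE_RE.match(line), FRAME_RE.match(line)
        if cause:
            chain.append({"cls": cause.group(1), "msg": cause.group(2), "frames": []})
        elif frame and chain:
            chain[-1]["frames"].append(frame.group(1))
    return chain

def triage(text):
    """Summarise the root cause of a certificate-path validation failure."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no exception found in trace")
    root = chain[-1]
    found = OID_RE.search(root["msg"])
    oids = [o.strip() for o in found.group(1).split(",")] if found else []
    thrower = root["frames"][0] if root["frames"] else ""
    return {
        "root_exception": root["cls"],
        "rejected_extensions": {o: EXTENSION_NAMES.get(o, "unknown") for o in oids},
        # First frame of the root cause is the code that rejected the certificate.
        "validator_is_bouncycastle": thrower.startswith("org.bouncycastle."),
        "entered_via_jdk_api": "java.security.cert.CertPathValidator.validate" in root["frames"],
    }
```

When `validator_is_bouncycastle` and `entered_via_jdk_api` are both true, the JDK trust manager's PKIX validation was served by the BouncyCastle provider rather than the JDK's own, which is the situation the trace in this report shows.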