[jira] [Commented] (ZOOKEEPER-4393) Problem to connect to zookeeper in FIPS mode

Mon, 25 Apr 2022 11:30:05 -0700 


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17527704#comment-17527704
 ] 

Guy Pascarella commented on ZOOKEEPER-4393:
-------------------------------------------

[~edipesh19], I checked out your PR and noticed it fails a bunch of unit tests. 
Do you have an update that fixes those or adds a unit test showing this fix 
working?

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Priority: Major
>
> In my environment zookeeper is running in fips mode of 3 node cluster. My 
> service is also running in fips mode with security provider 
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from the my service when I am trying to connect to zookeeper I am getting 
> the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN  
> io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to 
> initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: 
> java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers 
> may be used
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is the zookeeper has its own trust manager implementation which is 
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and jdk also provide a trust manager implementation as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements 
> X509TrustManager
> {code}
> Because of this hierarchy in SSLContextImpl::chooseTrustManager() method the 
> below instance check become false and hence it falls to the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers 
> may be used");
> }
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to