[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andor Molnar updated ZOOKEEPER-4393:
------------------------------------
    Fix Version/s: 3.9.0
                   3.8.2

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Assignee: Andor Molnar
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.9.0, 3.8.2
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My
> service is also running in FIPS mode with the security provider
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.
> When I try to connect to ZooKeeper from my service, I get the error below.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] - org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>     at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is that ZooKeeper has its own trust manager implementation:
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation, as below:
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the
> instanceof check below becomes false and hence it falls into the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)