[jira] [Updated] (ZOOKEEPER-4393) Problem to connect to zookeeper in FIPS mode

Thu, 15 Jun 2023 04:43:04 -0700 


     [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andor Molnar updated ZOOKEEPER-4393:
------------------------------------
    Fix Version/s: 3.9.0
                   3.8.2

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Assignee: Andor Molnar
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.9.0, 3.8.2
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In my environment zookeeper is running in fips mode of 3 node cluster. My 
> service is also running in fips mode with security provider 
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from the my service when I am trying to connect to zookeeper I am getting 
> the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN  
> io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to 
> initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: 
> java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers 
> may be used
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is the zookeeper has its own trust manager implementation which is 
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and jdk also provide a trust manager implementation as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements 
> X509TrustManager
> {code}
> Because of this hierarchy in SSLContextImpl::chooseTrustManager() method the 
> below instance check become false and hence it falls to the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers 
> may be used");
> }
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to