[
https://issues.apache.org/jira/browse/ZOOKEEPER-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Istvan Toth updated ZOOKEEPER-4940:
-----------------------------------
Description:
The problem is that ZK unconditionally calls
*io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does not
support that for the JRE provider.
For JRE OCSP is set in the javax.net.ssl.TrustManager object.
I did not dig deep, but I presume that the OpenSSL provider ignores that, hence
it needs another property.
-To make this even more interesting, this setting doesn't actually do anything
at all in Zookeeper.-
-Zookeeper uses netty-tcnative-boringssl-static, but this method is a NoOP for
boringSSL, it is only supported by tcnative-
-for OpenSSL.-
-(I guess in theory the consumer could replace the tcnative implementation, in
which case it would work as intended)-
{noformat}
[zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 2025-06-18
04:06:01,013 [myid:] - WARN
[zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] -
zookeeper.ssl.keyStore.location not specified
2025-06-18 04:06:01,074 [myid:] - WARN
[zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to
initialize a channel. Closing: [id: 0x1fac3cf9]
java.lang.IllegalArgumentException: OCSP is not supported with this
SslProvider: JDK
at
io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
at
io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
at
org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
at
io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at
io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at
io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
at
io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
at
io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
at
io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
at
io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
at
io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
at
io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
at
io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
at
io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
at
io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
at
io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
at
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
at
io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
at
io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:750)
{noformat}
was:
The problem is that ZK unconditionally calls
*io.netty.handler.ssl.SslContextBuilder.enableOcsp(boolean)*
when _zookeeper.ssl.ocsp_ is set to true, even though Netty explicitly does not
support that for the JRE provider.
For JRE OCSP is set in the javax.net.ssl.TrustManager object.
I did not dig deep, but I presume that the OpenSSL provider ignores that, hence
it needs another property.
To make this even more interesting, this setting doesn't actually do anything
at all in Zookeeper.
Zookeeper uses netty-tcnative-boringssl-static, but this method is a NoOP for
boringSSL, it is only supported by tcnative
for OpenSSL.
(I guess in theory the consumer could replace the tcnative implementation, in
which case it would work as intended)
{noformat}
[zk: ccycloud-1.nightly7310-og.root.comops.site:2182(CONNECTING) 0] 2025-06-18
04:06:01,013 [myid:] - WARN
[zkNetty-EpollEventLoopGroup-1-1:o.a.z.c.ClientX509Util@72] -
zookeeper.ssl.keyStore.location not specified
2025-06-18 04:06:01,074 [myid:] - WARN
[zkNetty-EpollEventLoopGroup-1-1:i.n.c.ChannelInitializer@97] - Failed to
initialize a channel. Closing: [id: 0x1fac3cf9]
java.lang.IllegalArgumentException: OCSP is not supported with this
SslProvider: JDK
at
io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:837)
at
io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:648)
at
org.apache.zookeeper.common.ClientX509Util.createNettySslContextForClient(ClientX509Util.java:93)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initSSL(ClientCnxnSocketNetty.java:449)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:438)
at
org.apache.zookeeper.ClientCnxnSocketNetty$ZKClientPipelineFactory.initChannel(ClientCnxnSocketNetty.java:424)
at
io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at
io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at
io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
at
io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
at
io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
at
io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
at
io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
at
io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
at
io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
at
io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
at
io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
at
io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
at
io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
at
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:408)
at
io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
at
io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:750)
{noformat}
> Enabling zookeeper.ssl.ocsp with JRE TLS provider errors out
> ------------------------------------------------------------
>
> Key: ZOOKEEPER-4940
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4940
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.10.0, 3.9.3
> Reporter: Istvan Toth
> Assignee: Istvan Toth
> Priority: Major
> Labels: pull-request-available
> Time Spent: 3h
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
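The failure above comes from handing a single boolean to a builder method that only one SslProvider accepts. Below is an added example, in Java since that is what ZooKeeper and Netty are written in; it is not code from ZooKeeper, Netty or the reporter, and it is not the fix from the linked pull request. It shows the guard a practitioner would want: on the native provider the flag goes to Netty's enableOcsp(), on the JDK provider it is translated into a PKIXRevocationChecker inside the javax.net.ssl.TrustManager, and a requested check that cannot be honoured fails closed instead of being dropped. The class name OcspAwareClientSslContext and the method names trustManagers and buildClientContext are hypothetical; the Netty calls (SslContextBuilder, SslProvider, OpenSsl.isAvailable(), OpenSsl.isOcspSupported()) and the JDK PKIX API are real, and the demo in main() uses the JVM's bundled cacerts file purely as a convenient non-empty trust store.

```java
// Added example, not ZooKeeper's, Netty's or the reporter's code, and not the fix from the
// linked pull request. Class and method names here are hypothetical; the Netty and JDK APIs are real.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

public final class OcspAwareClientSslContext {

    private OcspAwareClientSslContext() {}

    /**
     * TrustManagerFactory whose PKIX validator checks revocation via OCSP (CRL fallback).
     * On the JDK provider this is where OCSP has to be configured: in the
     * javax.net.ssl.TrustManager, not on the Netty SslContextBuilder.
     */
    static TrustManagerFactory trustManagers(KeyStore trustStore, boolean ocsp) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (!ocsp) {
            tmf.init(trustStore);   // SunJSSE default: chain validation only, no revocation checks
            return tmf;
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // Empty option set = OCSP first, CRL fallback, hard fail when neither is reachable.
        // Adding Option.SOFT_FAIL would turn a responder outage into "no revocation check".
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        pkix.addCertPathChecker(checker);   // a checker added here replaces the default mechanism
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    /**
     * Maps one boolean (think zookeeper.ssl.ocsp) onto whichever provider is in use,
     * without ever passing enableOcsp(true) to the JDK provider.
     */
    static SslContext buildClientContext(KeyStore trustStore, boolean ocspRequested) throws Exception {
        SslProvider provider = OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
        SslContextBuilder builder = SslContextBuilder.forClient()
                .sslProvider(provider)
                .trustManager(trustManagers(trustStore, ocspRequested));
        if (ocspRequested && provider == SslProvider.OPENSSL) {
            // enableOcsp() is the native provider's OCSP switch. Fail closed: a requested
            // security control that cannot be honoured must not be dropped silently.
            if (!OpenSsl.isOcspSupported()) {
                throw new IllegalStateException("OCSP requested but the loaded tcnative build does not support it");
            }
            builder.enableOcsp(true);
        }
        // On SslProvider.JDK the builder is left untouched; OCSP already lives in the TrustManager.
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        // 1. Reproduce the reported failure: build() rejects enableOcsp(true) on the JDK provider.
        try {
            SslContextBuilder.forClient().sslProvider(SslProvider.JDK).enableOcsp(true).build();
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        // 2. Guarded path with the same flag, using the JVM's bundled CA store as a trust store.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, null);
        }
        SslContext ctx = buildClientContext(cacerts, true);
        System.out.println("guarded: built " + ctx.getClass().getSimpleName() + " with OCSP honoured");
    }
}
```

Two caveats when adapting this. First, the two mechanisms are not the same wire behaviour: Netty's enableOcsp() concerns the native provider's handling of OCSP status in the handshake, while the JDK PKIXRevocationChecker has the client fetch the OCSP response (or a CRL) itself during chain validation; the JDK's own handshake-side switch is the jdk.tls.client.enableStatusRequestExtension system property, which is on by default in modern JDKs. Second, keep the option set empty unless you have consciously decided that an unreachable responder should degrade to "no revocation check"; SOFT_FAIL is the setting that makes an outage look like a clean bill of health.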