[JBoss JIRA] (WFLY-10795) Non-Elytron SSL configuration won't establish secure channel between worker and balancer
5:13 a.m.
[
https://issues.jboss.org/browse/WFLY-10795?page=com.atlassian.jira.plugin...
]
Jan Kašík edited comment on WFLY-10795 at 8/13/18 6:12 AM:
-----------------------------------------------------------
[~rhusar] Thanks for he quick PR! I did some prestesting which didn't go well. During
reload which follows adding security realm and its configuration (authentication and
server identity), following exception shows up:
{code}
08:42:17,822 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread
Pool -- 58) WFLYCTL0013: Operation ("add") failed - address:
([("subsystem" => "modcluster")]): java.lang.IllegalStateException:
java.io.IOException: Keystore was tampered with, or password was incorrect
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:113)
at
org.wildfly.extension.mod_cluster.ProxyConfigurationServiceConfigurator.configure(ProxyConfigurationServiceConfigurator.java:315)
at
org.wildfly.extension.mod_cluster.ModClusterSubsystemServiceHandler.installServices(ModClusterSubsystemServiceHandler.java:79)
at
org.jboss.as.clustering.controller.AddStepHandler.performRuntime(AddStepHandler.java:179)
at
org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:338)
at
org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
at
org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at
org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at
org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at
org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:384)
at
org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getStore(JSSESocketFactory.java:230)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeystore(JSSESocketFactory.java:179)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:251)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:98)
... 15 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 23 more
{code}
Again, everything works with same configuration in 7.1.
EDIT: Just came to my mind, that this might not be related...
was (Author: jkasik):
[~rhusar] Tanks for he quick PR! I did some prestesting which didn't go well. During
reload which follows adding security realm and its configuration (authentication and
server identity), following exception shows up:
{code}
08:42:17,822 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread
Pool -- 58) WFLYCTL0013: Operation ("add") failed - address:
([("subsystem" => "modcluster")]): java.lang.IllegalStateException:
java.io.IOException: Keystore was tampered with, or password was incorrect
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:113)
at
org.wildfly.extension.mod_cluster.ProxyConfigurationServiceConfigurator.configure(ProxyConfigurationServiceConfigurator.java:315)
at
org.wildfly.extension.mod_cluster.ModClusterSubsystemServiceHandler.installServices(ModClusterSubsystemServiceHandler.java:79)
at
org.jboss.as.clustering.controller.AddStepHandler.performRuntime(AddStepHandler.java:179)
at
org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:338)
at
org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
at
org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at
org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at
org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at
org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:384)
at
org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getStore(JSSESocketFactory.java:230)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeystore(JSSESocketFactory.java:179)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:251)
at
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:98)
... 15 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 23 more
{code}
Again, everything works with same configuration in 7.1.
EDIT: Just came to my mind, that this might not be related...
Non-Elytron SSL configuration won't establish secure channel
between worker and balancer
----------------------------------------------------------------------------------------
Key: WFLY-10795
URL: https://issues.jboss.org/browse/WFLY-10795
Project: WildFly
Issue Type: Bug
Components: mod_cluster
Affects Versions: No Release
Environment: Latest snapshot from ci.wildfly.org
Reporter: Jan Kašík
Assignee: Radoslav Husar
Priority: Blocker
Fix For: 14.0.0.CR1
Attachments: confs.zip
When running scenario, where connection between worker and balancer is secured with SSL,
worker fails to register on balancer.
Worker obviously tries to send INFO commands, though it sends it as a 'plain
text' to a secured channel.
I enabled SSL debugging, and such unsecured-secured communication causes this error:
{code}
09:42:20,456 INFO [stdout] (default I/O-4) Using SSLEngineImpl.
09:42:20,458 INFO [stdout] (default I/O-4) Allow unsafe renegotiation: false
09:42:20,458 INFO [stdout] (default I/O-4) Allow legacy hello messages: true
09:42:20,458 INFO [stdout] (default I/O-4) Is initial handshake: true
09:42:20,459 INFO [stdout] (default I/O-4) Is secure renegotiation: false
09:42:20,459 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
09:42:20,479 INFO [stdout] (default I/O-4) default I/O-4, fatal error: 80: problem
unwrapping net record
09:42:20,480 INFO [stdout] (default I/O-4) javax.net.ssl.SSLException: Unrecognized SSL
message, plaintext connection?
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT: fatal,
description = internal_error
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length =
2
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeInbound()
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, fatal: engine already closed.
Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeOutbound()
09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()
{code}
What bothers me, that there are no other errors (bad certificate, CLI error...) in log
regarding this. Apart from:
{code}
09:45:42,653 WARN [org.infinispan.topology.ClusterTopologyManagerImpl]
(transport-thread--p14-t16) ISPN000197: Error updating cluster member list:
org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for
responses for request 6 from wildfly-14.0.0.Beta2-SNAPSHOT-2
at
org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
at
org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
at
org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Suppressed: org.infinispan.util.logging.TraceException
at
org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
at
org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
at
org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
at
org.infinispan.topology.ClusterTopologyManagerImpl.handleClusterView(ClusterTopologyManagerImpl.java:321)
at
org.infinispan.topology.ClusterTopologyManagerImpl.access$500(ClusterTopologyManagerImpl.java:87)
at
org.infinispan.topology.ClusterTopologyManagerImpl$ClusterViewListener.lambda$handleViewChange$0(ClusterTopologyManagerImpl.java:731)
at
org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175)
at
org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37)
at
org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47)
... 1 more
{code}
Configuration using non-Elytron configuration was possible before, hence this is a
regression.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
2842
days inactive
2842
days old
0 comments
1 participants
participants (1)
-
Jan Kašík (JIRA)