Details
- Bug
- Status: Resolved
- Urgent
- Resolution: Fixed
- Degradation - Performance Bug/Regression
- Normal
- Normal
- User Report
- All
Description
We recently upgraded our production clusters from 3.11.15 to 4.1.4. We started seeing thousands of messages "Failed to get peer certificates for peer /x.x.x.x:45796". SSL is enabled but require_client_auth is disabled. This is causing a huge problem for us because Cassandra log files are growing very fast, as our connections are short-lived: we open more than 1K connections per second and they stay live for 1-2 seconds.
DEBUG [Native-Transport-Requests-2] 2024-03-31 21:26:38,026 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.23:45796
javax.net.ssl.SSLPeerUnverifiedException: peer not verified
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$DefaultOpenSslSession.getPeerCertificateChain(ReferenceCountedOpenSslEngine.java:2414)
    at io.netty.handler.ssl.ExtendedOpenSslSession.getPeerCertificateChain(ExtendedOpenSslSession.java:140)
    at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:136)
    at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:120)
    at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:76)
    at org.apache.cassandra.transport.Message$Request.execute(Message.java:255)
    at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:166)
    at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:185)
    at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:212)
    at org.apache.cassandra.transport.Dispatcher$RequestProcessor.run(Dispatcher.java:109)
    at org.apache.cassandra.concurrent.FutureTask$1.call(FutureTask.java:96)
    at org.apache.cassandra.concurrent.FutureTask.call(FutureTask.java:61)
    at org.apache.cassandra.concurrent.FutureTask.run(FutureTask.java:71)
    at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:142)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Our SSL config:
client_encryption_options:
    enabled: true
    keystore: /path/to/keystore
    keystore_password: xxxxx
    optional: false
    require_client_auth: false
We should stop throwing this message when require_client_auth is set to false. Or at least it should be logged at TRACE, not DEBUG.
I'm working on preparing a PR.
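The guard the report asks for, as an added illustration and not Cassandra's own ServerConnection code or the eventual patch: with require_client_auth: false the server never asks the client for a certificate, so SSLSession.getPeerCertificates() throws SSLPeerUnverifiedException for every anonymous connection and the lookup should be skipped rather than logged per connection. The class name, the String peer parameter and the use of java.util.logging (Cassandra uses a different logging facade) are assumptions made so the snippet compiles on its own.

```java
import java.security.cert.Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical helper; the name and signature are assumptions, not Cassandra's API.
public final class PeerCertificates
{
    private static final Logger LOG = Logger.getLogger(PeerCertificates.class.getName());

    private PeerCertificates() {}

    /**
     * Returns the client's certificate chain, or null when the client presented none.
     * When the engine neither requires (require_client_auth) nor requests client
     * authentication, no chain can exist, so the lookup and the exception it would
     * raise are avoided entirely and nothing is logged for the common case.
     */
    public static Certificate[] certificates(SSLEngine engine, String peer)
    {
        if (engine == null)
            return null;   // plaintext connection, nothing to verify

        // require_client_auth: false maps to neither need nor want client auth
        if (!engine.getNeedClientAuth() && !engine.getWantClientAuth())
            return null;

        SSLSession session = engine.getSession();
        try
        {
            return session.getPeerCertificates();
        }
        catch (SSLPeerUnverifiedException e)
        {
            // Client auth was requested but the client sent no (valid) certificate.
            // With mandatory client auth the handshake would already have failed, so
            // this is a per-connection detail: log at TRACE (FINEST here), not DEBUG,
            // to keep a high connection rate from flooding the log.
            LOG.log(Level.FINEST, "No verified peer certificates for peer " + peer, e);
            return null;
        }
    }
}
```

Callers that need the chain for certificate-based authentication still get it when client auth is configured; an anonymous client simply yields null instead of a logged stack trace.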