Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2145

Bouncycastle <= 1.52 incompatible with certificates generated by Kudu IPKI

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Information Provided
    • Affects Version/s: 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.4.1
    • Fix Version/s: n/a
    • Component/s: master, security
    • Labels:
      None

      Description

      It appears that bouncycastle, at least in some cases, may be incompatible with the current Kudu master CA implementation. I saw the following exception on a Kudu 1.4 cluster in the Impala catalogd log (catalogd uses the Kudu Java client for DDL operations):

      E0912 11:22:19.658434  6023 TabletClient.java:723] [Peer ] Unexpected exception from downstream on [id: 0x0c7360a9, /10.0.0.1:42103 => host.example.com/10.0.0.2:7051]
      Java exception follows:
      org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.AbstractCodecEmbedder$EmbeddedChannelPipeline.notifyHandlerException(AbstractCodecEmbedder.java:242)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:566)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder.offer(DecoderEmbedder.java:70)
      	at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
      	at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:250)
      	at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:229)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
      	at org.apache.kudu.client.shaded.org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
      	at org.apache.kudu.client.shaded.org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
      	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
      	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
      	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
      	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
      	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
      	... 37 more
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
      	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
      	... 42 more
      Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
      	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
      	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
      	at sun.security.validator.Validator.validate(Validator.java:260)
      	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
      	at org.apache.kudu.client.SecurityContext$DelegatedTrustManager.checkServerTrusted(SecurityContext.java:275)
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:827)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
      	... 50 more
      Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
      	at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
      	at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
      	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
      	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
      	... 58 more
      

        Attachments

          Activity

            People

            • Assignee:
              aserbin Alexey Serbin
              Reporter:
              mpercy Mike Percy
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: