Uploaded image for project: 'Kudu'
  1. Kudu
  2. KUDU-2145

Bouncycastle <= 1.52 incompatible with certificates generated by Kudu IPKI

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Information Provided
    • 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.4.1
    • n/a
    • master, security
    • None

    Description

      It appears that bouncycastle, at least in some cases, may be incompatible with the current Kudu master CA implementation. I saw the following exception on a Kudu 1.4 cluster in the Impala catalogd log (catalogd uses the Kudu Java client for DDL operations):

      E0912 11:22:19.658434  6023 TabletClient.java:723] [Peer ] Unexpected exception from downstream on [id: 0x0c7360a9, /10.0.0.1:42103 => host.example.com/10.0.0.2:7051]
Java exception follows:
org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.CodecEmbedderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.AbstractCodecEmbedder$EmbeddedChannelPipeline.notifyHandlerException(AbstractCodecEmbedder.java:242)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:566)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder.offer(DecoderEmbedder.java:70)
	at org.apache.kudu.client.Negotiator.handleTlsMessage(Negotiator.java:449)
	at org.apache.kudu.client.Negotiator.handleResponse(Negotiator.java:250)
	at org.apache.kudu.client.Negotiator.messageReceived(Negotiator.java:229)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.timeout.ReadTimeoutHandler.messageReceived(ReadTimeoutHandler.java:184)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.oneone.OneToOneDecoder.handleUpstream(OneToOneDecoder.java:70)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
	at org.apache.kudu.client.shaded.org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
	at org.apache.kudu.client.shaded.org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.apache.kudu.client.shaded.org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
	at org.apache.kudu.client.shaded.org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
	... 42 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
	at org.apache.kudu.client.SecurityContext$DelegatedTrustManager.checkServerTrusted(SecurityContext.java:275)
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:827)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
	... 50 more
Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Certificate has unsupported critical extension: [2.5.29.37]
	at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.wrapupCertF(Unknown Source)
	at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
	... 58 more

      Attachments

        Activity

          People

            aserbin Alexey Serbin
            mpercy Mike Percy
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: