Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-3939

There is not property for private key password. no cipher suites in common

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.5.7
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Zookeeper uses a key store password as a key private password for setting TLS. If we have another password for the private key we receive a strange mistake "no cipher suite in common" which is not clear.
      Full logs:

      2020-08-28 14:32:21,339 [myid:] - ERROR [nioEventLoopGroup-7-2:NettyServerCnxnFactory$CertificateVerifier@363] - Unsuccessful handshake with session 0x0
      2020-08-28 14:32:21,342 [myid:] - DEBUG [nioEventLoopGroup-7-2:NettyServerCnxn@91] - close called for sessionid:0x0
      2020-08-28 14:32:21,343 [myid:] - DEBUG [nioEventLoopGroup-7-2:NettyServerCnxn@103] - cnxns size:0
      nioEventLoopGroup-7-2, called closeOutbound()
      nioEventLoopGroup-7-2, closeOutboundInternal()
      nioEventLoopGroup-7-2, called closeInbound()
      nioEventLoopGroup-7-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      2020-08-28 14:32:21,348 [myid:] - WARN [nioEventLoopGroup-7-2:NettyServerCnxnFactory$CnxnChannelHandler@220] - Exception caught
      io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
      at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
      at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
      at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:377)
      at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
      at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
      at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
      at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
      at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
      at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
      at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
      at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
      at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
      at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
      at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
      at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
      at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281)
      at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1324)
      at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1219)
      at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1266)
      at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
      at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
      ... 17 more
      Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at sun.security.ssl.Alerts.getSSLException(Unknown Source)
      at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
      at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
      at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
      at sun.security.ssl.Handshaker.processLoop(Unknown Source)
      at sun.security.ssl.Handshaker$1.run(Unknown Source)
      at sun.security.ssl.Handshaker$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
      at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1494)
      at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1508)
      at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1392)
      ... 21 more
      

      It happens because of the code:
      https://github.com/apache/zookeeper/blob/4a2d58219b7435c3b8cdf8f7ab04b158c1900223/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L438

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              mvsavkin Maks Savkin
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: