Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
3.6.3
Description
In my environment, ZooKeeper is running in FIPS mode as a 3-node cluster. My service is also running in FIPS mode with the security provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.
When I try to connect to ZooKeeper from my service, I get the error below.
2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] - org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
    at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
    at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
The reason is that ZooKeeper has its own trust manager implementation, which is
    public class ZKTrustManager extends X509ExtendedTrustManager
and the JDK also provides a trust manager implementation, as below.
    final class X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the instanceof check below becomes false, and hence it falls through to the exception block.
    if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
        throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
    }
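The following is an added diagnostic example, not code from the ZooKeeper project or from the reporter. It reproduces the class-hierarchy point above: a custom subclass of X509ExtendedTrustManager that merely delegates to the SunJSSE trust manager is still a different class, so an identity check on the SunJSSE implementation fails for it. Because sun.security.ssl.X509TrustManagerImpl is JDK-internal and cannot be referenced with instanceof from application code, the check here compares the class name instead; the WrappingTrustManager class is a hypothetical stand-in with the same shape as ZKTrustManager, and the example assumes a JDK whose default TrustManagerFactory is SunJSSE.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

public class FipsTrustManagerCheck {

    // Fully qualified name of the SunJSSE trust manager quoted in the report.
    // The class is JDK-internal, so we compare by name rather than with instanceof.
    static final String SUNJSSE_TM = "sun.security.ssl.X509TrustManagerImpl";

    // Hypothetical stand-in with the same shape as ZKTrustManager: a subclass of
    // X509ExtendedTrustManager that delegates every decision to the JDK trust manager.
    static final class WrappingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        WrappingTrustManager(X509ExtendedTrustManager delegate) {
            this.delegate = delegate;
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkServerTrusted(chain, authType); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // True only if every trust manager is the SunJSSE implementation, i.e. would pass
    // the FIPS-mode check in SSLContextImpl::chooseTrustManager quoted in the report.
    static boolean allSunJsse(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (!SUNJSSE_TM.equals(tm.getClass().getName())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Trust managers straight from the default factory, backed by the JDK truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        TrustManager[] direct = tmf.getTrustManagers();

        // The same trust managers wrapped the way ZKTrustManager wraps them.
        TrustManager[] wrapped = new TrustManager[direct.length];
        for (int i = 0; i < direct.length; i++) {
            wrapped[i] = new WrappingTrustManager((X509ExtendedTrustManager) direct[i]);
        }

        System.out.println("direct from factory: " + direct[0].getClass().getName()
                + " -> passes SunJSSE identity check? " + allSunJsse(direct));
        System.out.println("wrapped (ZKTrustManager-style): " + wrapped[0].getClass().getName()
                + " -> passes SunJSSE identity check? " + allSunJsse(wrapped));
    }
}
```

Running this on a SunJSSE JDK prints true for the trust managers taken directly from the factory and false for the wrapped ones, which is exactly the condition that makes SSLContext.init throw KeyManagementException when SunJSSE is in FIPS mode. The allSunJsse check can be used as a pre-flight test in a FIPS deployment to confirm that whatever is passed to SSLContext.init is the provider's own trust manager rather than a wrapper.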