This repository was archived by the owner on Jan 24, 2024. It is now read-only.

@gaoran10
Contributor

Motivation

The class SslContextFactory is deprecated. If the keystore is without certHost, starting SslContextFactory will cause an error.

Execute the command below without setting the Common Name.

openssl req -new -x509 -keyout ca-key -out ca-cert -days 365

// Common Name (eg, fully qualified host name) []:sn.com

Error logs

00:00:08.086 [pulsar-io-29-13] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@7db0809a(caroot,h=[pulsar.service.com],a=[],w=[]) for SslContextFactory@44abf4db[provider=null,keyStore=file:///Volumes/shit/Workspaces/k8s/pulsar-cluster3/kop-secure5/server.keystore.jks,trustStore=file:///Volumes/shit/Workspaces/k8s/pulsar-cluster3/kop-secure5/server.truststore.jks]
00:00:08.086 [pulsar-io-29-13] INFO  org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@35820c2e(localhost,h=[server],a=[],w=[]) for SslContextFactory@44abf4db[provider=null,keyStore=file:///Volumes/shit/Workspaces/k8s/pulsar-cluster3/kop-secure5/server.keystore.jks,trustStore=file:///Volumes/shit/Workspaces/k8s/pulsar-cluster3/kop-secure5/server.truststore.jks]
00:00:08.087 [pulsar-io-29-13] WARN  io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x04d1cbb6, L:/127.0.0.1:9093 - R:/127.0.0.1:56652]
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1289) ~[org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1271) ~[org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:373) ~[org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244) ~[org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
	at io.streamnative.pulsar.handlers.kop.utils.ssl.SSLUtils.createSslEngine(SSLUtils.java:252) ~[?:?]
	at io.streamnative.pulsar.handlers.kop.KafkaChannelInitializer.initChannel(KafkaChannelInitializer.java:84) ~[?:?]
	at io.streamnative.pulsar.handlers.kop.KafkaChannelInitializer.initChannel(KafkaChannelInitializer.java:34) ~[?:?]
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:938) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [io.netty-netty-common-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [io.netty-netty-common-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500) [io.netty-netty-transport-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [io.netty-netty-common-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty-netty-common-4.1.63.Final.jar:4.1.63.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty-netty-common-4.1.63.Final.jar:4.1.63.Final]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_261]

Modification

Replace SslContextFactory with SslContextFactory.Server and add new test with new certificates.

@jiazhai jiazhai merged commit a6356b9 into master Jun 15, 2021
@jiazhai jiazhai deleted the gaoran/replace-ssl-context-factory-with-server branch June 15, 2021 01:31
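
The change described in this PR, sketched as an added example (it is not the PR's code or KoP's own): it lists the certificate-bearing aliases in the keystore, which is the condition the log above reports, then builds the engine from `SslContextFactory.Server`. The class name, the `KEYSTORE_PASSWORD` variable and the command-line paths are assumptions; jetty-util 9.4.x must be on the classpath.

```java
import org.eclipse.jetty.util.ssl.SslContextFactory;
import javax.net.ssl.SSLEngine;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

// Hypothetical class for illustration, not KoP code.
public class ServerSslEngineExample {
    // Pre-flight check: list the certificate-bearing aliases in a JKS keystore.
    static int countCertificateAliases(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) {
                System.out.printf("alias=%s keyEntry=%b%n", alias, ks.isKeyEntry(alias));
                count++;
            }
        }
        return count;
    }

    // Build the engine from SslContextFactory.Server instead of the base class.
    static SSLEngine newServerEngine(String keyStore, String trustStore, String password)
            throws Exception {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(keyStore);
        factory.setKeyStorePassword(password);
        factory.setKeyManagerPassword(password);
        factory.setTrustStorePath(trustStore);
        factory.setTrustStorePassword(password);
        factory.start(); // with the base class, the log above shows the failure in doStart()
        SSLEngine engine = factory.newSSLEngine();
        engine.setUseClientMode(false); // broker side of the handshake
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // args[0] = keystore path, args[1] = truststore path (assumed inputs)
        String password = System.getenv("KEYSTORE_PASSWORD"); // assumed variable name
        int n = countCertificateAliases(args[0], password.toCharArray());
        System.out.println(n + " certificate entries in " + args[0]);
        SSLEngine engine = newServerEngine(args[0], args[1], password);
        System.out.println("server engine ready, client mode = " + engine.getUseClientMode());
    }
}
```
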
BewareMyPower added a commit that referenced this pull request Jul 6, 2021
This PR migrates #404 and #570 because it's too hard to cherry-pick them.

In addition, since Pulsar 2.7.2.6 introduced API changes that only affected some unused classes that were removed from the master branch in #387, this PR removed them so that KoP 2.7.2.6 can remain compatible with Pulsar 2.7.0.