Avro >> mail # user >> Re: AVRO and SSL/TLS IPC calls


Re: AVRO and SSL/TLS IPC calls
Hi Connor, all,

thanks for your reply. However, I am trying to use the Netty protocol +
enforcing mutual authentication under TLS v1.2. I am almost there... but
I am stuck with an error that is difficult to debug and maybe, guys, you
have some more insights.

Following this example:

  * http://svn.apache.org/repos/asf/avro/trunk/lang/java/ipc/src/test/java/org/apache/avro/ipc/TestNettyServerWithSSL.java

I am trying to build a small toolkit that will make secure communication
between the requestor and the responder easy to deploy. For doing that,
I have some working code that initializes a keystore and uses that for
the source of trust, here's part of the code:

     // Instantiates a new responder
     Responder responder = new SpecificResponder(m_protoClass, m_protoHandler);

     // Gets a new Channel Factory
     ChannelFactory channelFactory = new NioServerSocketChannelFactory(Executors.newCachedThreadPool(), Executors.newCachedThreadPool());

     // Gets the responder
     //
     // NOTE:
     //
     // The m_trustManager is a helper class that extends NioClientSocketChannelFactory and
     // implements X509TrustManager, ChannelPipelineFactory, ChannelFactory

     m_server = new NettyServer(responder, new InetSocketAddress(m_host, m_port),
         channelFactory, (ChannelPipelineFactory) m_trustManager, null);

Internally the TrustManager implements the "*public ChannelPipeline
getPipeline()*" method as follows:

     // We need to get the pipeline
     ChannelPipeline pipeline = Channels.pipeline();

     // Set up key manager factory to use our key store
     String algor = Security.getProperty("ssl.KeyManagerFactory.algorithm");
     if (algor == null) algor = "SunX509";

     KeyManagerFactory kmf = KeyManagerFactory.getInstance(algor);
     kmf.init(m_keyStore, null);
        
     // Now let's instantiate a new SSLContext and initialize it with the
     // initialized KeyManagers
     SSLContext serverContext = SSLContext.getInstance("TLSv1.2");
     serverContext.init(kmf.getKeyManagers(), null, null);
        
     // Let's create the SSLEngine from the initialized SSLContext
     SSLEngine sslEngine = serverContext.createSSLEngine();

     // DEBUGGING code that prints out the supported and enabled Ciphersuites
     System.out.println("TrustManager::SERVER Mode::Supported Ciphersuites:");
     String[] sCipher = sslEngine.getSupportedCipherSuites();
     for (int i = 0; i < sCipher.length; i++)
     {
        System.out.println("- " + sCipher[i]);
     }
     String[] eCipher = sslEngine.getEnabledCipherSuites();
     System.out.println("TrustManager::SERVER Mode::Enabled Ciphersuites:: ");
     for (int i = 0; i < eCipher.length; i++)
     {
       System.out.println("- " + eCipher[i]);
     }

     // Set Client / Server Mode. This is needed by the application to send
     // the right messages
     sslEngine.setUseClientMode(false);

     // Adds a new SslHandler that uses the instantiated SSLEngine to the pipeline
     pipeline.addLast("ssl", new SslHandler(sslEngine));

     // Return the pipeline
     return pipeline;

everything seems to be working fine, until the client tries to connect
to the server - at that point, the server replies that there are no
common ciphersuites with the client and exits. I also tried to connect
with OpenSSL, but I get the same type of error from the server.

There is definitely something I am forgetting in the initialization of
the server, probably, but I can't find what. Here's the trace:

607 [pool-5-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, /127.0.0.1:47913 => /127.0.0.1:65000] OPEN
608 [pool-6-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, /127.0.0.1:47913 => /127.0.0.1:65000] BOUND: /127.0.0.1:65000
608 [pool-6-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, /127.0.0.1:47913 => /127.0.0.1:65000] CONNECTED: /127.0.0.1:47913
631 [pool-6-thread-1] WARN org.apache.avro.ipc.NettyServer - Unexpected exception from downstream.
*javax.net.ssl.SSLHandshakeException: no cipher suites in common*
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:938)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:656)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:286)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:208)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:94)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.processSelectedKeys(AbstractNioWorker.java:364)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:238)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:38)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
*Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common*
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1630)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
at sun.security.ssl.ServerHandshaker.pr
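One way to build the server side of this with mutual authentication, as an added example that is not code from the post or from Avro's TestNettyServerWithSSL; the class name, constructor and hasPrivateKey helper are my own, and it assumes the server's key/certificate sit in one KeyStore (as a PrivateKeyEntry) while the CA that signs client certificates sits in a separate trust store. It checks up front for the configuration that makes SunJSSE report "no cipher suites in common" on the server side: a key manager with no private key to offer, so no RSA/ECDSA suite the client proposes can be selected.

```java
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.handler.ssl.SslHandler;

// Hypothetical server-side pipeline factory (not the poster's m_trustManager): the server's
// own key/certificate and the CA used to trust clients come from two separate stores.
public class MutualTlsPipelineFactory implements ChannelPipelineFactory {
    private final SSLContext context;

    public MutualTlsPipelineFactory(KeyStore keyStore, char[] keyPassword,
                                    KeyStore trustStore) throws Exception {
        // A server whose key manager holds no PrivateKeyEntry has no credential to offer,
        // so SunJSSE rejects every suite the client proposes: "no cipher suites in common".
        if (!hasPrivateKey(keyStore)) {
            throw new IllegalStateException("key store has no private key entry");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);   // the key password, not null
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);              // CA certificate(s) that client certificates must chain to

        context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    }

    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            if (ks.entryInstanceOf(aliases.nextElement(), KeyStore.PrivateKeyEntry.class)) return true;
        }
        return false;
    }

    public ChannelPipeline getPipeline() {
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);                       // server side of the handshake
        engine.setEnabledProtocols(new String[] {"TLSv1.2"}); // no fallback to older protocol versions
        engine.setNeedClientAuth(true);                       // mutual auth: handshake fails without a trusted client cert
        ChannelPipeline pipeline = Channels.pipeline();
        pipeline.addLast("ssl", new SslHandler(engine));
        return pipeline;
    }
}
```

It plugs into the constructor shown above in place of the cast: `new NettyServer(responder, new InetSocketAddress(m_host, m_port), channelFactory, new MutualTlsPipelineFactory(serverKeyStore, keyPassword, clientTrustStore), null)`.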