
Re: AVRO and SSL/TLS IPC calls
Hi Connor, all,

thanks for your reply. However, I am trying to use the Netty protocol and
enforce mutual authentication under TLS v1.2. I am almost there... but
I am stuck with an error that is difficult to debug and maybe, guys, you
have some more insights.

Following this example:

  * http://svn.apache.org/repos/asf/avro/trunk/lang/java/ipc/src/test/java/org/apache/avro/ipc/TestNettyServerWithSSL.java

I am trying to build a small toolkit that will make secure communication
between the requestor and the responder easy to deploy. To do that,
I have some working code that initializes a keystore and uses it as
the source of trust; here's part of the code:

    // Instantiates a new responder
    Responder responder = new SpecificResponder(m_protoClass, m_protoHandler);

    // Gets a new Channel Factory
    ChannelFactory channelFactory = new NioServerSocketChannelFactory(
        Executors.newCachedThreadPool(), Executors.newCachedThreadPool());

    // Creates the server around the responder
    // NOTE:
    // The m_trustManager is a helper class that extends NioClientSocketChannelFactory and
    // implements X509TrustManager, ChannelPipelineFactory, ChannelFactory
    m_server = new NettyServer(responder, new InetSocketAddress(m_host, m_port),
        channelFactory, (ChannelPipelineFactory) m_trustManager, null);

Internally the TrustManager implements the "public ChannelPipeline
getPipeline()" method as follows:

    public ChannelPipeline getPipeline() throws Exception {
        // We need to get the pipeline
        ChannelPipeline pipeline = Channels.pipeline();

        // Set up key manager factory to use our key store
        String algor = Security.getProperty("ssl.KeyManagerFactory.algorithm");
        if (algor == null) algor = "SunX509";

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algor);
        kmf.init(m_keyStore, null);

        // Now let's instantiate a new SSLContext and initialize it with the
        // initialized KeyManagers
        SSLContext serverContext = SSLContext.getInstance("TLSv1.2");
        serverContext.init(kmf.getKeyManagers(), null, null);

        // Derive the SSLEngine from the SSLContext
        SSLEngine sslEngine = serverContext.createSSLEngine();

        // DEBUGGING code that prints out the supported and enabled Ciphersuites
        System.out.println("TrustManager::SERVER Mode::Supported Ciphersuites:");
        for (String suite : sslEngine.getSupportedCipherSuites())
            System.out.println("- " + suite);
        System.out.println("TrustManager::SERVER Mode::Enabled Ciphersuites:");
        for (String suite : sslEngine.getEnabledCipherSuites())
            System.out.println("- " + suite);

        // Set Client / Server Mode. This is needed by the application to send
        // the right messages: the engine must be in server mode before the
        // handshake starts
        sslEngine.setUseClientMode(false);

        // Adds a new SslHandler that uses the instantiated SSLEngine to the pipeline
        pipeline.addLast("ssl", new SslHandler(sslEngine));

        // Return the pipeline
        return pipeline;
    }

Everything seems to be working fine, until the client tries to connect
to the server - at that point, the server replies that there are no
common ciphersuites with the client and exits. I also tried to connect
with OpenSSL, but I get the same type of error from the server.

There is definitely something I am forgetting in the initialization of
the server, probably, but I can't find what. Here's the trace:

607 [pool-5-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, / => /] OPEN
608 [pool-6-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, / => /] BOUND: /
608 [pool-6-thread-1] INFO org.apache.avro.ipc.NettyServer - [id: 0x21c61075, / => /] CONNECTED: /
631 [pool-6-thread-1] WARN org.apache.avro.ipc.NettyServer - Unexpected exception from downstream.
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:938)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:656)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:286)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:208)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:94)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.processSelectedKeys(AbstractNioWorker.java:364)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:238)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:38)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1630)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
at sun.security.ssl.ServerHandshaker.pr
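As an added example (not the poster's code and not Avro's own), here is a stand-alone Java class that builds the same kind of server-side SSLEngine for TLSv1.2 with mutual authentication and, before the engine would be handed to Netty's SslHandler, checks the condition that most often produces "no cipher suites in common" on a Java server even when the two cipher-suite lists overlap: the key manager has no private key it can offer for any client-proposed suite (for example because the key store holds only trusted certificates, or because the key entry's password was not supplied). The class name, the key-store and trust-store paths and the "changeit" password are placeholders; the returned engine is what the post passes to new SslHandler(sslEngine).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example, not Avro project code. Builds a server-side SSLEngine for
// TLS 1.2 with mandatory client authentication and checks first that the key
// store gives the server a private key to authenticate with. Class name,
// file paths and password are placeholders.
public class ServerEngineCheck {

    // Loads a key store of the JVM's default type (JKS or PKCS12 depending on the JDK).
    static KeyStore loadKeyStore(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    // Counts private-key entries; trusted-certificate entries do not count.
    static int countPrivateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) n++;
        }
        return n;
    }

    // True if some key manager can offer a server certificate chain for at least
    // one key type. When this is false, every RSA/ECDSA suite the client proposes
    // is unusable on the server side and JSSE's ServerHandshaker reports
    // "no cipher suites in common" even though both suite lists overlap.
    static boolean hasUsableServerKey(KeyManager[] managers) {
        for (KeyManager km : managers) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            for (String keyType : new String[] {"RSA", "EC", "DSA"}) {
                String alias = x509.chooseServerAlias(keyType, null, null);
                if (alias != null && x509.getCertificateChain(alias) != null) return true;
            }
        }
        return false;
    }

    static SSLEngine newServerEngine(KeyStore keyStore, char[] keyPassword,
                                     KeyStore trustStore) throws Exception {
        String algor = Security.getProperty("ssl.KeyManagerFactory.algorithm");
        if (algor == null) algor = "SunX509";
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algor);
        // Pass the private-key entry's password, not null; the key manager cannot
        // recover the server's private key without it.
        kmf.init(keyStore, keyPassword);

        if (countPrivateKeyEntries(keyStore) == 0) {
            throw new IllegalStateException("key store holds no private-key entry (only trusted certs?)");
        }
        if (!hasUsableServerKey(kmf.getKeyManagers())) {
            throw new IllegalStateException("no server alias selectable for RSA/EC/DSA; "
                    + "handshake would fail with 'no cipher suites in common'");
        }

        // The trust managers decide which client certificates are accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);   // server role; must be set before any handshake
        engine.setNeedClientAuth(true);   // mutual auth: a missing client cert fails the handshake
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        return engine;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                    // placeholder
        KeyStore ks = loadKeyStore("server-keystore.jks", password);   // placeholder path
        KeyStore ts = loadKeyStore("server-truststore.jks", password); // placeholder path
        SSLEngine engine = newServerEngine(ks, password, ts);
        // This engine is the one that would go into Netty's SslHandler.
        System.out.println("Server engine ready, enabled suites: "
                + engine.getEnabledCipherSuites().length);
    }
}
```

Two points of the design are worth noting. The diagnostic asks the X509KeyManager directly (chooseServerAlias) rather than inspecting the enabled cipher-suite list, because the enabled list in the post's debug output looks fine even when no suite can actually be completed; the list only says which suites the engine supports, not which ones it has a key for. Setting setNeedClientAuth(true) rather than setWantClientAuth(true) is what makes the authentication mutual in the strict sense: a client that presents no certificate is rejected instead of being allowed through anonymously.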
