Thanks Milamber, I'll have to set up a test env for this and follow your advice.
I'll get back with any findings. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro ----- Original Message ----- > From: "Milamber" <milam...@apache.org> > To: dev@cloudstack.apache.org > Sent: Monday, 31 August, 2015 13:13:10 > Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL > java.io.IOException: Connection closed with > -1 on reading size > Hello, > > Perhaps an issue on SSL/TLS requirement. Check difference of the file > below (now and after the update) > > JAVA_HOME/jre/lib/security/java.security > > Particularly the keys: > jdk.certpath.disabledAlgorithms > and > jdk.tls.legacyAlgorithms > > > Also, check the keystore contains the ssl keys with the keytool command (from > the updated packages). Can you read-it, check the key size, etc. > > ==== > Some reference: > http://www.oracle.com/technetwork/java/javase/6u17-141447.html > 6861062 java classes_security Disable MD2 in certificate > chain validation > > http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html > Default x.509 Certificates Have Longer Key Length > > Starting from 7u40, the use of x.509 certificates with RSA keys less > than 1024 bits in length is restricted. This restriction is applied via > the Java Security property, jdk.certpath.disabledAlgorithms. The default > value of jdk.certpath.disabledAlgorithms is now as follows: > jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 > > In order to avoid the compatibility issue, users who use X.509 > certificates with RSA keys less than 1024 bits, are recommended to > update their certificates with stronger keys. As a workaround, at their > own risk, users can adjust the key size to permit smaller key sizes > through the security property jdk.certpath.disabledAlgorithms. > > ===== > > > > On 31/08/2015 12:11, Nux! wrote: >> Rajani, >> >> Yes, you read right. >> The rpm changelog shows: >> Tue Jul 28 2015 Andrew Hughes <gnu.and...@redhat.com> - 1:1.6.0.36-1.13.8.1 >> - Update tarball to fix TCK regression (PR2565) >> - Resolves: rhbz#1235150 >> >> * Wed Jul 22 2015 Andrew Hughes <gnu.and...@redhat.com> - 1:1.6.0.36-1.13.8.0 >> - Update to IcedTea 1.13.8 >> - Update no_pr2125.patch to work against new version. >> - Resolves: rhbz#1235150 >> >> Nothing dramatic, though I do not have permission to read those bugzilla >> entries. >> >> -- >> Sent from the Delta quadrant using Borg technology! >> >> Nux! >> www.nux.ro >> >> ----- Original Message ----- >>> From: "Rajani Karuturi" <raj...@apache.org> >>> To: dev@cloudstack.apache.org >>> Sent: Monday, 31 August, 2015 11:59:04 >>> Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL >>> java.io.IOException: Connection closed with >>> -1 on reading size >>> If I am reading it right, java 1.7 has no version change and 1.6 is changed >>> from 1.6.0.35 to 16.0.36 which caused the failure >>> >>> Interestingly, I do not see release notes for 1.6.0_36 >>> http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html >>> >>> ~Rajani >>> >>> On Mon, Aug 31, 2015 at 4:09 PM, Nux! <n...@li.nux.ro> wrote: >>> >>>> Rajani, >>>> >>>> Sure: >>>> >>>> Downgrade java-1.6.0-openjdk-1:1.6.0.35-1.13.7.1.el6_6.x86_64 @base >>>> Downgraded 1:1.6.0.36-1.13.8.1.el6_7.x86_64 >>>> @updates >>>> Downgrade java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64 >>>> @updates >>>> Downgraded 1:1.7.0.85-2.6.1.3.el6_7.x86_64 >>>> @updates >>>> Downgrade java-1.7.0-openjdk-devel-1:1.7.0.85-2.6.1.3.el6_6.x86_64 >>>> @updates >>>> Downgraded 1:1.7.0.85-2.6.1.3.el6_7.x86_64 >>>> @updates >>>> >>>> The differences seem trivial and there's always the risk it may not have >>>> been the java change at all doing this, but I do not know what else could >>>> have triggered it. >>>> >>>> -- >>>> Sent from the Delta quadrant using Borg technology! >>>> >>>> Nux! >>>> www.nux.ro >>>> >>>> ----- Original Message ----- >>>>> From: "Rajani Karuturi" <raj...@apache.org> >>>>> To: dev@cloudstack.apache.org >>>>> Sent: Monday, 31 August, 2015 11:21:45 >>>>> Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init >>>> SSL java.io.IOException: Connection closed with >>>>> -1 on reading size >>>>> Hi Lucian, >>>>> Can you share the point release numbers of java before and after the >>>>> upgrade? (May be that would help us find the issue.) >>>>> >>>>> ~Rajani >>>>> >>>>> On Mon, Aug 31, 2015 at 3:42 PM, Nux! <n...@li.nux.ro> wrote: >>>>> >>>>>> A downgrade of both java-1.6.0-openjdk and java-1.7.0-openjdk followed >>>> by >>>>>> a reboot of the management server seems to have fixed it, but it's not a >>>>>> solution I like very much. >>>>>> >>>>>> Anyone has any clues as to what causes that error? >>>>>> >>>>>> Lucian >>>>>> >>>>>> -- >>>>>> Sent from the Delta quadrant using Borg technology! >>>>>> >>>>>> Nux! >>>>>> www.nux.ro >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Nux!" <n...@li.nux.ro> >>>>>>> To: "dev" <dev@cloudstack.apache.org> >>>>>>> Sent: Monday, 31 August, 2015 10:58:16 >>>>>>> Subject: Hypervisors disconnected - java.io.IOException Fail to init >>>> SSL >>>>>> java.io.IOException: Connection closed with -1 >>>>>>> on reading size >>>>>>> Hi, >>>>>>> >>>>>>> Has anyone seen this before and can translate to English? The logs >>>> don't >>>>>> say >>>>>>> much, it's obviously SSL related somehow. >>>>>>> >>>>>>> The agent says: >>>>>>> >>>>>>> java.io.IOException: SSL: Fail to init SSL! java.io.IOException: >>>>>> Connection >>>>>>> closed with -1 on reading size. >>>>>>> at com.cloud.utils.nio.NioClient.init(NioClient.java:87) >>>>>>> at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111) >>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>> 2015-08-31 10:27:56,315 INFO [utils.nio.NioClient] >>>> (Agent-Selector:null) >>>>>>> Connecting to 192.168.168.2:8250 >>>>>>> >>>>>>> 2015-08-31 10:28:06,333 ERROR [utils.nio.NioConnection] >>>>>> (Agent-Selector:null) >>>>>>> Unable to initialize the threads. >>>>>>> java.io.IOException: SSL: Fail to init SSL! java.io.IOException: >>>>>> Connection >>>>>>> closed with -1 on reading size. >>>>>>> at com.cloud.utils.nio.NioClient.init(NioClient.java:87) >>>>>>> at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111) >>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>> >>>>>>> openssl s_client -connect 192.168.168.2:8250 just hangs with >>>>>>> "CONNECTED(00000003)" >>>>>>> >>>>>>> >>>>>>> This happened after a java openjdk (1.6.0 and 1.7.0) and httpd updates >>>>>> from >>>>>>> CentOs6. >>>>>>> >>>>>>> Obviously the hypervisors are in disconnected state and no VM >>>> operation >>>>>> is >>>>>>> possible etc. >>>>>>> >>>>>>> Thoughts? >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Sent from the Delta quadrant using Borg technology! >>>>>>> >>>>>>> Nux! > >>>>>> www.nux.ro
