[
https://issues.apache.org/jira/browse/IGNITE-22605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Maksim Timonin updated IGNITE-22605:
------------------------------------
Description:
There is a flaky test, it actually fails due to the bug.
{code:java}
TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
Case is like as following:
# Start node A
# Try start node B with mismatching certificates (check them in the test)
# Node B doesn't fail but starts new topology.
Logic that leads to the error:
# Node A started
# Node B open socket to node A
# Node B writes sequentially {{IGNITE_HEADER }}to the socket.
# Node A receives the header, fails to handshake and close the connection with
ssl error.
# Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
{{TcpDiscoveryHandshakeRequest}}
# Socket is closed from node A and then node B decides that node A doesn't
exist
# Node B creates own topology.
To fix this error, in case of SSL enabled the node B should wait for ack from
node A and check it for errors.
was:
There is a flaky test
{code:java}
TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
Connection might close on writing header or message to the open socket. It
might happen due to a recipient ultimately closes connection on SSL handshake.
In a such case sender decides that connection can't be established due to no
alive nodes are exist. It starts creating own topology instead of failing with
SSL error.
Instead, node should additionally check a socket for SSL errors.
> Wrong certificate chain might lead to split brain
> -------------------------------------------------
>
> Key: IGNITE-22605
> URL: https://issues.apache.org/jira/browse/IGNITE-22605
> Project: Ignite
> Issue Type: Bug
> Reporter: Maksim Timonin
> Assignee: Maksim Timonin
> Priority: Major
> Labels: ise
> Fix For: 2.17
>
>
> There is a flaky test, it actually fails due to the bug.
> {code:java}
> TcpDiscoverySslTrustedUntrustedTest#testMismatchingCaFirst{code}
> Case is like as following:
> # Start node A
> # Try start node B with mismatching certificates (check them in the test)
> # Node B doesn't fail but starts new topology.
> Logic that leads to the error:
> # Node A started
> # Node B open socket to node A
> # Node B writes sequentially {{IGNITE_HEADER }}to the socket.
> # Node A receives the header, fails to handshake and close the connection
> with ssl error.
> # Node B doesn't read any ack after sending {{IGNITE_HEADER}} and tries send
> {{TcpDiscoveryHandshakeRequest}}
> # Socket is closed from node A and then node B decides that node A doesn't
> exist
> # Node B creates own topology.
> To fix this error, in case of SSL enabled the node B should wait for ack from
> node A and check it for errors.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
