accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ACCUMULO-3065) Improve client and server diagnostics when mismatched SSL configuration
Date Mon, 18 Aug 2014 17:30:18 GMT
Josh Elser created ACCUMULO-3065:
------------------------------------

             Summary: Improve client and server diagnostics when mismatched SSL configuration
                 Key: ACCUMULO-3065
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3065
             Project: Accumulo
          Issue Type: Improvement
          Components: client, rpc
    Affects Versions: 1.6.0
            Reporter: Josh Elser


While playing with SSL configured RPC, I often found myself in the situation where I would
deploy a secure Accumulo without setting up {{.accumulo/config}}, or have my client set up
to connect with SSL, and the server was running unencrypted RPC.

The former isn't too bad, but you get this very unintuitive error about "Server: XXX.XXX.XXX.XXX
had twenty failures in the past..." after a few seconds. It's not straightforward in saying
"the server requires SSL, but you didn't provide SSL credentials".

The bad side is when the client is providing SSL and the server is not expecting it. Because
of the very quick retry on a failed connection by the client, getting a Connector can act
as a denial of service attack against the tserver, quickly causing it to OOME.

Backing off on the client-side retries would be desirable, in addition to adding some more
"smarts" so that the client can know the difference between a handshake failure and a general
server error.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message