cloudstack-dev mailing list archives

From Milamber <milam...@apache.org>
Subject Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size
Date Mon, 31 Aug 2015 12:13:10 GMT
Hello,

Perhaps an issue with an SSL/TLS requirement. Check the difference in the file
below (now and after the update):

JAVA_HOME/jre/lib/security/java.security

Particularly the keys:
jdk.certpath.disabledAlgorithms
and
jdk.tls.legacyAlgorithms


Also, check that the keystore contains the SSL keys with the keytool command (from the updated
packages). Can you read it, check the key size, etc.

====
Some references:
http://www.oracle.com/technetwork/java/javase/6u17-141447.html
6861062     java     classes_security     Disable MD2 in certificate chain validation

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html
Default x.509 Certificates Have Longer Key Length

Starting from 7u40, the use of x.509 certificates with RSA keys less 
than 1024 bits in length is restricted. This restriction is applied via 
the Java Security property, jdk.certpath.disabledAlgorithms. The default 
value of jdk.certpath.disabledAlgorithms is now as follows:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

In order to avoid the compatibility issue, users who use X.509 
certificates with RSA keys less than 1024 bits, are recommended to 
update their certificates with stronger keys. As a workaround, at their 
own risk, users can adjust the key size to permit smaller key sizes 
through the security property jdk.certpath.disabledAlgorithms.

=====



On 31/08/2015 12:11, Nux! wrote:
> Rajani,
>
> Yes, you read right.
> The rpm changelog shows:
> * Tue Jul 28 2015 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.6.0.36-1.13.8.1
> - Update tarball to fix TCK regression (PR2565)
> - Resolves: rhbz#1235150
>
> * Wed Jul 22 2015 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.6.0.36-1.13.8.0
> - Update to IcedTea 1.13.8
> - Update no_pr2125.patch to work against new version.
> - Resolves: rhbz#1235150
>
> Nothing dramatic, though I do not have permission to read those bugzilla entries.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Rajani Karuturi" <rajani@apache.org>
>> To: dev@cloudstack.apache.org
>> Sent: Monday, 31 August, 2015 11:59:04
>> Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size
>>
>> If I am reading it right, java 1.7 has no version change and 1.6 is changed
>> from 1.6.0.35 to 16.0.36 which caused the failure
>>
>> Interestingly, I do not see release notes for 1.6.0_36
>> http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
>>
>> ~Rajani
>>
>> On Mon, Aug 31, 2015 at 4:09 PM, Nux! <nux@li.nux.ro> wrote:
>>
>>> Rajani,
>>>
>>> Sure:
>>>
>>> Downgrade  java-1.6.0-openjdk-1:1.6.0.35-1.13.7.1.el6_6.x86_64        @base
>>> Downgraded                    1:1.6.0.36-1.13.8.1.el6_7.x86_64        @updates
>>> Downgrade  java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64         @updates
>>> Downgraded                    1:1.7.0.85-2.6.1.3.el6_7.x86_64         @updates
>>> Downgrade  java-1.7.0-openjdk-devel-1:1.7.0.85-2.6.1.3.el6_6.x86_64   @updates
>>> Downgraded                          1:1.7.0.85-2.6.1.3.el6_7.x86_64   @updates
>>>
>>> The differences seem trivial and there's always the risk it may not have
>>> been the java change at all doing this, but I do not know what else could
>>> have triggered it.
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
>>>
>>> ----- Original Message -----
>>>> From: "Rajani Karuturi" <rajani@apache.org>
>>>> To: dev@cloudstack.apache.org
>>>> Sent: Monday, 31 August, 2015 11:21:45
>>>> Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size
>>>>
>>>> Hi Lucian,
>>>> Can you share the point release numbers of java before and after the
>>>> upgrade? (May be that would help us find the issue.)
>>>>
>>>> ~Rajani
>>>>
>>>> On Mon, Aug 31, 2015 at 3:42 PM, Nux! <nux@li.nux.ro> wrote:
>>>>
>>>>> A downgrade of both java-1.6.0-openjdk and java-1.7.0-openjdk followed by
>>>>> a reboot of the management server seems to have fixed it, but it's not a
>>>>> solution I like very much.
>>>>>
>>>>> Does anyone have any clues as to what causes that error?
>>>>>
>>>>> Lucian
>>>>>
>>>>> --
>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>
>>>>> Nux!
>>>>> www.nux.ro
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Nux!" <nux@li.nux.ro>
>>>>>> To: "dev" <dev@cloudstack.apache.org>
>>>>>> Sent: Monday, 31 August, 2015 10:58:16
>>>>>> Subject: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Has anyone seen this before and can translate to English? The logs don't say
>>>>>> much, it's obviously SSL related somehow.
>>>>>>
>>>>>> The agent says:
>>>>>>
>>>>>> java.io.IOException: SSL: Fail to init SSL! java.io.IOException: Connection closed with -1 on reading size.
>>>>>>        at com.cloud.utils.nio.NioClient.init(NioClient.java:87)
>>>>>>        at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111)
>>>>>>        at java.lang.Thread.run(Thread.java:745)
>>>>>> 2015-08-31 10:27:56,315 INFO  [utils.nio.NioClient] (Agent-Selector:null) Connecting to 192.168.168.2:8250
>>>>>>
>>>>>> 2015-08-31 10:28:06,333 ERROR [utils.nio.NioConnection] (Agent-Selector:null) Unable to initialize the threads.
>>>>>> java.io.IOException: SSL: Fail to init SSL! java.io.IOException: Connection closed with -1 on reading size.
>>>>>>        at com.cloud.utils.nio.NioClient.init(NioClient.java:87)
>>>>>>        at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111)
>>>>>>        at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>> openssl s_client -connect 192.168.168.2:8250 just hangs with
>>>>>> "CONNECTED(00000003)"
>>>>>>
>>>>>>
>>>>>> This happened after a java openjdk (1.6.0 and 1.7.0) and httpd updates from
>>>>>> CentOS 6.
>>>>>>
>>>>>> Obviously the hypervisors are in disconnected state and no VM operation is
>>>>>> possible etc.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>
>>>>>> Nux!
>>>>>> www.nux.ro
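
The check suggested in the reply at the top of this thread (compare `jdk.certpath.disabledAlgorithms` and `jdk.tls.legacyAlgorithms` before and after the update, then test the keystore's RSA key size against the result), written out as an added example that is not part of the original messages. The two sample files, their values and the function names are constructed for illustration; point `OLD` and `NEW` at real copies of `java.security` to use it.

```shell
#!/bin/sh
# get_prop FILE KEY: print KEY's value, joining backslash-continued lines.
# Assumes the "key=value" form (no spaces around "=") quoted in the thread.
get_prop() {
    awk -v key="$2" '
        !cont && /^[ \t]*#/ { next }    # skip comment lines
        {
            line = $0
            if (cont) { sub(/^[ \t]+/, "", line); val = val line }
            else if (index(line, key "=") == 1) { val = substr(line, length(key) + 2) }
            else { next }
            if (val ~ /\\$/) { sub(/\\$/, "", val); cont = 1 }
            else { print val; exit }
        }' "$1"
}

# rsa_min_keysize VALUE: print N from an "RSA keySize < N" constraint, or 0.
rsa_min_keysize() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*RSA keySize *< *\([0-9][0-9]*\).*/\1/p')
    echo "${n:-0}"
}

# rsa_key_rejected FILE BITS: succeed if an RSA key of BITS bits is disabled.
rsa_key_rejected() {
    min=$(rsa_min_keysize "$(get_prop "$1" jdk.certpath.disabledAlgorithms)")
    [ "$2" -lt "$min" ]
}

# changed_props OLD NEW: report the two properties whose values differ.
changed_props() {
    for key in jdk.certpath.disabledAlgorithms jdk.tls.legacyAlgorithms; do
        old=$(get_prop "$1" "$key"); new=$(get_prop "$2" "$key")
        [ "$old" = "$new" ] ||
            printf '%s\n  before: %s\n  after:  %s\n' "$key" "${old:-<unset>}" "${new:-<unset>}"
    done
}

# Constructed sample files standing in for java.security before/after the update.
WORK=$(mktemp -d)
OLD="$WORK/java.security.before"; NEW="$WORK/java.security.after"
cat > "$OLD" <<'EOF'
# constructed sample, not a real JDK default
jdk.certpath.disabledAlgorithms=MD2
EOF
cat > "$NEW" <<'EOF'
# constructed sample, not a real JDK default
jdk.certpath.disabledAlgorithms=MD2, \
    RSA keySize < 1024
jdk.tls.legacyAlgorithms=RC4_128, RC4_40
EOF
changed_props "$OLD" "$NEW"
rsa_key_rejected "$NEW" 512 && echo "512-bit RSA key: rejected by the new policy"
```

The bit length passed to `rsa_key_rejected` is the one read from the keystore with keytool, as the reply suggests.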

