cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajani Karuturi <Rajani.Karut...@citrix.com>
Subject Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException: Connection closed with -1 on reading size
Date Fri, 04 Sep 2015 05:24:22 GMT
Nux,
We had the same issue on an internal instance. It turned out to be an issue with java-1.7.0-openjdk.x86_64
1:1.7.0.85-2.6.1.3.el6_7
Downgrading it to java-1.7.0-openjdk.x86_64 1:1.7.0.85-2.6.1.3.el6_6 fixed.

Java version number is same in both the rpms. only the last digit is different. I don’t
understand that format but el6_6 worked fine.

~Rajani



On 31-Aug-2015, at 5:50 pm, Nux! <nux@li.nux.ro<mailto:nux@li.nux.ro>> wrote:

Thanks Milamber,

I'll have to set up a test env for this and follow your advice.

I'll get back with any findings.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro<http://www.nux.ro>

----- Original Message -----
From: "Milamber" <milamber@apache.org>
To: dev@cloudstack.apache.org
Sent: Monday, 31 August, 2015 13:13:10
Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL java.io.IOException:
Connection closed with
-1 on reading size

Hello,

Perhaps an issue on SSL/TLS requirement. Check difference of the file
below (now and after the update)

JAVA_HOME/jre/lib/security/java.security

Particularly the keys:
jdk.certpath.disabledAlgorithms
and
jdk.tls.legacyAlgorithms


Also, check the keystore contains the ssl keys with the keytool command (from
the updated packages). Can you read-it, check the key size, etc.

====
Some reference:
http://www.oracle.com/technetwork/java/javase/6u17-141447.html
6861062     java     classes_security     Disable MD2 in certificate
chain validation

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html
Default x.509 Certificates Have Longer Key Length

Starting from 7u40, the use of x.509 certificates with RSA keys less
than 1024 bits in length is restricted. This restriction is applied via
the Java Security property, jdk.certpath.disabledAlgorithms. The default
value of jdk.certpath.disabledAlgorithms is now as follows:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

In order to avoid the compatibility issue, users who use X.509
certificates with RSA keys less than 1024 bits, are recommended to
update their certificates with stronger keys. As a workaround, at their
own risk, users can adjust the key size to permit smaller key sizes
through the security property jdk.certpath.disabledAlgorithms.

=====



On 31/08/2015 12:11, Nux! wrote:
Rajani,

Yes, you read right.
The rpm changelog shows:
 Tue Jul 28 2015 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.6.0.36-1.13.8.1
- Update tarball to fix TCK regression (PR2565)
- Resolves: rhbz#1235150

* Wed Jul 22 2015 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.6.0.36-1.13.8.0
- Update to IcedTea 1.13.8
- Update no_pr2125.patch to work against new version.
- Resolves: rhbz#1235150

Nothing dramatic, though I do not have permission to read those bugzilla
entries.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
From: "Rajani Karuturi" <rajani@apache.org>
To: dev@cloudstack.apache.org
Sent: Monday, 31 August, 2015 11:59:04
Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init SSL
java.io.IOException: Connection closed with
-1 on reading size
If I am reading it right, java 1.7 has no version change and 1.6 is changed
from 1.6.0.35 to 16.0.36 which caused the failure

Interestingly, I do not see release notes for 1.6.0_36
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

~Rajani

On Mon, Aug 31, 2015 at 4:09 PM, Nux! <nux@li.nux.ro> wrote:

Rajani,

Sure:

Downgrade  java-1.6.0-openjdk-1:1.6.0.35-1.13.7.1.el6_6.x86_64      @base
Downgraded                    1:1.6.0.36-1.13.8.1.el6_7.x86_64
@updates
Downgrade  java-1.7.0-openjdk-1:1.7.0.85-2.6.1.3.el6_6.x86_64
 @updates
Downgraded                    1:1.7.0.85-2.6.1.3.el6_7.x86_64
 @updates
Downgrade  java-1.7.0-openjdk-devel-1:1.7.0.85-2.6.1.3.el6_6.x86_64
@updates
Downgraded                          1:1.7.0.85-2.6.1.3.el6_7.x86_64
@updates

The differences seem trivial and there's always the risk it may not have
been the java change at all doing this, but I do not know what else could
have triggered it.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
From: "Rajani Karuturi" <rajani@apache.org>
To: dev@cloudstack.apache.org
Sent: Monday, 31 August, 2015 11:21:45
Subject: Re: Hypervisors disconnected - java.io.IOException Fail to init
SSL java.io.IOException: Connection closed with
-1 on reading size
Hi Lucian,
Can you share the point release numbers of java before and after the
upgrade? (May be that would help us find the issue.)

~Rajani

On Mon, Aug 31, 2015 at 3:42 PM, Nux! <nux@li.nux.ro> wrote:

A downgrade of both java-1.6.0-openjdk and java-1.7.0-openjdk followed
by
a reboot of the management server seems to have fixed it, but it's not a
solution I like very much.

Anyone has any clues as to what causes that error?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
From: "Nux!" <nux@li.nux.ro>
To: "dev" <dev@cloudstack.apache.org>
Sent: Monday, 31 August, 2015 10:58:16
Subject: Hypervisors disconnected - java.io.IOException Fail to init
SSL
java.io.IOException: Connection closed with -1
on reading size
Hi,

Has anyone seen this before and can translate to English? The logs
don't
say
much, it's obviously SSL related somehow.

The agent says:

java.io.IOException: SSL: Fail to init SSL! java.io.IOException:
Connection
closed with -1 on reading size.
      at com.cloud.utils.nio.NioClient.init(NioClient.java:87)
      at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111)
      at java.lang.Thread.run(Thread.java:745)
2015-08-31 10:27:56,315 INFO  [utils.nio.NioClient]
(Agent-Selector:null)
Connecting to 192.168.168.2:8250

2015-08-31 10:28:06,333 ERROR [utils.nio.NioConnection]
(Agent-Selector:null)
Unable to initialize the threads.
java.io.IOException: SSL: Fail to init SSL! java.io.IOException:
Connection
closed with -1 on reading size.
      at com.cloud.utils.nio.NioClient.init(NioClient.java:87)
      at com.cloud.utils.nio.NioConnection.run(NioConnection.java:111)
      at java.lang.Thread.run(Thread.java:745)

openssl s_client -connect 192.168.168.2:8250 just hangs with
"CONNECTED(00000003)"


This happened after a java openjdk (1.6.0 and 1.7.0) and httpd updates
from
CentOs6.

Obviously the hypervisors are in disconnected state and no VM
operation
is
possible etc.

Thoughts?


--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message