DataStax Help Center

Unable to use SSL with Java 7 on latest Ubuntu

Brief Description

There is a known issue when enabling SSL encryption on clusters running Java 7 on versions of Ubuntu with the latest security updates. Specifically, the issue occurs when OpsCenter attempts to connect to an SSL-enabled DSE server (client-to-node encryption). The solution is to upgrade any affected clusters to Java 8.

Background

Ubuntu has released a security update for all of its current releases to address some known SSL-related security exploits. The Ubuntu security notes are here:

http://www.ubuntu.com/usn/usn-2959-1/

For security reasons, this update prevents OpenSSL from allowing keys smaller than 1024 bytes. Java 7 defaults to a key size of 768, which causes SSL handshakes to fail. This issue is known to affect OpsCenter and may manifest itself in other areas as well.

In OpsCenter, the bug will cause the following errors to display in each log:

OpsCenter

2016-05-06 15:01:51+0000 [wk_dev] WARN: HTTP request https://52.71.125.153:61621/dse-performance-status? failed: [<twisted.python.failure.Failure <class 'OpenSSL.SSL.Error'>>]
2016-05-06 15:01:51+0000 [wk_dev] ERROR: Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/opscenterd/WebServer.py", line 3530, in ServicesController
AgentRequestFailure: Failed query to https://52.71.125.153:61621/dse-performance-status? : [<twisted.python.failure.Failure <class 'OpenSSL.SSL.Error'>>]

Agent

WARN [qtp1011149982-127934] 2016-05-06 15:00:00,099 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
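
To see which agents are hitting this failure, the two log signatures above can be matched programmatically. The following is an added example, not DataStax code: the function names are hypothetical and the sample lines are constructed from the ones shown above, using documentation-range addresses.

```python
import re
from collections import Counter

# OpsCenter side: an HTTPS request to an agent that failed with OpenSSL.SSL.Error.
OPSC_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* \[(?P<cluster>[^\]]+)\] WARN: "
    r"HTTP request https://(?P<agent>[^/\s]+)/\S* failed: .*OpenSSL\.SSL\.Error"
)
# Agent side: the JVM logging the fatal handshake_failure alert.
AGENT_RE = re.compile(
    r"javax\.net\.ssl\.SSLException: Received fatal alert: handshake_failure"
)

def failing_agents(opscenterd_lines):
    """Count OpenSSL.SSL.Error request failures per (cluster, agent host:port)."""
    hits = Counter()
    for line in opscenterd_lines:
        m = OPSC_RE.match(line)
        if m:
            hits[(m.group("cluster"), m.group("agent"))] += 1
    return hits

def agent_handshake_failures(agent_lines):
    """Count handshake_failure alerts in a single agent log."""
    return sum(1 for line in agent_lines if AGENT_RE.search(line))

# Constructed sample lines (192.0.2.0/24 is a documentation range).
_TLS = "[<twisted.python.failure.Failure <class 'OpenSSL.SSL.Error'>>]"
_REFUSED = "[<twisted.python.failure.Failure <class 'twisted.internet.error.ConnectionRefusedError'>>]"
_URL = "WARN: HTTP request https://192.0.2.%d:61621/dse-performance-status? failed: "
SAMPLE_OPSCENTERD = [
    "2016-05-06 15:01:51+0000 [wk_dev] " + _URL % 10 + _TLS,
    "2016-05-06 15:01:52+0000 [wk_dev] " + _URL % 11 + _TLS,
    "2016-05-06 15:02:51+0000 [wk_dev] " + _URL % 10 + _TLS,
    "2016-05-06 15:02:52+0000 [wk_dev] " + _URL % 12 + _REFUSED,  # not a TLS failure
]
SAMPLE_AGENT = [
    "WARN [qtp1011149982-127934] 2016-05-06 15:00:00,099 "
    "javax.net.ssl.SSLException: Received fatal alert: handshake_failure",
    "INFO [main] 2016-05-06 15:00:01,000 constructed unrelated line",
]

if __name__ == "__main__":
    for (cluster, agent), n in sorted(failing_agents(SAMPLE_OPSCENTERD).items()):
        print(f"{cluster} {agent}: {n} OpenSSL.SSL.Error failure(s)")
    print("agent handshake_failure alerts:", agent_handshake_failures(SAMPLE_AGENT))
```

Agents that appear in the OpsCenter-side count and also log handshake_failure on their own side are the ones to check against the requirements listed under Workaround.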

Workaround

This bug should only affect users who meet the following requirements:

  • Running agents with Java 7
  • Running DSE 4.6/4.7/4.8
  • Running Ubuntu
  • Have applied the Ubuntu security patches from May 2016
  • Have client to node encryption enabled

If you fall into this category, the workaround is to upgrade the version of Java the agents are using to Java 8. If you are on any release newer than 4.6.5, DSE will support Java 8 and it can be upgraded across the system for both DSE and agents. If you are on a release before 4.6.5 or are uncomfortable upgrading the version of Java DSE is using, you can install Java 8 separately and use that only for agents without changing DSE. Instructions for pointing agents at a specific Java install are here:

http://docs.datastax.com/en/latest-opscenter/opsc/install/opscCustomVariables_t.html

 
