Opened 12 years ago
Closed 9 years ago
#665 closed defect (fixed)
IZ3005: jgdi SSL connections from one client jvm to different SGE cluster might not work
Reported by: | rhierlmeier | Owned by: | |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | sge | Version: | 6.2 |
Severity: | minor | Keywords: | Sun jgdi |
Cc: |
Description
[Imported from gridengine issuezilla http://gridengine.sunsource.net/issues/show_bug.cgi?id=3005]
```
Issue #: 3005
Platform: Sun
Reporter: rhierlmeier (rhierlmeier)
Component: gridengine
OS: All
Subcomponent: jgdi
Version: 6.2
CC: None defined
Status: NEW
Priority: P2
Resolution:
Issue type: DEFECT
Target milestone: ---
Assigned to: andre (andre)
QA Contact: andre
URL:
* Summary: jgdi SSL connections from one client jvm to different SGE cluster might not work
Status whiteboard:
Attachments:
Issue 3005 blocks:
Votes for issue 3005:
Opened: Sun Apr 19 22:34:00 -0700 2009
------------------------
```

If one jvm opens several jgdi connections to different qmasters at nearly the same time, the SSL certificate validation can fail, even if valid keystores and certificates are used. The user sees the following error message:

```
Caused by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
```

The problem is a bug in class com.sun.grid.jgdi.management.SSLHelper. The following member variables must not be declared static:

```java
public final class SSLHelper {
    ...
    private static SSLContext ctx;
    private static final GECAKeyManager keyManager = new GECAKeyManager();
    private static final GECATrustManager trustManager = new GECATrustManager();
    private static final Lock lock = new ReentrantLock();
    ...
}
```

However, they are static and hence each jgdi connection gets the same SSLContext for a short time frame. This is not a security vulnerability; because the SSLContext is mixed up, the SSL validation always fails.
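The non-static state the report asks for can be sketched with standard JSSE classes. This is an added example, not SGE's `SSLHelper` or the fix that closed this ticket: `PerClusterSsl`, `contextFor` and the cluster names are hypothetical, and a plain `TrustManagerFactory` over an empty in-memory store stands in for `GECAKeyManager`/`GECATrustManager` and the real cluster CA keystores.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not SGE code): one SSLContext per cluster, no static SSL state.
public final class PerClusterSsl {
    private final Map<String, SSLContext> contexts = new ConcurrentHashMap<>();

    // Build a context whose trust managers see only this cluster's CA store.
    private static SSLContext build(KeyStore caStore) {
        try {
            String alg = TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
            tmf.init(caStore);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot build SSLContext", e);
        }
    }

    // computeIfAbsent is atomic per key, so threads connecting to different
    // clusters at the same moment never receive each other's context.
    public SSLContext contextFor(String cluster, KeyStore caStore) {
        return contexts.computeIfAbsent(cluster, c -> build(caStore));
    }

    public static void main(String[] args) throws Exception {
        PerClusterSsl ssl = new PerClusterSsl();
        Map<String, SSLContext> seen = new ConcurrentHashMap<>();
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            String cluster = (i % 2 == 0) ? "cluster-a" : "cluster-b"; // constructed names
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // constructed: empty store in place of the cluster CA store
            workers[i] = new Thread(() -> {
                SSLContext ctx = ssl.contextFor(cluster, ks);
                SSLContext prev = seen.putIfAbsent(cluster, ctx);
                if (prev != null && prev != ctx) throw new AssertionError("context changed");
            });
            workers[i].start();
        }
        for (Thread t : workers) t.join();
        // The two clusters must not share a context object.
        System.out.println(seen.get("cluster-a") != seen.get("cluster-b"));
    }
}
```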
Change History (1)
comment:1 Changed 9 years ago by dlove
- Resolution set to fixed
- Severity set to minor
- Status changed from new to closed
AA-2009-04-22-0