Opened 9 years ago

Closed 5 years ago

#665 closed defect (fixed)

IZ3005: jgdi SSL connections from one client jvm to different SGE cluster might not work

Reported by: rhierlmeier Owned by:
Priority: high Milestone:
Component: sge Version: 6.2
Severity: minor Keywords: Sun jgdi
Cc:

Description

[Imported from gridengine issuezilla http://gridengine.sunsource.net/issues/show_bug.cgi?id=3005]

Issue #: 3005
Platform: Sun
Reporter: rhierlmeier (rhierlmeier)
Component: gridengine
OS: All
Subcomponent: jgdi
Version: 6.2
CC: None defined
Status: NEW
Priority: P2
Resolution:
Issue type: DEFECT
Target milestone: ---
Assigned to: andre (andre)
QA Contact: andre
URL:
Summary: jgdi SSL connections from one client jvm to different SGE cluster might not work
Status whiteboard:
Attachments:
Issue 3005 blocks:
Votes for issue 3005:


   Opened: Sun Apr 19 22:34:00 -0700 2009 
------------------------


If one JVM opens several jgdi connections to different qmasters at nearly the same time, the SSL certificate validation can fail, even if
valid keystores and certificates are used.

The user sees the following error message:

Caused by javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)


The problem is a bug in class com.sun.grid.jgdi.management.SSLHelper. The following member
variables must not be declared static:

import javax.net.ssl.SSLContext;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

public final class SSLHelper {
...
    // static: shared by every jgdi connection in the JVM, which is the defect
    private static SSLContext ctx;
    private static final GECAKeyManager keyManager = new GECAKeyManager();
    private static final GECATrustManager trustManager = new GECATrustManager();
    private static final Lock lock = new ReentrantLock();
...
}

However, they are static, and hence every jgdi connection in the JVM shares the same SSLContext for a short time frame.

This is not a security vulnerability, because when the SSLContext is mixed up the SSL validation always fails.
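The interleaving behind the report, as an added example that is not part of the ticket or the jgdi code base: the trust manager, cluster CA names and helper classes below are constructed stand-ins (no real TLS handshake takes place), but the class shapes mirror the quoted SSLHelper. The static helper locks only its initialisation, so a second connection can re-initialise the shared trust state before the first connection's handshake validates the server certificate; the per-connection helper cannot be disturbed that way.

```java
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

/** Constructed stand-in for a trust manager: accepts exactly one CA name (not GECATrustManager). */
final class ClusterTrust {
    private volatile String trustedCa;              // written by init, read by the handshake

    void init(String ca) { trustedCa = ca; }

    boolean validate(String presentedCa) { return presentedCa.equals(trustedCa); }
}

/** Same shape as the quoted SSLHelper: one static trust state for the whole JVM. */
final class StaticSslHelper {
    private static final ClusterTrust trust = new ClusterTrust();
    private static final Lock lock = new ReentrantLock();

    /** Initialisation is locked, but the handshake runs after the lock is released. */
    static boolean connect(String clusterCa, Runnable otherConnectionMeanwhile) {
        lock.lock();
        try {
            trust.init(clusterCa);
        } finally {
            lock.unlock();
        }
        otherConnectionMeanwhile.run();   // a second connection may re-init the shared state here
        return trust.validate(clusterCa); // handshake: validate this cluster's server certificate
    }
}

/** The fix the ticket asks for: trust state per connection, nothing static. */
final class PerConnectionSslHelper {
    private final ClusterTrust trust = new ClusterTrust();

    boolean connect(String clusterCa, Runnable otherConnectionMeanwhile) {
        trust.init(clusterCa);
        otherConnectionMeanwhile.run();   // another helper instance cannot touch this trust state
        return trust.validate(clusterCa);
    }
}

public class Iz3005Demo {
    public static void main(String[] args) {
        // Deterministic version of the race: A initialises, B initialises, then A handshakes.
        boolean staticResult = StaticSslHelper.connect("CA-cluster-A",
                () -> StaticSslHelper.connect("CA-cluster-B", () -> {}));
        System.out.println("static helper, connection A validated: " + staticResult);

        PerConnectionSslHelper helperA = new PerConnectionSslHelper();
        PerConnectionSslHelper helperB = new PerConnectionSslHelper();
        boolean instanceResult = helperA.connect("CA-cluster-A",
                () -> helperB.connect("CA-cluster-B", () -> {}));
        System.out.println("per-connection helper, connection A validated: " + instanceResult);
    }
}
```

Compile and run with `javac Iz3005Demo.java && java Iz3005Demo`. The static helper reports `false` for connection A, because by the time A validates, the shared state holds cluster B's CA; the per-connection helper reports `true`. The failure is fail-closed, which is why the ticket classifies it as a defect rather than a security vulnerability: the mix-up never makes a certificate from the wrong cluster validate, it only makes the right one fail.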

Change History (1)

comment:1 Changed 5 years ago by dlove

  • Resolution set to fixed
  • Severity set to minor
  • Status changed from new to closed

AA-2009-04-22-0
