
Apache HttpClient does not respect TLS configuration

Open mgranderath opened this issue 1 year ago • 2 comments

During our attempted upgrade to 1.1.0 we noticed that some calls from the controller to the servers were failing due to TLS issues. We have 2-way TLS configured for our clusters and after investigation it seems like the Apache Http clients do not use the configured key/trust stores but just pick up the system defaults.

Error

2024/06/04 17:00:56.849 WARN [MultiHttpRequest] [async-task-thread-6181] Caught 'javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' while executing: GET on URL: https://{{server}}/tables/{{table}}/segments/{{segment}}/metadata?columns=
2024/06/04 17:00:56.849 ERROR [CompletionServiceHelper] [grizzly-http-server-6] Connection error . Details: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

mgranderath avatar Jun 19 '24 07:06 mgranderath

This seems to be due to two concrete issues:

  • We are not configuring the SSLConnectionSocketFactory correctly whenever we create a PoolingHttpClientConnectionManager and that defaults to creating the default socket factory
  • There is a bug in the version of the Apache httpcomponents-client that is being used where the default SocketFactory is always used instead of using the SSLConnectionSocketFactory. The bug is located here.

mgranderath avatar Jun 19 '24 10:06 mgranderath
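
The first point in the comment above, shown as an added example that is not part of the original thread and is not Pinot's code: a pooled client whose connection manager is given an explicit `SSLConnectionSocketFactory` built from the configured key and trust stores. It assumes Apache HttpClient 4.5.x; the class name, the single shared store password and the `STORE_PASSWORD` variable are hypothetical.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class, not Pinot code. Assumes Apache HttpClient 4.5.x on the classpath.
public final class MutualTlsClientExample {

  static CloseableHttpClient build(File keyStore, File trustStore, char[] password) throws Exception {
    // Key material is the client certificate; trust material replaces the JVM default CAs.
    SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, password, password)
        .loadTrustMaterial(trustStore, password)
        .build();
    // Default hostname verification stays enabled with this constructor.
    SSLConnectionSocketFactory tls = new SSLConnectionSocketFactory(sslContext);

    // A connection manager built without a registry uses the system-default TLS socket factory,
    // and HttpClientBuilder.setSSLContext()/setSSLSocketFactory() are not applied once
    // setConnectionManager() is called, so the factory has to be registered here.
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", tls)
        .build();
    PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager(registry);
    return HttpClients.custom().setConnectionManager(pool).build();
  }

  // Usage: java MutualTlsClientExample <keystore> <truststore> <https-url>
  // STORE_PASSWORD is a placeholder environment variable for this example.
  public static void main(String[] args) throws Exception {
    char[] password = System.getenv("STORE_PASSWORD").toCharArray();
    try (CloseableHttpClient client = build(new File(args[0]), new File(args[1]), password);
         CloseableHttpResponse response = client.execute(new HttpGet(args[2]))) {
      System.out.println(response.getStatusLine());
    }
  }
}
```

A handshake that still fails with `PKIX path building failed` after this wiring points at the contents of the trust store rather than at which store the client loaded.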

cc @zhtaoxiang @soumitra-st

Jackie-Jiang avatar Jun 20 '24 18:06 Jackie-Jiang

This issue has been resolved and verified against the clusters we are running now. Thank you!

ilamhs avatar Nov 06 '24 20:11 ilamhs