I am attempting to start up Ignite with TLS mode turned on as described in Ignite's documentation. This is working but when I try to connect a Thin Client the server reports the error below:
Handshake header check failed: 493
I have created a rootCA .pfx file that serves as the KeyStore in the Server's SslContextFactory. The server starts up fine and logs the expected message according to the documentation:
Security status [authentication=off, tls/ssl=on]
The problem comes in when I start a Thin Client with SSL settings. I created a pfx file for the client from the rootCA that is being used as the KeyStore for the server. I specify the path and password to the client's pfx file in the SslStreamFactory for the client. When the client calls Ignition.StartClient() it immediately reports the error below:
Received an unexpected EOF or 0 bytes from the transport stream
At the same time the Server log reports this error:
native error: java.io.IOException: Handshake header check failed: 493
    at org.apache.ignite.internal.processors.odbc.ClientMessage.readFrom(ClientMessage.java:186)
    at org.apache.ignite.internal.processors.odbc.ClientListenerNioMessageParser.decode(ClientListenerNioMessageParser.java:66)
    at org.apache.ignite.internal.util.nio.GridNioCodecFilter.onMessageReceived(GridNioCodecFilter.java:113)
    at org.apache.ignite.internal.util.nio.GridNioFilterAdapter.proceedMessageReceived(GridNioFilterAdapter.java:109)
    at org.apache.ignite.internal.util.nio.GridNioServer$HeadFilter.onMessageReceived(GridNioServer.java:3753)
    at org.apache.ignite.internal.util.nio.GridNioFilterChain.onMessageReceived(GridNioFilterChain.java:175)
    at org.apache.ignite.internal.util.nio.GridNioServer$DirectNioClientWorker.processRead(GridNioServer.java:1379)
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.processSelectedKeysOptimized(GridNioServer.java:2527)
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.bodyInternal(GridNioServer.java:2282)
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.body(GridNioServer.java:1911)
    at org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:125)
    at java.base/java.lang.Thread.run(Unknown Source)
What is the cause of these errors? When I remove the SslStreamFactory from the Client's configuration it connects without issue.
I was able to get the full stack trace from the client and see that it's failing in the SslStream.AuthenticateAsClient() code:
    at System.Net.Security.SslStream.d__1761.MoveNext()
    at System.Threading.Tasks.ValueTask1.get_Result()
    at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
    at System.Net.Security.SslStream.d__1751.MoveNext()
    at System.Net.Security.SslStream.d__172.MoveNext()
    at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Apache.Ignite.Core.Client.SslStreamFactory.Create(Stream stream, String targetHost)
    at Apache.Ignite.Core.Impl.Client.ClientSocket.GetSocketStream(Socket socket, IgniteClientConfiguration cfg, String host)
    at Apache.Ignite.Core.Impl.Client.ClientSocket..ctor(IgniteClientConfiguration clientConfiguration, EndPoint endPoint, String host, Nullable1 version, Action1 topVerCallback, Marshaller marshaller)
    at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.Connect(SocketEndpoint endPoint)
    at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket.GetNextSocket()
    at Apache.Ignite.Core.Impl.Client.ClientFailoverSocket..ctor(IgniteClientConfiguration config, Marshaller marsh, TransactionsClient transactions)
    at Apache.Ignite.Core.Impl.Client.IgniteClient..ctor(IgniteClientConfiguration clientConfiguration)
    at Apache.Ignite.Core.Ignition.StartClient(IgniteClientConfiguration clientConfiguration)
SSL/TLS is not enabled on the server, so you get the handshake error - the server interprets the client data without encryption.
You have enabled SSL/TLS for inter-node communication, but not for the thin client connector.
Please follow the SSL/TLS for Thin Clients and JDBC/ODBC section on the same documentation page.
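
The fix the answer describes, sketched as Spring XML server configuration (an added example, not from the original post or the Ignite documentation). File paths and passwords are placeholders, and the PKCS12 store types are an assumption based on the question's use of .pfx files:

```xml
<!-- Added example: placeholder paths and passwords, not values from the question. -->
<bean class="org.apache.ignite.configuration.IgniteConfiguration">
    <!-- Before: on its own, this secures node-to-node traffic only.
         The thin client port keeps expecting the plaintext protocol. -->
    <property name="sslContextFactory">
        <bean class="org.apache.ignite.ssl.SslContextFactory">
            <property name="keyStoreFilePath" value="/path/to/server.pfx"/>
            <property name="keyStorePassword" value="CHANGE_ME"/>
            <property name="keyStoreType" value="PKCS12"/>
            <property name="trustStoreFilePath" value="/path/to/trust.pfx"/>
            <property name="trustStorePassword" value="CHANGE_ME"/>
            <property name="trustStoreType" value="PKCS12"/>
        </bean>
    </property>

    <!-- After: also enable TLS on the thin client / JDBC / ODBC connector. -->
    <property name="clientConnectorConfiguration">
        <bean class="org.apache.ignite.configuration.ClientConnectorConfiguration">
            <property name="sslEnabled" value="true"/>
            <!-- true (the default) reuses the node-level sslContextFactory above;
                 set false and give this bean its own sslContextFactory to use
                 a separate certificate for client connections. -->
            <property name="useIgniteSslContextFactory" value="true"/>
            <!-- Optional: require a client certificate (mutual TLS).
                 The default is false. -->
            <property name="sslClientAuthRequired" value="true"/>
        </bean>
    </property>
</bean>
```

With `sslClientAuthRequired` set to `true`, the certificate in the client's pfx file must chain to a CA present in the server's trust store, otherwise the TLS handshake is rejected.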