Details
Description
I am unable to connect to the query service API using TLS and HTTP/2 due to HTTP/2 protocol errors. I can connect OK when using http:// (it's not using HTTP/2 in that case), and I can also connect OK when forcing the use of HTTP/1.1.
The issue is reproducible in curl, Go (via Sync Gateway), and Firefox (as Error code: NS_ERROR_NET_INADEQUATE_SECURITY).
I'm running the 6.5.0 beta 2 (Build 4380) on CentOS 7 in a 2 node cluster, and using the default self-signed certificates. The issue is not seen with the same setup under 6.0.3.
I have uploaded cbcollects here:
- https://s3.amazonaws.com/cb-customers/cb-bbrks/collectinfo-2019-11-20T170223-ns_1%4010.112.195.101.zip
- https://s3.amazonaws.com/cb-customers/cb-bbrks/collectinfo-2019-11-20T170223-ns_1%4010.112.195.102.zip
Let me know if you need any more information! This is reproducible quite easily given the following curl command:
Error seen via cURL
$ curl -kv https://10.112.195.101:18093/query/service
* Trying 10.112.195.101...
* TCP_NODELAY set
* Connected to 10.112.195.101 (10.112.195.101) port 18093 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-SHA
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=10.112.195.101
* start date: Jan 1 00:00:00 2013 GMT
* expire date: Dec 31 23:59:59 2049 GMT
* issuer: CN=Couchbase Server 2f0b6597
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb811806600)
> GET /query/service HTTP/2
> Host: 10.112.195.101:18093
> User-Agent: curl/7.54.0
> Accept: */*
>
* http2 error: Remote peer returned unexpected data while we expected SETTINGS frame. Perhaps, peer does not support HTTP/2 properly.
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (16) Error in the HTTP2 framing layer
Error not seen via cURL when forcing HTTP/1.1
$ curl --http1.1 -kv https://10.112.195.101:18093/query/service
* Trying 10.112.195.101...
* TCP_NODELAY set
* Connected to 10.112.195.101 (10.112.195.101) port 18093 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-SHA
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=10.112.195.101
* start date: Jan 1 00:00:00 2013 GMT
* expire date: Dec 31 23:59:59 2049 GMT
* issuer: CN=Couchbase Server 2f0b6597
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /query/service HTTP/1.1
> Host: 10.112.195.101:18093
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Content-Length: 260
< Content-Type: application/json; version=2.0.0-N1QL
< Date: Wed, 20 Nov 2019 18:25:26 GMT
<
{
"requestID": "2027f72e-d91d-44b0-bd49-cd2c38d7c105",
"errors": [{"code":1050,"msg":"No statement or prepared value"}],
"status": "fatal",
"metrics": {"elapsedTime": "41.047µs","executionTime": "33.959µs","resultCount": 0,"resultSize": 0,"errorCount": 1}
}
* Connection #0 to host 10.112.195.101 left intact
Issue seen from Sync Gateway
2019-11-20T18:21:49.601Z [DBG] RetryLoop retrying GetIndexMeta for index sg_access_x1 after 400 ms.
2019-11-20 18:21:50.010634 I | protocol error: received *http2.GoAwayFrame before a SETTINGS frame
2019-11-20T18:21:50.010Z [WRN] Error from GetIndexMeta: Post https://10.112.195.101:18093/query/service: connection error: PROTOCOL_ERROR will retry -- base.(*CouchbaseBucketGoCB).GetIndexMeta.func1() at bucket_n1ql.go:293
2019-11-20T18:21:50.010Z [DBG] RetryLoop retrying GetIndexMeta for index sg_access_x1 after 800 ms.
2019-11-20 18:21:50.814552 I | protocol error: received *http2.GoAwayFrame before a SETTINGS frame
2019-11-20T18:21:50.814Z [WRN] Error from GetIndexMeta: Post https://10.112.195.102:18093/query/service: connection error: PROTOCOL_ERROR will retry -- base.(*CouchbaseBucketGoCB).GetIndexMeta.func1() at bucket_n1ql.go:293
Issue Links
- depends on: MB-27595 configure tlsconfig correctly for query service for http/2 (Closed)