io.netty.handler.ssl.NotSslRecordException


  • {{cqlsh --ssl}} does not work with python 2.6.9. Please refer to [CASSANDRA-7973|https://issues.apache.org/jira/browse/CASSANDRA-7973] for full details. The reason is that SSLSocket in ssl.py does not override connect_ex() in 2.6.x. So the server throws this exception:

    {code}
    INFO 05:07:23 Unexpected exception during request; channel = [id: 0x6ce43cee, /127.0.0.1:37617 => /127.0.0.1:9042]
    io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 030000000500000000
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:860) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollSocketChannel$EpollSocketUnsafe.epollInReady(EpollSocketChannel.java:722) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:326) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:264) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
    {code}

    You can also verify it with openssl. The following commands convert a java keystore called _.keystore_ into an openssl valid certificate and key and then launch a test server that provides debug information, including all the data that it receives:

    {code}
    keytool -importkeystore -srckeystore .keystore -destkeystore keystore.p12 -deststoretype PKCS12
    openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
    openssl s_server -accept 9042 -cert cert.pem -key key.pem -debug
    {code}

    Replacing connect_ex() with connect() fixes the problem, for example in the asyncorereactor:

    {code}
    stefania@mia:~/git/cstar/python-driver$ git diff diff --git a/cassandra/io/asyncorereactor.py b/cassandra/io/asyncorereactor.py index ef687c3..9abf41c 100644 --- a/cassandra/io/asyncorereactor.py +++ b/cassandra/io/asyncorereactor.py @@ -217,7 +217,8 @@ class AsyncoreConnection(Connection, asyncore.dispatcher): self.connected = False self.connecting = True self.socket.settimeout(1.0) - err = self.socket.connect_ex(address) + self.socket.connect(address) + err = 0 if err in (EINPROGRESS, EALREADY, EWOULDBLOCK) \ or err == EINVAL and os.name in ('nt', 'ce'): raise ConnectionException("Timed out connecting to %s" % (address[0]))
    {code}

    Obviously the fix is required for all connections and you need to sort out the err properly.

    The problem does not appear in python 2.7.x because SSLSocket does override connect_ex() as well as connect(). If you decide not to support python 2.6.x then you need to update [the documentation|http://datastax.github.io/python-driver/installation.html] as it clearly states 2.6.x at the moment.
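    Review bot: with `err = 0` hard-coded after `self.socket.connect(address)`, the `if err in (EINPROGRESS, EALREADY, EWOULDBLOCK)` check that follows can never be true, so the `ConnectionException("Timed out connecting to %s" ...)` branch is dead code. `connect()` reports failure by raising (`socket.error`, or `socket.timeout` given the `settimeout(1.0)` above) rather than returning an errno, so wrap the call in try/except, translate those exceptions into `ConnectionException`, and drop the `err` variable and its check; the same handling is then needed wherever else the driver calls `connect_ex()`.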
    via by Stefania Alborghetti
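The hex dump in the exception message is the first data the TLS listener received, so it shows what the client sent in place of a ClientHello. The following is an added example, not code from the report or from the driver: it extracts that dump from a Netty log line and classifies it as a TLS record, plaintext HTTP, or a plaintext CQL native protocol v3+ request header (going beyond the single case in the report). The names `classify` and `diagnose` are hypothetical, and every sample except the dump from the report is constructed.

```python
import re
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2 ** 14 + 2048  # largest fragment a TLS 1.2 record may carry
# Request opcodes from the CQL native protocol specification (subset).
CQL_REQUEST_OPCODES = {0x01: "STARTUP", 0x05: "OPTIONS", 0x07: "QUERY", 0x09: "PREPARE",
                       0x0A: "EXECUTE", 0x0B: "REGISTER", 0x0D: "BATCH", 0x0F: "AUTH_RESPONSE"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ", b"OPTIONS ")
HEX_IN_LOG = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")


def classify(data):
    """Return (kind, detail) for the first bytes a TLS listener received."""
    if len(data) >= 5:
        # TLS record header: content type, version major/minor, fragment length.
        ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
        if ctype in TLS_TYPES and major == 3 and minor <= 4 and length <= MAX_TLS_RECORD:
            return "tls", "%s record, version 3.%d, %d bytes" % (TLS_TYPES[ctype], minor, length)
    if data.startswith(HTTP_METHODS):
        return "http", data.split(b" ", 1)[0].decode("ascii")
    # CQL v3+ request header: version, flags, stream (2 bytes), opcode, body length.
    if len(data) >= 9 and data[0] in (3, 4, 5):
        version, _flags, stream, opcode, length = struct.unpack(">BBhBI", data[:9])
        if opcode in CQL_REQUEST_OPCODES:
            name = CQL_REQUEST_OPCODES[opcode]
            return "cql", "v%d %s stream=%d body=%d" % (version, name, stream, length)
    return "unknown", data[:16].hex()


def diagnose(log_line):
    """Extract the hex dump from a NotSslRecordException message and classify it."""
    match = HEX_IN_LOG.search(log_line)
    if match is None:
        return None
    hex_dump = match.group(1)
    if len(hex_dump) % 2:  # tolerate a dump truncated mid-byte by the log pipeline
        hex_dump = hex_dump[:-1]
    return classify(bytes.fromhex(hex_dump))


if __name__ == "__main__":
    prefix = "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    print(diagnose(prefix + "030000000500000000"))              # dump from the report
    print(diagnose(prefix + "474554202f20485454502f312e310d0a"))  # constructed sample
    print(classify(bytes.fromhex("1603010200010001fc0303")))    # constructed sample
```

For the dump in the report this returns a CQL v3 OPTIONS request with an empty body, meaning the client wrote protocol data in cleartext to the TLS port without performing a handshake.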
  • Direct proxy forces SSL
    via GitHub by igorspasic
  • GitHub comment 1720#225439007
    via GitHub by buchgr
  • how to start gremlin server with ssl enabled
    via by Kevin Wang