Couchbase Java SDK 3.3.1 throws java.lang.NullPointerException if SSL is enabled in a FIPS environment

The Couchbase SDK 3.31 throws the following exception in the FIPS-enabled environment. Note that this issue only occurs when SSL is enabled; the SDK works fine when SSL is disabled.
OS: RHEL8.6
We enabled FIPS with the following:
fips-mode-setup --enable

01/03/2023 17:47:50.543907 CST cb-events (io) WARNING: [com.couchbase.io][GenericFailureDetectedEvent] Detected Exception in IO Layer: null, Cause: (none) {"coreId":"0x56977ea700000001","local":"/15.116.78.52:46594","remote":"15.116.70.184/15.116.70.184:11207"}
java.lang.NullPointerException
at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.startAuthSequence(SaslAuthenticationHandler.java:201)
at com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.channelActive(SaslAuthenticationHandler.java:188)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at com.couchbase.client.core.io.netty.kv.SaslListMechanismsHandler.channelActive(SaslListMechanismsHandler.java:153)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at com.couchbase.client.core.io.netty.kv.ErrorMapLoadingHandler.channelActive(ErrorMapLoadingHandler.java:152)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at com.couchbase.client.core.io.netty.kv.FeatureNegotiatingHandler.channelActive(FeatureNegotiatingHandler.java:168)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at com.couchbase.client.core.deps.io.netty.handler.ssl.SslHandler.channelActive(SslHandler.java:2147)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at com.couchbase.client.core.deps.io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at com.couchbase.client.core.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at com.couchbase.client.core.deps.io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895)
at com.couchbase.client.core.deps.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.fulfillConnectPromise(AbstractEpollChannel.java:658)
at com.couchbase.client.core.deps.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.finishConnect(AbstractEpollChannel.java:691)
at com.couchbase.client.core.deps.io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe.epollOutReady(AbstractEpollChannel.java:567)
at com.couchbase.client.core.deps.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:477)
at com.couchbase.client.core.deps.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:385)
at com.couchbase.client.core.deps.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:995)
at com.couchbase.client.core.deps.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at com.couchbase.client.core.deps.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)

Hi @chenming, welcome to the Couchbase Forum!

Your JVM is refusing to create a SASL client for the PLAIN authentication mechanism. When TLS is enabled, the Couchbase Java SDK always uses PLAIN because the channel is already secure.

I looked at the SDK code and did not see a way to force the client to use SCRAM-SHA even when TLS is enabled. Tracking this issue as JVMCBC-1181.

If you have a Couchbase Enterprise Subscription Agreement, please escalate this issue by filing a support ticket referencing JVMCBC-1181.

Thanks,
David
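
A diagnostic for the condition described in the reply above, as an added example that is not part of the original post and not Couchbase SDK code: it asks the JVM for a PLAIN SASL client through the standard `javax.security.sasl` API and lists the SASL client factories the installed security providers offer. It assumes the SDK obtains its PLAIN client through that same JDK API; the class name, credentials, protocol and server name are placeholders.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class SaslMechanismCheck {  // hypothetical class name

    // Returns null when no registered provider can build a client for the mechanism.
    static SaslClient tryCreate(String mechanism) throws SaslException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("placeholder-user");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("placeholder-pass".toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        return Sasl.createSaslClient(new String[] {mechanism}, null,
                "couchbase", "localhost", Collections.emptyMap(), handler);
    }

    // Lists "provider: mechanism" for every SaslClientFactory service the JVM exposes.
    static List<String> clientFactories() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SaslClientFactory".equals(s.getType())) {
                    found.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws SaslException {
        System.out.println("SASL client factories: " + clientFactories());
        SaslClient plain = tryCreate("PLAIN");
        System.out.println("PLAIN client: " + (plain == null ? "null (unavailable in this JVM)" : "available"));
    }
}
```

Run it with the same JVM and `java.security` configuration as the application, on both the FIPS-enabled host and a non-FIPS host, and compare the two outputs.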


Thanks for your prompt reply.