When attempting to access a Dell ECS S3 bucket via Greenplum PXF using the s3a protocol on port 9020, queries fail and return the following SSL exception:
ERROR: PXF server error : getFileStatus on s3a://#####/#####.csv: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Unsupported or unrecognized SSL message: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Unsupported or unrecognized SSL message: Unsupported or unrecognized SSL message (seg3 ##.##.##.##:#### pid=12345)
...
Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:457)
...
Note: The connection may have previously succeeded when using the older, deprecated s3:// protocol via the legacy Greenplum S3 extension.
Database: Greenplum Database
Component: Platform Extension Framework (PXF)
Storage: Dell ECS S3
Protocol: S3A (s3a://)
This error occurs due to a protocol mismatch on the target port.
According to Dell ECS architecture, port 9020 is explicitly reserved for unencrypted HTTP traffic, whereas port 9021 is reserved for secure HTTPS traffic.
Because the PXF s3a connector defaults to using HTTPS, it attempts to initiate a secure TLS/SSL handshake on port 9020. The ECS server responds with a plain HTTP message, which the Java SSL socket cannot parse, resulting in the Unsupported or unrecognized SSL message error. The legacy s3:// protocol succeeded previously because it defaulted to plain HTTP.
To resolve this issue, you must align the PXF S3A configuration with the protocol expected by the ECS port. You can do this by explicitly forcing the PXF connection to use HTTP instead of HTTPS.
Apply the following modifications to your PXF server configuration file (e.g., minio-site.xml or s3-site.xml depending on your server naming convention):
Step 1: Disable SSL for the S3A connection
Add the fs.s3a.connection.ssl.enabled property and set it to false:
<property>
<name>fs.s3a.connection.ssl.enabled</name>
<value>false</value>
</property>
Step 2: Explicitly define the HTTP scheme in the endpoint (if Step 1 is insufficient)
If the endpoint property does not specify a protocol scheme, update fs.s3a.endpoint to explicitly include the http:// prefix:
<property>
<name>fs.s3a.endpoint</name>
<value>http://<ECS_SERVER>:9020</value>
</property>
Step 3: Sync and restart PXF
After saving the changes to your configuration file, you must sync the configuration across the Greenplum cluster and restart the PXF service for the changes to take effect:
pxf cluster sync
pxf cluster restart
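Alternative: The steps above leave traffic between PXF and ECS unencrypted, because port 9020 carries plain HTTP. If your security policies require an encrypted connection, instead change the endpoint port in your PXF configuration from 9020 to 9021 and ensure SSL remains enabled.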
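The following check is an added example, not part of the original article or of PXF. It reads a PXF server configuration and reports when the scheme the S3A client will use disagrees with the ECS port convention described above. The function names and the host ecs.example.internal are constructed for illustration. It assumes SSL is enabled unless fs.s3a.connection.ssl.enabled is set to false, and that a scheme written in fs.s3a.endpoint takes precedence over that property.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Port convention stated on this page for Dell ECS S3.
ECS_PORT_SCHEME = {9020: "http", 9021: "https"}


def effective_endpoint(site_xml: str):
    """Return (scheme, host, port) that an S3A client would use for this config."""
    props = {
        p.findtext("name", "").strip(): p.findtext("value", "").strip()
        for p in ET.fromstring(site_xml).iter("property")
    }
    endpoint = props.get("fs.s3a.endpoint", "")
    # Assumption: SSL is on unless the property is explicitly "false".
    ssl_on = props.get("fs.s3a.connection.ssl.enabled", "true").lower() != "false"
    if "://" not in endpoint:
        # Assumption: with no scheme in the endpoint, the SSL flag decides it.
        endpoint = ("https" if ssl_on else "http") + "://" + endpoint
    url = urlsplit(endpoint)
    port = url.port or (443 if url.scheme == "https" else 80)
    return url.scheme, url.hostname, port


def audit(site_xml: str):
    """Return a list of findings; an empty list means scheme and port agree."""
    scheme, host, port = effective_endpoint(site_xml)
    findings = []
    expected = ECS_PORT_SCHEME.get(port)
    if expected and expected != scheme:
        findings.append(f"MISMATCH: {scheme} client against ECS port {port} ({expected} listener)")
    if scheme == "http":
        findings.append(f"PLAINTEXT: traffic to {host}:{port} is not encrypted")
    return findings


# Constructed sample: endpoint without a scheme and no SSL property (the failing case).
FAILING = """<configuration>
  <property><name>fs.s3a.endpoint</name><value>ecs.example.internal:9020</value></property>
</configuration>"""

# Constructed sample: the encrypted alternative on port 9021.
ENCRYPTED = FAILING.replace(":9020", ":9021")

if __name__ == "__main__":
    for label, xml in (("failing", FAILING), ("encrypted", ENCRYPTED)):
        print(label, effective_endpoint(xml), audit(xml))
```

Running it against a configuration before pxf cluster sync catches the mismatch that otherwise only surfaces as the SSLException at query time.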