Posted to dev@mina.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2017/10/06 23:28:00 UTC

[jira] [Commented] (DIRMINA-1072) SslFilter does not account for SSLEngine runtime exceptions

    [ https://issues.apache.org/jira/browse/DIRMINA-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16195423#comment-16195423 ] 

Emmanuel Lecharny commented on DIRMINA-1072:
--------------------------------------------

Sadly, the patch causes one of the tests to fail:

{code:java}
testTCPWithSSL(org.apache.mina.example.echoserver.ConnectorTest)  Time elapsed: 11.635 sec  <<< FAILURE!
java.lang.AssertionError: expected:<160> but was:<0>
	at org.junit.Assert.fail(Assert.java:88)
	at org.junit.Assert.failNotEquals(Assert.java:834)
	at org.junit.Assert.assertEquals(Assert.java:645)
	at org.junit.Assert.assertEquals(Assert.java:631)
	at org.apache.mina.example.echoserver.ConnectorTest.waitForResponse(ConnectorTest.java:220)
	at org.apache.mina.example.echoserver.ConnectorTest.testConnector0(ConnectorTest.java:190)
	at org.apache.mina.example.echoserver.ConnectorTest.testConnector(ConnectorTest.java:139)
	at org.apache.mina.example.echoserver.ConnectorTest.testConnector(ConnectorTest.java:102)
	at org.apache.mina.example.echoserver.ConnectorTest.testTCPWithSSL(ConnectorTest.java:89)
{code}

> SslFilter does not account for SSLEngine runtime exceptions
> -----------------------------------------------------------
>
>                 Key: DIRMINA-1072
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1072
>             Project: MINA
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 2.0.16
>            Reporter: Guus der Kinderen
>         Attachments: sslengine-exception.patch
>
>
> Mina's {{SslFilter}} wraps Mina's {{SslHandler}}, which itself wraps Java's {{SSLEngine}}.
> {{SslFilter}} does not catch runtime exceptions that are thrown by {{SSLEngine}} - I am unsure if this is by design.
> Ideally, we'd prevent the engine from getting into a state where it can throw such exceptions, but I'm not sure if that's completely feasible.
> Nonetheless, I'm here providing an improvement that prevents at least one occurrence of an unchecked exception from being thrown (instead, my patch preemptively throws an {{SSLException}} that is then caught by the exception handling that's already in place).
> An alternative to this fix could be an additional catch block that handles unchecked exceptions.
> The scenario that is causing the unchecked exception that is caught by this patch, is this:
> * client connects, causes an SslFilter to be initialized, which causes the SSLEngine to begin its handshake
> * server shuts down the input (for instance, for inactivity, or as a side-effect of resource starvation)
> * client sends data
> The corresponding stack trace starts with this:
> {code}
> java.lang.IllegalStateException: Internal error
>         at sun.security.ssl.SSLEngineImpl.initHandshaker(SSLEngineImpl.java:470)
>         at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1007)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>         at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>         at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> {code}
> Inspiration for this fix was obtained from the Jetty project, notably, this change: https://github.com/eclipse/jetty.project/issues/1228



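The two approaches named in the issue description (a preemptive {{SSLException}}, or a catch block for unchecked exceptions) can be combined in one wrapper around {{SSLEngine.unwrap}}. This is an added example, not the attached patch and not MINA's code: the class and helper names are hypothetical, and it assumes the "input shut down" state is visible through {{SSLEngine.isInboundDone()}}.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class GuardedUnwrap {

    /**
     * Hypothetical helper (not MINA's SslHandler): callers only ever see the
     * checked SSLException, which existing TLS error handling already covers.
     */
    static SSLEngineResult unwrap(SSLEngine engine, ByteBuffer net, ByteBuffer app)
            throws SSLException {
        // Guard 1: refuse to feed data to an engine whose inbound side is closed
        // (assumption: this is the state reached when the input is shut down).
        if (engine.isInboundDone()) {
            throw new SSLException("Inbound already closed; refusing to unwrap");
        }
        try {
            return engine.unwrap(net, app);
        } catch (RuntimeException e) {
            // Guard 2: convert unchecked engine failures such as
            // IllegalStateException, keeping the original as the cause.
            throw new SSLException("SSLEngine failed with an unchecked exception", e);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        try {
            engine.closeInbound(); // simulate the server shutting down the input
        } catch (SSLException ignored) {
            // some engines report a missing close_notify here; irrelevant for the demo
        }
        // Constructed bytes standing in for data the client sends afterwards.
        ByteBuffer net = ByteBuffer.wrap(new byte[] {0x16, 0x03, 0x03, 0x00, 0x01, 0x00});
        ByteBuffer app = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        try {
            unwrap(engine, net, app);
        } catch (SSLException e) {
            System.out.println("Handled as SSLException: " + e.getMessage());
        }
    }
}
```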