You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Guus der Kinderen (JIRA)" <ji...@apache.org> on 2017/10/07 10:51:02 UTC

[jira] [Updated] (DIRMINA-1072) SslFilter does not account for SSLEngine runtime exceptions

     [ https://issues.apache.org/jira/browse/DIRMINA-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guus der Kinderen updated DIRMINA-1072:
---------------------------------------
    Attachment: sslengine-exception-with-destroy.patch

Ah, I missed that. I've modified the patch, and attached the modification as [^sslengine-exception-with-destroy.patch].

This modification will, upon detecting the failed state, destroy the handler. With outbound done, it's unlikely to be useful anymore.

> SslFilter does not account for SSLEngine runtime exceptions
> -----------------------------------------------------------
>
>                 Key: DIRMINA-1072
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1072
>             Project: MINA
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 2.0.16
>            Reporter: Guus der Kinderen
>         Attachments: sslengine-exception.patch, sslengine-exception-with-destroy.patch
>
>
> Mina's {{SslFilter}} wraps Mina's {{SslHandler}}, which itself wraps Java's {{SSLEngine}}.
> {{SslFilter}} does not catch runtime exceptions that are thrown by {{SSLEngine}} - I am unsure if this is by design.
> Ideally, we'd prevent the engine to get into a state where it can throw such exceptions, but I'm not sure if that's completely feasible.
> None-the-less, I'm here providing an improvement that prevents at least one occurrence of an unchecked exception from being thrown (instead, my patch preemptively throws an {{SSLException}} that is then caught by the exception handling that's already in place).
> An alternative to this fix could be an additional catch block, that handles unchecked exceptions.
> The scenario that is causing the unchecked exception that is caught by this patch, is this:
> * client connects, causes an SslFilter to be initialized, which causes the SSLEngine to begin its handshake
> * server shuts down the input (for instance, for inactivity, or as a side-effect of resource starvation)
> * client sends data
> The corresponding stack trace starts with this:
> {code}java.lang.IllegalStateException: Internal error
>         at sun.security.ssl.SSLEngineImpl.initHandshaker(SSLEngineImpl.java:470)
>         at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1007)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>         at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>         at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624){code}
> Inspiration for this fix was obtain from the Jetty project, notably, this change: https://github.com/eclipse/jetty.project/issues/1228



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)