Posted to users@mina.apache.org by Kishore Mokkarala <ki...@gmail.com> on 2023/04/10 11:37:00 UTC

migration from apache mina 2.0.21 to 2.0.23 issue

Hi,
There was a security vulnerability in mina 2.0.21, so we migrated
from apache mina 2.0.21 to 2.0.23. Locally in the dev environment everything
looks good, but in production we are facing a connection timeout issue with
the mina version 2.0.23.
For connection setup it was taking 10-20 milliseconds (less than a second)
with the old version (2.0.21).
With the new version the connection timed out even after 40 seconds.

We use the same NioSocketConnector instance for opening 100
parallel connections.

*Question:*
*My query is why it is taking more than 40 seconds to open
the socket with the new version?*

We are not using https communication.

*Could you please suggest a workaround.*

What's happening in the code below is that mina times out after 40 seconds, and
the IO session has also been created using the state machine in separate
threads; both are running in two parallel threads. This issue is not seen
with the mina 2.0.21 version.

*Here is the code snippet.*

    private static final ExecutorFilter executorFilter = new ExecutorFilter(16, 32);

    StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class)
            .create(G10MinaClient.CONNECTED, new G10MinaClient(processor));

    // Proxy the state machine as the IoHandler; every session gets its own state context
    IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
            new IoSessionStateContextLookup(new StateContextFactory() {
                @Override
                public StateContext create() {
                    final G10StateContext stateContext = new G10StateContext();
                    stateContext.setStartedTime(new Date());
                    return stateContext;
                }
            })).create(IoHandler.class, stateMachine);

    NioSocketConnector connector = new NioSocketConnector();
    connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
    connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
    connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
    connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
    connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
    connector.setHandler(ioHandler);

    ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
    // MINA_CLOSE_TIMEOUT is 40 seconds
    if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) {
        if (handleIOException(searchExpression, captureHandler)) {
            return;
        }
        // The log argument is missing in the original post; primaryAddress is assumed here
        LOG.info("{} Apache mina connection setup time out happend.", primaryAddress);
        handleConnectionFailed(primaryAddress, captureHandler, "Primary IP connection timeout");
        return;
    }

Regards,
M.V.S.Kishore
91-9886412814

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Jonathan Valliere <jo...@apache.org>.
Cool. That was easy.

On Mon, Apr 17, 2023 at 11:05 AM Kishore Mokkarala <ki...@gmail.com>
wrote:

> Thank you all for the help. Here is my SSL implementation for making it work
> with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
>
> public class CustomSslFilter extends SslFilter {
>     public CustomSslFilter(SSLContext sslContext) {
>         super(sslContext);
>     }
>
>     // Override createEngine
>     @Override
>     protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
>         // Add your SNI host name and port in the IoSession.
>         // SNIHostNames and PortNumber are the session attribute keys set by the
>         // initializer below; the port is stored as an Integer, not a String.
>         String sniHostName = (String) session.getAttribute(SNIHostNames);
>         int portNumber = (Integer) session.getAttribute(PortNumber);
>         InetSocketAddress peer = InetSocketAddress.createUnresolved(sniHostName, portNumber);
>         SSLEngine sslEngine = (addr != null)
>                 ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
>                 : sslContext.createSSLEngine();
>
>         // Always start with WANT, which will be squashed by NEED if NEED is true.
>         // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
>         if (wantClientAuth) {
>             sslEngine.setWantClientAuth(true);
>         }
>
>         if (needClientAuth) {
>             sslEngine.setNeedClientAuth(true);
>         }
>
>         if (enabledCipherSuites != null) {
>             sslEngine.setEnabledCipherSuites(enabledCipherSuites);
>         }
>
>         if (enabledProtocols != null) {
>             sslEngine.setEnabledProtocols(enabledProtocols);
>         }
>
>         sslEngine.setUseClientMode(!session.isServer());
>
>         return sslEngine;
>     }
> }
>
>
> IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {
>     @Override
>     public void initializeSession(IoSession session, ConnectFuture future) {
>         session.setAttribute(SNIHostNames, "example.com");
>         session.setAttribute(PortNumber, 8443);
>     }
> };
>
> try {
>     NioSocketConnector connector = getConnector();
>     ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
> } catch (RuntimeIoException eio) {
>     initializationException = eio;
> }
>
> ------------------------------------------
> M.V.S.Kishore
> 91-9886412814
>
>
> On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <jo...@apache.org>
> wrote:
>
> > Looking at the code for your existing filter it appears like you’re just
> > trying to create the SSLEngine so it can be reused for subsequent
> > connections by passing in the IP address and Port?
> >
> > This is already a feature in the new filter.
> >
> >
> > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
> >
> > If you want to perform any customization during the SSL Engine setup, just
> > override createEngine
> >
> >
> > On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore.mvs@gmail.com>
> > wrote:
> >
> > > Currently we are using the following custom SSL filter for passing the SNI
> > > host name. For doing this we are using PEER_ADDRESS.
> > > This was available in apache mina 2.0.21 SslHandler.java, but this attribute
> > > is not available in 2.2.10.
> > > This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address to
> > > which it connects, but this information is needed for the destination
> > > server.
> > >
> > > *Existing implementation:*
> > >
> > > SslFilter sslFilter;
> > > try {
> > >     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     sslFilter = new CustomSslFilter(sslContext); // passing PEER_ADDRESS in overridden onPreAdd
> > >     sslFilter.setUseClientMode(true);
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > *CustomSslFilter.java:*
> > >
> > > public class CustomSslFilter extends SslFilter {
> > >
> > >     public CustomSslFilter(SSLContext sslContext) {
> > >         super(sslContext, true);
> > >     }
> > >
> > >     @Override
> > >     public void onPreAdd(IoFilterChain parent, String name,
> > >             NextFilter nextFilter) throws SSLException {
> > >         // Check that we don't have a SSL filter already present in the chain
> > >         if (parent.contains(SslFilter.class)) {
> > >             String msg = "Only one SSL filter is permitted in a chain.";
> > >             LOGGER.error(msg);
> > >             throw new IllegalStateException(msg);
> > >         }
> > >         IoSession session = parent.getSession();
> > >         Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
> > >         // Unresolved address: only the host name and port are handed to the SSL engine
> > >         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
> > >                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
> > >         session.setAttribute(PEER_ADDRESS, probeAddress);
> > >         super.onPreAdd(parent, name, nextFilter);
> > >     }
> > > }
> > >
> > > We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I
> > > made, but it is not working. Please do the needful.
> > > *Question:*
> > > How to pass this SNI host name for creating SSLEngine?
> > >
> > > *Here is the new implementation changed as per new Mina 2.2.10 API:*
> > > try {
> > >     sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
> > >     List<SNIServerName> sniHostNames = new ArrayList<>();
> > >     sniHostNames.add(sniHostName);
> > >     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> > >     sslParams.setServerNames(sniHostNames);
> > >     sslFilter = new SslFilter(sslContext);
> > >     //sslFilter.setUseClientMode(true); // This is not required in 2.2.1, hence commented.
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > Here is the Apache mina 2.0.21 SslHandler.java code with PEER_ADDRESS:
> > >
> > > /* no qualifier */ void init() throws SSLException {
> > >     if (sslEngine != null) {
> > >         // We already have a SSL engine created, no need to create a new one
> > >         return;
> > >     }
> > >     if (LOGGER.isDebugEnabled()) {
> > >         LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
> > >     }
> > >     InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
> > >     // Create the SSL engine here
> > >     if (peer == null) {
> > >         sslEngine = sslFilter.sslContext.createSSLEngine();
> > >     } else {
> > >         sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> > >     }
> > >     // Initialize the engine in client mode if necessary
> > >     sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> > >
> > >
> > > Regards,
> > > ------------------------------------------
> > > M.V.S.Kishore
> > > 91-9886412814
> > >
> > >
> > > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <el...@gmail.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > > > > Thanks Emmanuel for the quick response. I have a few more questions on
> > > > > the upgrade. Please do the needful.
> > > > > If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1, what all
> > > > > steps do I need to follow?
> > > >
> > > > There are two pages that explain the difference between 2.0 and 2.1, and
> > > > 2. and 2.2:
> > > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> > > > * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> > > >
> > > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> > > > session. It's pretty trivial.
> > > >
> > > > The 2.2 vs 2.1 migration is a bit more complicated, *if* you were using
> > > > startTLS.
> > > >
> > > > Otherwise, it's pretty straightforward.
> > > >
> > > > Also note that the SSL handler has been completely reworked in 2.2.
> > > >
> > > > > Is it just a jar file change in the classpath or do I need to do any
> > > > > more changes?
> > > >
> > > > It should be just about changing the jar.
> > > >
> > > >
> > > > > Also we are also using https for communication? In this case what all
> > > > > changes are needed?
> > > >
> > > > Nothing, AFAICT.
> > > >
> > > > > I have seen there is a change in the way we pass the SNI host name in
> > > > > 2.0.21 vs 2.2.1?
> > > >
> > > > Hmmm, not that I remember. Do you have any pointer?
> > > >
> > > > > First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
> > > >
> > > > Oh yes! Simply because the SSL rewrite was necessary, also because the 2.2
> > > > branch is clearly the one we maintain.
> > > >
> > > > > Will the state machine work without doing any changes?
> > > >
> > > > It should not have changed.
> > > >
> > > > Hope it helps.
> > > >
> > > > >
> > > > > Regards,
> > > > > ------------------------------------------
> > > > > M.V.S.Kishore
> > > > >
> > > > >
> > > > > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecharny@gmail.com>
> > > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Mina 2.0 branch is pretty old (5 years) and we have made significant
> > > > >> changes in the 2.1 and more important the 2.2 branches. You should
> > > > >> seriously consider migrating to 2.2. That being said:
> > > > >>
> > > > >> - 40 seconds to do whatever that was taking a few milliseconds sounds
> > > > >> like a major regression, aka bug.
> > > > >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes
> > > > >> little sense. The CVE only impacts the HTTP decoder. In other words, if
> > > > >> it's working, don't break it...
> > > > >> - We don't have enough context to tell you what could go wrong in your
> > > > >> code. If you provide some piece of code we can run, we can investigate,
> > > > >> otherwise it's like shouting in the dark... Typically, we have no clue
> > > > >> about what the gpbMessageFilter does.
> > > > >>
> > > > >>
> > > > >> --
> > > > >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > > >> T. +33 (0)4 89 97 36 50
> > > > >> P. +33 (0)6 08 33 32 61
> > > > >> emmanuel.lecharny@busit.com https://www.busit.com/
> > > > >>
>
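
Why the SSLParameters attempt quoted in the message above had no effect, shown as an added JSSE-only example (not code from the thread or from the MINA project): getDefaultSSLParameters() returns a copy, so server names set on it reach no engine unless they are written back with setSSLParameters. The class name SniEngineDemo and the host sni.example.test are constructed for illustration.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniEngineDemo {

    // Constructed sample values: the logical name the server expects, which
    // differs from the IP address the socket actually connects to.
    static final String SNI_NAME = "sni.example.test";
    static final int PORT = 8443;

    /** Mirrors the non-working attempt: the parameters are configured but never applied. */
    static SSLEngine paramsNeverApplied(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters(); // a copy of the context defaults
        List<SNIServerName> names = Collections.singletonList(new SNIHostName(SNI_NAME));
        params.setServerNames(names);
        // The engine is created from the context alone; 'params' is discarded.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    /**
     * Peer-hint approach, as in the 2.0.21 init() code and the overridden
     * createEngine: the host and port are advisory peer information, and the
     * default JDK provider uses a host name given here for SNI.
     */
    static SSLEngine peerHint(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine(SNI_NAME, PORT);
        engine.setUseClientMode(true);
        return engine;
    }

    /** Explicit approach: edit the engine's own parameters and write them back. */
    static SSLEngine explicitSni(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine(SNI_NAME, PORT);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters(); // also a copy
        List<SNIServerName> names = Collections.singletonList(new SNIHostName(SNI_NAME));
        params.setServerNames(names);
        // Added hardening step, not from the thread: have the engine check the
        // server certificate against the peer host given above.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params); // without this call nothing changes
        return engine;
    }

    /** Summarises what an engine will use for SNI and host name checking. */
    static String describe(SSLEngine engine) {
        SSLParameters p = engine.getSSLParameters();
        return "peerHost=" + engine.getPeerHost()
                + " serverNames=" + p.getServerNames()
                + " endpointIdentification=" + p.getEndpointIdentificationAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("params never applied: " + describe(paramsNeverApplied(ctx)));
        System.out.println("peer hint:            " + describe(peerHint(ctx)));
        System.out.println("explicit SNI:         " + describe(explicitSni(ctx)));
    }
}
```

In a MINA 2.2 filter the same engine setup belongs in an overridden createEngine, since that is where the filter builds the SSLEngine for each session.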

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Kishore Mokkarala <ki...@gmail.com>.
That's fine, you can use this code for 2.0.x -> 2.2.1 documentation.
------------------------------------------
M.V.S.Kishore
91-9886412814


On Mon, 17 Apr 2023 at 20:46, Emmanuel Lécharny <el...@gmail.com> wrote:

> Great!
>
> If you don't mind, I'd like to use this piece of code to document the
> 2.0 -> 2.2 migration.
>
> Just let me know if it's OK with you !
>
> Thanks!
> >>>>>> To unsubscribe, e-mail: users-unsubscribe@mina.apache.org
> >>>>>> For additional commands, e-mail: users-help@mina.apache.org
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> >>>> T. +33 (0)4 89 97 36 50
> >>>> P. +33 (0)6 08 33 32 61
> >>>> emmanuel.lecharny@busit.com https://www.busit.com/
> >>>>
> >>>
> >>
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecharny@busit.com https://www.busit.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@mina.apache.org
> For additional commands, e-mail: users-help@mina.apache.org
>
>

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Emmanuel Lécharny <el...@gmail.com>.
Great!

If you don't mind, I'd like to use this piece of code to document the 
2.0 -> 2.2 migration.

Just let me know if it's OK with you !

Thanks!

On 17/04/2023 13:04, Kishore Mokkarala wrote:
> Thank you all for the help.Here is my SSL implementation for making it work
> with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
> 
> public class CustomSslFilter {
> public CustomSslFilter(SSLContext sslContext) {
> super(sslContext);
> }
> //Override CreateEngine
>   protected SSLEngine createEngine(IoSession session, InetSocketAddress
> addr) {
> //Add your SNI host name and port in the IOSession
> SNIHostNames   = (String)session.getAttribute( SNIHostNames );
>    PortNumber =   (String)session.getAttribute(  PortNumber  );
> InetSocketAddress peer =
> InetSocketAddress.createUnresolved(SNIHostNames,PortNumber);
>     SSLEngine sslEngine = (addr != null) ?
> sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
>                 : sslContext.createSSLEngine();
> 
>         // Always start with WANT, which will be squashed by NEED if NEED is
> true.
>         // Actually, it makes not a lot of sense to select NEED and WANT.
> NEED >> WANT...
>         if (wantClientAuth) {
>             sslEngine.setWantClientAuth(true);
>         }
> 
>         if (needClientAuth) {
>             sslEngine.setNeedClientAuth(true);
>         }
> 
>         if (enabledCipherSuites != null) {
>             sslEngine.setEnabledCipherSuites(enabledCipherSuites);
>         }
> 
>         if (enabledProtocols != null) {
>             sslEngine.setEnabledProtocols(enabledProtocols);
>         }
> 
>         sslEngine.setUseClientMode(!session.isServer());
> 
>         return sslEngine;
>     }
> }
> 
> 
> IoSessionInitializer<ConnectFuture> initializer = new
> IoSessionInitializer<ConnectFuture>() {
> 
>              @Override
>              public void initializeSession(IoSession session, ConnectFuture
> future) {
> 
>                  session.setAttribute( SNIHostNames , "example.com");
>                  session.setAttribute( PortNumber  , 8443);
>              }
>          };
> 
>          try {
>          NioSocketConnector connector = getConnector();
>              ioSession = connector.connect(address,
> initializer).awaitUninterruptibly().getSession();
>          } catch (RuntimeIoException eio) {
>              initializationException = eio;
>          }
> 
> ------------------------------------------
> M.V.S.Kishore
> 91-9886412814
> 
> 
> On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <jo...@apache.org> wrote:
> 
>> Looking at the code for your existing filter it appears like you’re just
>> trying to create the SSLEngine so it can be reused for subsequent
>> connections by passing in the IP address and Port?
>>
>> This is already a feature in the new filter.
>>
>> https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
>>
>> If you want to perform any customization during the SSL Engine setup, just
>> override createEngine
>>
>>
>> On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <ki...@gmail.com>
>> wrote:
>>
>>> Currently we are using the following custom SSL filter for passing SNI
>> host
>>> name. For doing this we are using PEER_ADDRESS.
>>> This was available in apache mina 2.0.21 SslHandler.java,but this
>> attribute
>>> is not available in 2.2.10.
>>> This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address
>> to
>>> which it connects ,but this information is needed for the destination
>>> server.
>>>
>>> *Existing implementation : *
>>>
>>> SslFilter sslFilter;
>>> try {
>>> SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
>>> * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS
>>> in overridden onPreAdd*.
>>> sslFilter.setUseClientMode(true);
>>> connector.getFilterChain().addFirst("sslFilter", sslFilter);
>>> } catch (Exception e) {
>>> e.printStackTrace();
>>> LOG.error("Exception during creating SSL context..." +
>>> XError.getStackTrace(e));
>>> }
>>> connector.setHandler(ioHandler);
>>>
>>> *CustomSslFilter.java:*
>>>
>>> public class CustomSslFilter extends SslFilter
>>> {
>>>
>>> public CustomSslFilter(SSLContext sslContext) {
>>> super(sslContext, true);
>>> }
>>>
>>> @Override
>>>      public void onPreAdd(IoFilterChain parent, String name,
>>>              NextFilter nextFilter) throws SSLException {
>>>          // Check that we don't have a SSL filter already present in the
>>> chain
>>>          if (parent.contains(SslFilter.class)) {
>>>              String msg = "Only one SSL filter is permitted in a chain.";
>>>              LOGGER.error(msg);
>>>              throw new IllegalStateException(msg);
>>>          }
>>>          IoSession session = parent.getSession();
>>>          Provider provider =
>>> (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY);
>>>          InetSocketAddress probeAddress =
>>> InetSocketAddress.createUnresolved(
>>> *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber()));
>>>          session.setAttribute(PEER_ADDRESS, probeAddress);
>>>          super.onPreAdd(parent, name, nextFilter);
>>>      }
>>> }
>>>
>>> We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I
>> did
>>> but it is not working.Please do the needful.
>>> *Question:*
>>> How to pass this sni host name for creating SSLEngine?
>>>
>>> *Here is the new implementation changed as per new Mina 2.2.10 API:*
>>> try{
>>> sslContext = javax.net.ssl.SSLContext.getDefault();
>>> SNIServerName sniHostName = new SNIHostName("*eid.17.cid.0*");
>>> List<SNIServerName> sniHostNames = new ArrayList<>();
>>> sniHostNames.add(sniHostName);
>>> SSLParameters sslParams = sslContext.getDefaultSSLParameters();
>>> sslParams.setServerNames(sniHostNames);
>>> sslFilter = new SslFilter(sslContext);
>>> //sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence
>>> commented.
>>> connector.getFilterChain().addFirst("sslFilter", sslFilter);
>>> } catch (Exception e) {
>>> e.printStackTrace();
>>> LOG.error("Exception during creating SSL context..." +
>>> XError.getStackTrace(e));
>>> }
>>> connector.setHandler(ioHandler);
>>>
>>> Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code
>> :
>>>
>>>   /* no qualifier */void init() throws SSLException {
>>>          if (sslEngine != null) {
>>>              // We already have a SSL engine created, no need to create a
>>> new one
>>>              return;
>>>          }
>>>          if (LOGGER.isDebugEnabled()) {
>>>              LOGGER.debug("{} Initializing the SSL Handler",
>>> sslFilter.getSessionInfo(session));
>>>          }
>>>          InetSocketAddress peer = (InetSocketAddress)
>>> session.getAttribute(SslFilter.PEER_ADDRESS);
>>>          // Create the SSL engine here
>>>          if (peer == null) {
>>>              sslEngine = sslFilter.sslContext.createSSLEngine();
>>>          } else {
>>>              sslEngine =
>>> sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
>>>          }
>>>          // Initialize the engine in client mode if necessary
>>>          sslEngine.setUseClientMode(sslFilter.isUseClientMode());
>>>
>>>
>>> Regards,
>>> ------------------------------------------
>>> M.V.S.Kishore
>>> 91-9886412814
>>>
>>>
>>> On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <el...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> On 12/04/2023 18:00, Kishore Mokkarala wrote:
>>>>> Thanks  Emmanuel for the quick response.I have few more questions on
>>> the
>>>>> upgrade.Please do the needful.
>>>>> If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all
>>> steps
>>>>> do i need to follow ?
>>>>
>>>> There are two pages that explain the difference between 2.0 and 2.1, and
>>>> 2. and 2.2:
>>>> * https://mina.apache.org/mina-project/2.1-vs-2.0.html
>>>> * https://mina.apache.org/mina-project/2.2-vs-2.1.html
>>>>
>>>> The 2.1 vs 2.0 difference is mainly about the way we detect a secured
>>>> session. It's pretty trivial.
>>>>
>>>> The 2.2. vs 2.1 migration is a bit more complicated, *if* you were
>> using
>>>> startTLS.
>>>>
>>>> Otherwise, it's pretty straightforward.
>>>>
>>>> Also note that the SSL handler has been completely reworked in 2.2.
>>>>
>>>>> Is it  just a jar file  change in the classpath or do i need to do
>> any
>>>> more
>>>>> changes ?
>>>>
>>>> It should be just about changing the jar.
>>>>
>>>>
>>>>> Also we are also using https for communication ? in this case what
>> all
>>>>> changes are needed ?
>>>>
>>>> Nothing, AFAICT.
>>>>
>>>>> I have seen there is a change the way we pass the SNI host name in
>>> 2.0.21
>>>>> vs  2.2.1 ?
>>>>
>>>> Hmmm, not that I remember. Do you have any pointer?
>>>>
>>>>> First of all is it recommended to migrate from  2.0.21 to mina 2.2.1
>> ?
>>>>
>>>> Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
>>>> branch is clearly the one we maintain.
>>>>
>>>>> will the state machine work without doing any changes ?
>>>>
>>>> It should not have changed.
>>>>
>>>> Hope it helps.
>>>>
>>>>>
>>>>> Regards,
>>>>> ------------------------------------------
>>>>> M.V.S.Kishore
>>>>>
>>>>>
>>>>> On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecharny@gmail.com
>>>
>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Mina 2.0 branch is pretty old (5 years) and we have made significant
>>>>>> changes in the 2.1 and more important the 2.2 branches. You should
>>>>>> seriously consider migrating to 2.2. That  being said:
>>>>>>
>>>>>> - 40 seconds to do whatever that was taking a few milliseconds
>> sounds
>>>>>> like a major regression, aka bug.
>>>>>> - If you weren't using the HTTP part of MINA, migrating to 2.0.23
>>> makes
>>>>>> little sense. The CVE only impacts the HTTP decoder. In other words,
>>> if
>>>>>> it's working, don't break it...
>>>>>> - We don't have enough context to tell you what could go wrong in
>> your
>>>>>> code. If you provide some piece of code we can run, we can
>>> investigate,
>>>>>> otherwise it's like shouting in the dark... Typically, we have no
>> clue
>>>>>> about what the gpbMessageFilter does.
>>>>>>
>>>>>> On 10/04/2023 13:37, Kishore Mokkarala wrote:
>>>>>>> Hi,
>>>>>>> There was a security vulnerability in mina 2.0.21,So we were
>> migrated
>>>>>>> from apache mina 2.0.21 to 2.0.23,locally in the dev environment
>>>>>> everything
>>>>>>> looks good, but in production we are facing connection timeout
>> issue
>>>> with
>>>>>>> the mina version 2.0.23.
>>>>>>> For connection set up it was taking 10-20 milliseconds (less than a
>>>>>> second)
>>>>>>> with the old version (2.0.21).
>>>>>>> With the new version even after 40 seconds connection was timed
>> out.
>>>>>>>
>>>>>>> We use the same NioSocketConnector  instance for opening 100
>>>>>>> parallel connections.
>>>>>>>
>>>>>>> *Question:*
>>>>>>> *My query is why it is taking more time more than 40 seconds for
>>>> opening
>>>>>>> the socket with the new version ?*
>>>>>>>
>>>>>>> We are not using https communication.
>>>>>>>
>>>>>>> *Could you please suggest a work around.*
>>>>>>>
>>>>>>> What's happening in the below code is mina is time out after 40
>>> seconds
>>>>>> and
>>>>>>> also IO session has been created using state machine in separate
>>>>>>> threads,both are running in two parallel threads,This issue is not
>>> seen
>>>>>>> with the mina 2.0.21 version.
>>>>>>>
>>>>>>> *Here is the code snippet.*
>>>>>>>
>>>>>>>     private static final ExecutorFilter executorFilter = new
>>>>>>> ExecutorFilter(16,32);
>>>>>>>
>>>>>>>        StateMachine stateMachine =
>>>>>>> StateMachineFactory.getInstance(IoHandlerTransition.class).create(
>>>>>>>                    G10MinaClient.CONNECTED, new
>>>> G10MinaClient(processor));
>>>>>>>
>>>>>>>            IoHandler ioHandler = new
>>>>>>> StateMachineProxyBuilder().setStateContextLookup(
>>>>>>>                    new IoSessionStateContextLookup(new
>>>>>> StateContextFactory() {
>>>>>>>                        @Override
>>>>>>>                        public StateContext create() {
>>>>>>>                            final G10StateContext stateContext = new
>>>>>>> G10StateContext();
>>>>>>>                            stateContext.setStartedTime(new Date());
>>>>>>>                            return stateContext;
>>>>>>>                        }
>>>>>>>                    })).create(IoHandler.class, stateMachine);
>>>>>>>
>>>>>>> NioSocketConnector connector = new NioSocketConnector();
>>>>>>>            connector.getFilterChain().addLast("LoggingFilter",
>>>>>>> G10CaptureService.loggingFilter);
>>>>>>>            connector.getFilterChain().addLast("codecFilter",
>>>>>>> G10CaptureService.probeCodecFilter);
>>>>>>>            connector.getFilterChain().addLast("executorFilter",
>>>>>>> G10CaptureService.executorFilter);
>>>>>>>            connector.getFilterChain().addLast("gpbMessageFilter",
>>>>>>> G10CaptureService.gpbMessageFilter);
>>>>>>>            connector.getFilterChain().addLast("keepAliveFilter",
>>>>>>> G10CaptureService.keepAliveFilter);
>>>>>>>            connector.setHandler(ioHandler);
>>>>>>> ConnectFuture primaryConnectFuture =
>>> connector.connect(primaryAddress,
>>>>>>> initializer);
>>>>>>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
>>>>>>> //MINA_CLOSE_TIMEOUT is 40 seconds
>>>>>>> {
>>>>>>>
>>>>>>>                        if (handleIOException(searchExpression,
>>>>>>> captureHandler)) {
>>>>>>>                            return;
>>>>>>>                        }
>>>>>>>                        LOG.info("{} Apache mina connection setup
>> time
>>>> out
>>>>>>> happend.",
>>>>>>>                        handleConnectionFailed(primaryAddress,
>>>>>> captureHandler,
>>>>>>> "Primary IP connection timeout");
>>>>>>>                        return;
>>>>>>> }
>>>>>>>
>>>>>>> Regards,
>>>>>>> M.V.S.Kishore
>>>>>>> 91-9886412814
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>>>>>> T. +33 (0)4 89 97 36 50
>>>>>> P. +33 (0)6 08 33 32 61
>>>>>> emmanuel.lecharny@busit.com https://www.busit.com/
>>>>>>
>>>>>>
>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@mina.apache.org
>>>>>> For additional commands, e-mail: users-help@mina.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>>>> T. +33 (0)4 89 97 36 50
>>>> P. +33 (0)6 08 33 32 61
>>>> emmanuel.lecharny@busit.com https://www.busit.com/
>>>>
>>>
>>
> 

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/



Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Kishore Mokkarala <ki...@gmail.com>.
Thank you all for the help. Here is my SSL implementation for making it work
with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.

import java.net.InetSocketAddress;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

public class CustomSslFilter extends SslFilter {

    // Session attribute keys. Their declarations were not shown in the
    // original post; the names are the ones it uses.
    public static final String SNIHostNames = "SNIHostNames";
    public static final String PortNumber = "PortNumber";

    public CustomSslFilter(SSLContext sslContext) {
        super(sslContext);
    }

    // Override createEngine
    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        // The SNI host name and port are read from the IoSession, where the
        // IoSessionInitializer below stored them
        String sniHostName = (String) session.getAttribute(SNIHostNames);
        int portNumber = (Integer) session.getAttribute(PortNumber);
        InetSocketAddress peer = InetSocketAddress.createUnresolved(sniHostName, portNumber);
        SSLEngine sslEngine = (addr != null)
                ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
                : sslContext.createSSLEngine();

        // Always start with WANT, which will be squashed by NEED if NEED is true.
        // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
        if (wantClientAuth) {
            sslEngine.setWantClientAuth(true);
        }

        if (needClientAuth) {
            sslEngine.setNeedClientAuth(true);
        }

        if (enabledCipherSuites != null) {
            sslEngine.setEnabledCipherSuites(enabledCipherSuites);
        }

        if (enabledProtocols != null) {
            sslEngine.setEnabledProtocols(enabledProtocols);
        }

        sslEngine.setUseClientMode(!session.isServer());

        return sslEngine;
    }
}


// Fragment from the connecting code: the initializer stores the SNI host
// name and port on the session before the SSL filter creates its engine.
IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {

    @Override
    public void initializeSession(IoSession session, ConnectFuture future) {
        session.setAttribute(CustomSslFilter.SNIHostNames, "example.com");
        session.setAttribute(CustomSslFilter.PortNumber, 8443);
    }
};

try {
    NioSocketConnector connector = getConnector();
    ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
} catch (RuntimeIoException eio) {
    initializationException = eio;
}

------------------------------------------
M.V.S.Kishore
91-9886412814


On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <jo...@apache.org> wrote:

> Looking at the code for your existing filter it appears like you’re just
> trying to create the SSLEngine so it can be reused for subsequent
> connections by passing in the IP address and Port?
>
> This is already a feature in the new filter.
>
> https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
>
> If you want to perform any customization during the SSL Engine setup, just
> override createEngine
>
>
> On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <ki...@gmail.com>
> wrote:
>
> > Currently we are using the following custom SSL filter for passing SNI
> host
> > name. For doing this we are using PEER_ADDRESS.
> > This was available in apache mina 2.0.21 SslHandler.java,but this
> attribute
> > is not available in 2.2.10.
> > This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address
> to
> > which it connects ,but this information is needed for the destination
> > server.
> >
> > *Existing implementation : *
> >
> > SslFilter sslFilter;
> > try {
> > SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> > * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS
> > in overridden onPreAdd*.
> > sslFilter.setUseClientMode(true);
> > connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > } catch (Exception e) {
> > e.printStackTrace();
> > LOG.error("Exception during creating SSL context..." +
> > XError.getStackTrace(e));
> > }
> > connector.setHandler(ioHandler);
> >
> > *CustomSslFilter.java:*
> >
> > public class CustomSslFilter extends SslFilter
> > {
> >
> > public CustomSslFilter(SSLContext sslContext) {
> > super(sslContext, true);
> > }
> >
> > @Override
> >     public void onPreAdd(IoFilterChain parent, String name,
> >             NextFilter nextFilter) throws SSLException {
> >         // Check that we don't have a SSL filter already present in the
> > chain
> >         if (parent.contains(SslFilter.class)) {
> >             String msg = "Only one SSL filter is permitted in a chain.";
> >             LOGGER.error(msg);
> >             throw new IllegalStateException(msg);
> >         }
> >         IoSession session = parent.getSession();
> >         Provider provider =
> > (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY);
> >         InetSocketAddress probeAddress =
> > InetSocketAddress.createUnresolved(
> > *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber()));
> >         session.setAttribute(PEER_ADDRESS, probeAddress);
> >         super.onPreAdd(parent, name, nextFilter);
> >     }
> > }
> >
> > We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I
> did
> > but it is not working.Please do the needful.
> > *Question:*
> > How to pass this sni host name for creating SSLEngine?
> >
> > *Here is the new implementation changed as per new Mina 2.2.10 API:*
> > try{
> > sslContext = javax.net.ssl.SSLContext.getDefault();
> > SNIServerName sniHostName = new SNIHostName("*eid.17.cid.0*");
> > List<SNIServerName> sniHostNames = new ArrayList<>();
> > sniHostNames.add(sniHostName);
> > SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> > sslParams.setServerNames(sniHostNames);
> > sslFilter = new SslFilter(sslContext);
> > //sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence
> > commented.
> > connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > } catch (Exception e) {
> > e.printStackTrace();
> > LOG.error("Exception during creating SSL context..." +
> > XError.getStackTrace(e));
> > }
> > connector.setHandler(ioHandler);
> >
> > Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code
> :
> >
> >  /* no qualifier */void init() throws SSLException {
> >         if (sslEngine != null) {
> >             // We already have a SSL engine created, no need to create a
> > new one
> >             return;
> >         }
> >         if (LOGGER.isDebugEnabled()) {
> >             LOGGER.debug("{} Initializing the SSL Handler",
> > sslFilter.getSessionInfo(session));
> >         }
> >         InetSocketAddress peer = (InetSocketAddress)
> > session.getAttribute(SslFilter.PEER_ADDRESS);
> >         // Create the SSL engine here
> >         if (peer == null) {
> >             sslEngine = sslFilter.sslContext.createSSLEngine();
> >         } else {
> >             sslEngine =
> > sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> >         }
> >         // Initialize the engine in client mode if necessary
> >         sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> >
> >
> > Regards,
> > ------------------------------------------
> > M.V.S.Kishore
> > 91-9886412814
> >
> >
> > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <el...@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > > > Thanks  Emmanuel for the quick response.I have few more questions on
> > the
> > > > upgrade.Please do the needful.
> > > > If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all
> > steps
> > > > do i need to follow ?
> > >
> > > > There are two pages that explain the difference between 2.0 and 2.1, and
> > > 2. and 2.2:
> > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> > > * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> > >
> > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> > > session. It's pretty trivial.
> > >
> > > The 2.2. vs 2.1 migration is a bit more complicated, *if* you were
> using
> > > startTLS.
> > >
> > > Otherwise, it's pretty straightforward.
> > >
> > > > Also note that the SSL handler has been completely reworked in 2.2.
> > >
> > > > Is it  just a jar file  change in the classpath or do i need to do
> any
> > > more
> > > > changes ?
> > >
> > > It should be just about changing the jar.
> > >
> > >
> > > > Also we are also using https for communication ? in this case what
> all
> > > > changes are needed ?
> > >
> > > Nothing, AFAICT.
> > >
> > > > I have seen there is a change the way we pass the SNI host name in
> > 2.0.21
> > > > vs  2.2.1 ?
> > >
> > > > Hmmm, not that I remember. Do you have any pointer?
> > >
> > > > First of all is it recommended to migrate from  2.0.21 to mina 2.2.1
> ?
> > >
> > > Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
> > > branch is clearly the one we maintain.
> > >
> > > > will the state machine work without doing any changes ?
> > >
> > > It should not have changed.
> > >
> > > Hope it helps.
> > >
> > > >
> > > > Regards,
> > > > ------------------------------------------
> > > > M.V.S.Kishore
> > > >
> > > >
> > > > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecharny@gmail.com
> >
> > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Mina 2.0 branch is pretty old (5 years) and we have made significant
> > > >> changes in the 2.1 and more important the 2.2 branches. You should
> > > >> seriously consider migrating to 2.2. That  being said:
> > > >>
> > > >> - 40 seconds to do whatever that was taking a few milliseconds
> sounds
> > > >> like a major regression, aka bug.
> > > >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23
> > makes
> > > >> little sense. The CVE only impacts the HTTP decoder. In other words,
> > if
> > > >> it's working, don't break it...
> > > >> - We don't have enough context to tell you what could go wrong in
> your
> > > >> code. If you provide some piece of code we can run, we can
> > investigate,
> > > >> otherwise it's like shouting in the dark... Typically, we have no
> clue
> > > >> about what the gpbMessageFilter does.
> > > >>
> > > >> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> > > >>> Hi,
> > > >>> There was a security vulnerability in mina 2.0.21,So we were
> migrated
> > > >>> from apache mina 2.0.21 to 2.0.23,locally in the dev environment
> > > >> everything
> > > >>> looks good, but in production we are facing connection timeout
> issue
> > > with
> > > >>> the mina version 2.0.23.
> > > >>> For connection set up it was taking 10-20 milliseconds (less than a
> > > >> second)
> > > >>> with the old version (2.0.21).
> > > >>> With the new version even after 40 seconds connection was timed
> out.
> > > >>>
> > > >>> We use the same NioSocketConnector  instance for opening 100
> > > >>> parallel connections.
> > > >>>
> > > >>> *Question:*
> > > >>> *My query is why it is taking more time more than 40 seconds for
> > > opening
> > > >>> the socket with the new version ?*
> > > >>>
> > > >>> We are not using https communication.
> > > >>>
> > > >>> *Could you please suggest a work around.*
> > > >>>
> > > >>> What's happening in the below code is mina is time out after 40
> > seconds
> > > >> and
> > > >>> also IO session has been created using state machine in separate
> > > >>> threads,both are running in two parallel threads,This issue is not
> > seen
> > > >>> with the mina 2.0.21 version.
> > > >>>
> > > >>> *Here is the code snippet.*
> > > >>>
> > > >>>    private static final ExecutorFilter executorFilter = new
> > > >>> ExecutorFilter(16,32);
> > > >>>
> > > >>>       StateMachine stateMachine =
> > > >>> StateMachineFactory.getInstance(IoHandlerTransition.class).create(
> > > >>>                   G10MinaClient.CONNECTED, new
> > > G10MinaClient(processor));
> > > >>>
> > > >>>           IoHandler ioHandler = new
> > > >>> StateMachineProxyBuilder().setStateContextLookup(
> > > >>>                   new IoSessionStateContextLookup(new
> > > >> StateContextFactory() {
> > > >>>                       @Override
> > > >>>                       public StateContext create() {
> > > >>>                           final G10StateContext stateContext = new
> > > >>> G10StateContext();
> > > >>>                           stateContext.setStartedTime(new Date());
> > > >>>                           return stateContext;
> > > >>>                       }
> > > >>>                   })).create(IoHandler.class, stateMachine);
> > > >>>
> > > >>> NioSocketConnector connector = new NioSocketConnector();
> > > >>>           connector.getFilterChain().addLast("LoggingFilter",
> > > >>> G10CaptureService.loggingFilter);
> > > >>>           connector.getFilterChain().addLast("codecFilter",
> > > >>> G10CaptureService.probeCodecFilter);
> > > >>>           connector.getFilterChain().addLast("executorFilter",
> > > >>> G10CaptureService.executorFilter);
> > > >>>           connector.getFilterChain().addLast("gpbMessageFilter",
> > > >>> G10CaptureService.gpbMessageFilter);
> > > >>>           connector.getFilterChain().addLast("keepAliveFilter",
> > > >>> G10CaptureService.keepAliveFilter);
> > > >>>           connector.setHandler(ioHandler);
> > > >>> ConnectFuture primaryConnectFuture =
> > connector.connect(primaryAddress,
> > > >>> initializer);
> > > >>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
> > > >>> //MINA_CLOSE_TIMEOUT is 40 seconds
> > > >>> {
> > > >>>
> > > >>>                       if (handleIOException(searchExpression,
> > > >>> captureHandler)) {
> > > >>>                           return;
> > > >>>                       }
> > > >>>                       LOG.info("{} Apache mina connection setup
> time
> > > out
> > > >>> happend.",
> > > >>>                       handleConnectionFailed(primaryAddress,
> > > >> captureHandler,
> > > >>> "Primary IP connection timeout");
> > > >>>                       return;
> > > >>> }
> > > >>>
> > > >>> Regards,
> > > >>> M.V.S.Kishore
> > > >>> 91-9886412814
> > > >>>
> > > >>
> > > >> --
> > > >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > >> T. +33 (0)4 89 97 36 50
> > > >> P. +33 (0)6 08 33 32 61
> > > >> emmanuel.lecharny@busit.com https://www.busit.com/
> > > >>
> > > >>
> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: users-unsubscribe@mina.apache.org
> > > >> For additional commands, e-mail: users-help@mina.apache.org
> > > >>
> > > >>
> > > >
> > >
> > > --
> > > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > T. +33 (0)4 89 97 36 50
> > > P. +33 (0)6 08 33 32 61
> > > emmanuel.lecharny@busit.com https://www.busit.com/
> > >
> >
>

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Jonathan Valliere <jo...@apache.org>.
Looking at the code for your existing filter it appears like you’re just
trying to create the SSLEngine so it can be reused for subsequent
connections by passing in the IP address and Port?

This is already a feature in the new filter.
https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281

If you want to perform any customization during the SSL Engine setup, just
override createEngine.


On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <ki...@gmail.com>
wrote:

> Currently we are using the following custom SSL filter for passing the SNI host
> name. For doing this we are using PEER_ADDRESS.
> This was available in apache mina 2.0.21 SslHandler.java, but this attribute
> is not available in 2.2.10.
> This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address to
> which it connects, but this information is needed for the destination
> server.
>
> *Existing implementation : *
>
> SslFilter sslFilter;
> try {
>     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
>     // passing PEER_ADDRESS in overridden onPreAdd
>     sslFilter = new CustomSslFilter(sslContext);
>     sslFilter.setUseClientMode(true);
>     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> } catch (Exception e) {
>     e.printStackTrace();
>     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> }
> connector.setHandler(ioHandler);
>
> *CustomSslFilter.java:*
>
> public class CustomSslFilter extends SslFilter {
>
>     public CustomSslFilter(SSLContext sslContext) {
>         super(sslContext, true);
>     }
>
>     @Override
>     public void onPreAdd(IoFilterChain parent, String name,
>             NextFilter nextFilter) throws SSLException {
>         // Check that we don't have a SSL filter already present in the chain
>         if (parent.contains(SslFilter.class)) {
>             String msg = "Only one SSL filter is permitted in a chain.";
>             LOGGER.error(msg);
>             throw new IllegalStateException(msg);
>         }
>         IoSession session = parent.getSession();
>         Provider provider =
>                 (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
>         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
>                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
>         session.setAttribute(PEER_ADDRESS, probeAddress);
>         super.onPreAdd(parent, name, nextFilter);
>     }
> }
>
> We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I did,
> but it is not working. Please do the needful.
> *Question:*
> How to pass this SNI host name for creating SSLEngine?
>
> *Here is the new implementation changed as per new Mina 2.2.10 API:*
> try {
>     sslContext = javax.net.ssl.SSLContext.getDefault();
>     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
>     List<SNIServerName> sniHostNames = new ArrayList<>();
>     sniHostNames.add(sniHostName);
>     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
>     sslParams.setServerNames(sniHostNames);
>     sslFilter = new SslFilter(sslContext);
>     // sslFilter.setUseClientMode(true); // This is not required in 2.2.1 hence commented.
>     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> } catch (Exception e) {
>     e.printStackTrace();
>     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> }
> connector.setHandler(ioHandler);
>
> Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code :
>
> /* no qualifier */ void init() throws SSLException {
>     if (sslEngine != null) {
>         // We already have a SSL engine created, no need to create a new one
>         return;
>     }
>     if (LOGGER.isDebugEnabled()) {
>         LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
>     }
>     InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
>     // Create the SSL engine here
>     if (peer == null) {
>         sslEngine = sslFilter.sslContext.createSSLEngine();
>     } else {
>         sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
>     }
>     // Initialize the engine in client mode if necessary
>     sslEngine.setUseClientMode(sslFilter.isUseClientMode());
>
>
> Regards,
> ------------------------------------------
> M.V.S.Kishore
> 91-9886412814
>
>
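
The customization suggested in the reply above, as an added example that is not part of the original thread or MINA's own code: a subclass that overrides createEngine and sets the SNI name on the engine itself. It assumes the 2.2.x hook has the signature createEngine(IoSession, InetSocketAddress); the class name SniSslFilter and the helper install() are hypothetical.

```java
import java.net.InetSocketAddress;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.List;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;
import org.apache.mina.transport.socket.nio.NioSocketConnector;

/**
 * Hypothetical SslFilter subclass for MINA 2.2.x that sends a fixed SNI host
 * name which differs from the address the connector actually dials.
 */
public class SniSslFilter extends SslFilter {

    private final List<SNIServerName> serverNames;

    public SniSslFilter(SSLContext sslContext, String sniHostName) {
        super(sslContext);
        // SNIHostName rejects malformed names with IllegalArgumentException,
        // so a bad configuration value fails here and not during a handshake.
        this.serverNames =
                Collections.<SNIServerName>singletonList(new SNIHostName(sniHostName));
    }

    // Assumption: 2.2.x exposes this protected hook with this signature.
    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        // Let the filter build the engine with its usual settings first.
        SSLEngine engine = super.createEngine(session, addr);

        // SSLContext.getDefaultSSLParameters() returns a copy, so changing
        // that copy (as in the attempt quoted above) never reaches an engine.
        // The parameters have to be read from, and written back to, the
        // engine that will perform the handshake.
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(serverNames);
        engine.setSSLParameters(params);
        return engine;
    }

    /** Hypothetical helper: installs the filter first in a connector's chain. */
    public static void install(NioSocketConnector connector, String sniHostName)
            throws NoSuchAlgorithmException {
        SslFilter sslFilter = new SniSslFilter(SSLContext.getDefault(), sniHostName);
        connector.getFilterChain().addFirst("sslFilter", sslFilter);
    }
}
```

Called as SniSslFilter.install(connector, "eid.17.cid.0") before connector.connect(...), this replaces the PEER_ADDRESS session attribute used with 2.0.21.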

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Kishore Mokkarala <ki...@gmail.com>.
Currently we are using the following custom SSL filter for passing the SNI host
name. For doing this we are using PEER_ADDRESS.
This was available in apache mina 2.0.21 SslHandler.java, but this attribute
is not available in 2.2.10.
This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address to
which it connects, but this information is needed for the destination
server.

*Existing implementation : *

SslFilter sslFilter;
try {
    SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
    // passing PEER_ADDRESS in overridden onPreAdd
    sslFilter = new CustomSslFilter(sslContext);
    sslFilter.setUseClientMode(true);
    connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
    e.printStackTrace();
    LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
}
connector.setHandler(ioHandler);

*CustomSslFilter.java:*

public class CustomSslFilter extends SslFilter {

    public CustomSslFilter(SSLContext sslContext) {
        super(sslContext, true);
    }

    @Override
    public void onPreAdd(IoFilterChain parent, String name,
            NextFilter nextFilter) throws SSLException {
        // Check that we don't have a SSL filter already present in the chain
        if (parent.contains(SslFilter.class)) {
            String msg = "Only one SSL filter is permitted in a chain.";
            LOGGER.error(msg);
            throw new IllegalStateException(msg);
        }
        IoSession session = parent.getSession();
        Provider provider =
                (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
        InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
                "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
        session.setAttribute(PEER_ADDRESS, probeAddress);
        super.onPreAdd(parent, name, nextFilter);
    }
}

We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I did,
but it is not working. Please do the needful.
*Question:*
How to pass this SNI host name for creating SSLEngine?

*Here is the new implementation changed as per new Mina 2.2.10 API:*
try {
    sslContext = javax.net.ssl.SSLContext.getDefault();
    SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
    List<SNIServerName> sniHostNames = new ArrayList<>();
    sniHostNames.add(sniHostName);
    SSLParameters sslParams = sslContext.getDefaultSSLParameters();
    sslParams.setServerNames(sniHostNames);
    sslFilter = new SslFilter(sslContext);
    // sslFilter.setUseClientMode(true); // This is not required in 2.2.1 hence commented.
    connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
    e.printStackTrace();
    LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
}
connector.setHandler(ioHandler);

Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code :

/* no qualifier */ void init() throws SSLException {
    if (sslEngine != null) {
        // We already have a SSL engine created, no need to create a new one
        return;
    }
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
    }
    InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
    // Create the SSL engine here
    if (peer == null) {
        sslEngine = sslFilter.sslContext.createSSLEngine();
    } else {
        sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
    }
    // Initialize the engine in client mode if necessary
    sslEngine.setUseClientMode(sslFilter.isUseClientMode());


Regards,
------------------------------------------
M.V.S.Kishore
91-9886412814


On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <el...@gmail.com> wrote:

> Hi,
>
> On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > Thanks Emmanuel for the quick response. I have a few more questions on the
> > upgrade. Please do the needful.
> > If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps
> > do I need to follow?
>
> There are two pages that explain the difference between 2.0 and 2.1, and
> 2. and 2.2:
> * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> * https://mina.apache.org/mina-project/2.2-vs-2.1.html
>
> The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> session. It's pretty trivial.
>
> The 2.2. vs 2.1 migration is a bit more complicated, *if* you were using
> startTLS.
>
> Otherwise, it's pretty straightforward.
>
> Also note that the SSL handler has been completely reworked in 2.2.
>
> > Is it just a jar file change in the classpath or do I need to do any more
> > changes?
>
> It should be just about changing the jar.
>
>
> > Also we are also using https for communication? In this case what all
> > changes are needed?
>
> Nothing, AFAICT.
>
> > I have seen there is a change in the way we pass the SNI host name in 2.0.21
> > vs 2.2.1?
>
> Hmmm, not that I remember. Do you have any pointer?
>
> > First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
>
> Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
> branch is clearly the one we maintain.
>
> > Will the state machine work without doing any changes?
>
> It should not have changed.
>
> Hope it helps.
>

Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi,

On 12/04/2023 18:00, Kishore Mokkarala wrote:
> Thanks Emmanuel for the quick response. I have a few more questions on the
> upgrade. Please do the needful.
> If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps
> do I need to follow?

There are two pages that explain the difference between 2.0 and 2.1, and
2. and 2.2:
* https://mina.apache.org/mina-project/2.1-vs-2.0.html
* https://mina.apache.org/mina-project/2.2-vs-2.1.html

The 2.1 vs 2.0 difference is mainly about the way we detect a secured
session. It's pretty trivial.

The 2.2. vs 2.1 migration is a bit more complicated, *if* you were using
startTLS.

Otherwise, it's pretty straightforward.

Also note that the SSL handler has been completely reworked in 2.2.

> Is it just a jar file change in the classpath or do I need to do any more
> changes?

It should be just about changing the jar.


> Also we are also using https for communication? In this case what all
> changes are needed?

Nothing, AFAICT.

> I have seen there is a change in the way we pass the SNI host name in 2.0.21
> vs 2.2.1?

Hmmm, not that I remember. Do you have any pointer?

> First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?

Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
branch is clearly the one we maintain.

> Will the state machine work without doing any changes?

It should not have changed.

Hope it helps.


-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/



Fwd: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Kishore Mokkarala <ki...@gmail.com>.
Thanks Emmanuel for the quick response. I have a few more questions on the
upgrade. Please do the needful.
If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps
do I need to follow?
Is it just a jar file change in the classpath or do I need to do any more
changes?
Also we are also using https for communication? In this case what all
changes are needed?
I have seen there is a change in the way we pass the SNI host name in 2.0.21
vs 2.2.1?
First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
Will the state machine work without doing any changes?

Regards,
------------------------------------------
M.V.S.Kishore


On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <el...@gmail.com> wrote:

> Hi,
>
> Mina 2.0 branch is pretty old (5 years) and we have made significant
> changes in the 2.1 and more important the 2.2 branches. You should
> seriously consider migrating to 2.2. That being said:
>
> - 40 seconds to do whatever that was taking a few milliseconds sounds
> like a major regression, aka bug.
> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes
> little sense. The CVE only impacts the HTTP decoder. In other words, if
> it's working, don't break it...
> - We don't have enough context to tell you what could go wrong in your
> code. If you provide some piece of code we can run, we can investigate,
> otherwise it's like shouting in the dark... Typically, we have no clue
> about what the gpbMessageFilter does.
>
> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> > Hi,
> > There was a security vulnerability in mina 2.0.21, so we migrated
> > from apache mina 2.0.21 to 2.0.23. Locally in the dev environment everything
> > looks good, but in production we are facing a connection timeout issue with
> > the mina version 2.0.23.
> > For connection set up it was taking 10-20 milliseconds (less than a second)
> > with the old version (2.0.21).
> > With the new version even after 40 seconds connection was timed out.
> >
> > We use the same NioSocketConnector instance for opening 100
> > parallel connections.
> >
> > *Question:*
> > *My query is why it is taking more than 40 seconds for opening
> > the socket with the new version?*
> >
> > We are not using https communication.
> >
> > *Could you please suggest a work around.*
> >
> > What's happening in the below code is mina is timing out after 40 seconds and
> > also the IO session has been created using the state machine in separate
> > threads; both are running in two parallel threads. This issue is not seen
> > with the mina 2.0.21 version.
> >
> > *Here is the code snippet.*
> >
> >   private static final ExecutorFilter executorFilter = new
> > ExecutorFilter(16,32);
> >
> >      StateMachine stateMachine =
> > StateMachineFactory.getInstance(IoHandlerTransition.class).create(
> >                  G10MinaClient.CONNECTED, new G10MinaClient(processor));
> >
> >          IoHandler ioHandler = new
> > StateMachineProxyBuilder().setStateContextLookup(
> >                  new IoSessionStateContextLookup(new StateContextFactory() {
> >                      @Override
> >                      public StateContext create() {
> >                          final G10StateContext stateContext = new
> > G10StateContext();
> >                          stateContext.setStartedTime(new Date());
> >                          return stateContext;
> >                      }
> >                  })).create(IoHandler.class, stateMachine);
> >
> > NioSocketConnector connector = new NioSocketConnector();
> >          connector.getFilterChain().addLast("LoggingFilter",
> > G10CaptureService.loggingFilter);
> >          connector.getFilterChain().addLast("codecFilter",
> > G10CaptureService.probeCodecFilter);
> >          connector.getFilterChain().addLast("executorFilter",
> > G10CaptureService.executorFilter);
> >          connector.getFilterChain().addLast("gpbMessageFilter",
> > G10CaptureService.gpbMessageFilter);
> >          connector.getFilterChain().addLast("keepAliveFilter",
> > G10CaptureService.keepAliveFilter);
> >          connector.setHandler(ioHandler);
> > ConnectFuture primaryConnectFuture = connector.connect(primaryAddress,
> > initializer);
> > if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
> > //MINA_CLOSE_TIMEOUT is 40 seconds
> > {
> >
> >                      if (handleIOException(searchExpression,
> > captureHandler)) {
> >                          return;
> >                      }
> >                      LOG.info("{} Apache mina connection setup time out happend.",
> >                      handleConnectionFailed(primaryAddress, captureHandler,
> > "Primary IP connection timeout");
> >                      return;
> > }
> >
> > Regards,
> > M.V.S.Kishore
> > 91-9886412814
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecharny@busit.com https://www.busit.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@mina.apache.org
> For additional commands, e-mail: users-help@mina.apache.org
>
>

Re: migration from apache mina 2.0.21 to 2.0.23 issue

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi,

Mina 2.0 branch is pretty old (5 years) and we have made significant
changes in the 2.1 and, more importantly, the 2.2 branches. You should
seriously consider migrating to 2.2. That being said:

- 40 seconds to do whatever that was taking a few milliseconds sounds
like a major regression, aka bug.
- If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes 
little sense. The CVE only impacts the HTTP decoder. In other words, if 
it's working, don't break it...
- We don't have enough context to tell you what could go wrong in your 
code. If you provide some piece of code we can run, we can investigate, 
otherwise it's like shouting in the dark... Typically, we have no clue 
about what the gpbMessageFilter does.

On 10/04/2023 13:37, Kishore Mokkarala wrote:
> Hi,
> There was a security vulnerability in mina 2.0.21, so we migrated
> from apache mina 2.0.21 to 2.0.23. Locally in the dev environment everything
> looks good, but in production we are facing a connection timeout issue with
> the mina version 2.0.23.
> For connection set up it was taking 10-20 milliseconds (less than a second)
> with the old version (2.0.21).
> With the new version even after 40 seconds connection was timed out.
> 
> We use the same NioSocketConnector  instance for opening 100
> parallel connections.
> 
> *Question:*
> *My query is why it is taking more time more than 40 seconds for opening
> the socket with the new version ?*
> 
> We are not using https communication.
> 
> *Could you please suggest a work around.*
> 
> What's happening in the below code is that mina times out after 40 seconds and
> also the IO session has been created using the state machine in separate
> threads; both are running in two parallel threads. This issue is not seen
> with the mina 2.0.21 version.
> 
> *Here is the code snippet.*
> 
>   private static final ExecutorFilter executorFilter = new
> ExecutorFilter(16,32);
> 
>      StateMachine stateMachine =
> StateMachineFactory.getInstance(IoHandlerTransition.class).create(
>                  G10MinaClient.CONNECTED, new G10MinaClient(processor));
> 
>          IoHandler ioHandler = new
> StateMachineProxyBuilder().setStateContextLookup(
>                  new IoSessionStateContextLookup(new StateContextFactory() {
>                      @Override
>                      public StateContext create() {
>                          final G10StateContext stateContext = new
> G10StateContext();
>                          stateContext.setStartedTime(new Date());
>                          return stateContext;
>                      }
>                  })).create(IoHandler.class, stateMachine);
> 
> NioSocketConnector connector = new NioSocketConnector();
>          connector.getFilterChain().addLast("LoggingFilter",
> G10CaptureService.loggingFilter);
>          connector.getFilterChain().addLast("codecFilter",
> G10CaptureService.probeCodecFilter);
>          connector.getFilterChain().addLast("executorFilter",
> G10CaptureService.executorFilter);
>          connector.getFilterChain().addLast("gpbMessageFilter",
> G10CaptureService.gpbMessageFilter);
>          connector.getFilterChain().addLast("keepAliveFilter",
> G10CaptureService.keepAliveFilter);
>          connector.setHandler(ioHandler);
> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress,
> initializer);
> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
> //MINA_CLOSE_TIMEOUT is 40 seconds
> {
> 
>                      if (handleIOException(searchExpression,
> captureHandler)) {
>                          return;
>                      }
>                      LOG.info("{} Apache mina connection setup time out happend.",
>                      handleConnectionFailed(primaryAddress, captureHandler,
> "Primary IP connection timeout");
>                      return;
> }
> 
> Regards,
> M.V.S.Kishore
> 91-9886412814
> 

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/
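
A runnable reproduction of the kind the reply above asks for, added here as an example and not code from either poster or from the MINA project: it opens 100 parallel connections through one shared `NioSocketConnector` with an empty filter chain against a loopback acceptor and reports the slowest connect. The class name `ConnectLatencyRepro`, the loopback acceptor and the empty filter chain are assumptions; it needs `mina-core` and `slf4j-api` on the classpath.

```java
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.List;

import org.apache.mina.core.future.ConnectFuture;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
import org.apache.mina.transport.socket.nio.NioSocketConnector;

// Hypothetical class name; everything here is loopback-only and self-contained.
public class ConnectLatencyRepro {
    static final int CONNECTIONS = 100;      // parallel connections, as in the report
    static final long TIMEOUT_MS = 40_000L;  // same bound as MINA_CLOSE_TIMEOUT

    public static void main(String[] args) throws Exception {
        // Local peer so the measurement does not depend on the production network.
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.setHandler(new IoHandlerAdapter());
        acceptor.setBacklog(CONNECTIONS);    // must be set before bind()
        acceptor.bind(new InetSocketAddress("127.0.0.1", 0)); // ephemeral port
        InetSocketAddress target = acceptor.getLocalAddress();

        // One shared connector, deliberately with an empty filter chain.
        NioSocketConnector connector = new NioSocketConnector();
        connector.setHandler(new IoHandlerAdapter());
        connector.setConnectTimeoutMillis(TIMEOUT_MS);
        try {
            long start = System.nanoTime();
            List<ConnectFuture> futures = new ArrayList<>();
            for (int i = 0; i < CONNECTIONS; i++) {
                futures.add(connector.connect(target)); // returns immediately
            }
            int ok = 0, failed = 0, timedOut = 0;
            long worstMs = 0;
            for (ConnectFuture f : futures) {
                if (!f.awaitUninterruptibly(TIMEOUT_MS)) { timedOut++; continue; }
                worstMs = Math.max(worstMs, (System.nanoTime() - start) / 1_000_000L);
                if (f.isConnected()) { ok++; f.getSession().closeNow(); }
                else { failed++; }
            }
            System.out.printf("ok=%d failed=%d timedOut=%d worst=%d ms%n",
                    ok, failed, timedOut, worstMs);
        } finally {
            connector.dispose();
            acceptor.dispose();
        }
    }
}
```

Run it once with each `mina-core` version on the classpath. If the bare connector is fast on both, re-add the application's filters one at a time to find which one changes the timing.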
