You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Christoph John (JIRA)" <ji...@apache.org> on 2017/10/07 23:36:02 UTC
[jira] [Comment Edited] (DIRMINA-1072) SslFilter does not account
for SSLEngine runtime exceptions
[ https://issues.apache.org/jira/browse/DIRMINA-1072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16195939#comment-16195939 ]
Christoph John edited comment on DIRMINA-1072 at 10/7/17 11:35 PM:
-------------------------------------------------------------------
I assume the "Fix Version" is 2.0.17 then? Any plans on when this is going to be released?
Thanks in advance
was (Author: chrjohn):
I assume the "Fix Version" is 2.0.17 then? Any plans on when this going to be released?
Thanks in advance
> SslFilter does not account for SSLEngine runtime exceptions
> -----------------------------------------------------------
>
> Key: DIRMINA-1072
> URL: https://issues.apache.org/jira/browse/DIRMINA-1072
> Project: MINA
> Issue Type: Bug
> Components: SSL
> Affects Versions: 2.0.16
> Reporter: Guus der Kinderen
> Attachments: sslengine-exception.patch, sslengine-exception-with-destroy.patch
>
>
> Mina's {{SslFilter}} wraps Mina's {{SslHandler}}, which itself wraps Java's {{SSLEngine}}.
> {{SslFilter}} does not catch runtime exceptions that are thrown by {{SSLEngine}} - I am unsure if this is by design.
> Ideally, we'd prevent the engine to get into a state where it can throw such exceptions, but I'm not sure if that's completely feasible.
> None-the-less, I'm here providing an improvement that prevents at least one occurrence of an unchecked exception from being thrown (instead, my patch preemptively throws an {{SSLException}} that is then caught by the exception handling that's already in place).
> An alternative to this fix could be an additional catch block, that handles unchecked exceptions.
> The scenario that is causing the unchecked exception that is caught by this patch, is this:
> * client connects, causes an SslFilter to be initialized, which causes the SSLEngine to begin its handshake
> * server shuts down the input (for instance, for inactivity, or as a side-effect of resource starvation)
> * client sends data
> The corresponding stack trace starts with this:
> {code}java.lang.IllegalStateException: Internal error
> at sun.security.ssl.SSLEngineImpl.initHandshaker(SSLEngineImpl.java:470)
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1007)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624){code}
> Inspiration for this fix was obtain from the Jetty project, notably, this change: https://github.com/eclipse/jetty.project/issues/1228
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)