SSLHandler and handshake alerts swallowed?

[Raman Gupta <ro...@fastmail.fm>]

I am using MINA with the SSLHandler in client mode (among other 
things) on the Sun JVM 1.5.0_12. MINA version is 1.1.0, except the 
mina-filter-ssl module is compiled from 
https://svn.apache.org/repos/asf/mina/branches/1.1@554788 which 
includes a couple of ordering/handshake fixes for SSLFilter that are 
not included in 1.1.0.

I have encountered a situation a few times now in production where the 
handshake does not complete. An alert message is sent by the server 
during the handshaking process, but this does not raise any errors or 
exceptions from MINA. All subsequent outgoing traffic is simply 
buffered by MINA due to what MINA thinks is an incomplete handshake.

Unfortunately, I don't have debug logs of this event, however I do 
have a summarized TCP/IP trace (summary at [1], details at [2]). xxx 
in the trace is my MINA app (the client) and yyy is the server.

[1] 
http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-summary.txt
[2] 
http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-details.txt 


Note that the server sends an alert at frame 487380. I don't know what 
this alert was (since it was encrypted) but I do know that no 
SSLException was thrown by MINA (or perhaps the JVM) as I would have 
expected. In addition, the subsequent connection close by the server 
is ignored by MINA as well -- no sessionClosed event was generated on 
my IoHandler. As far as my app was concerned the connection was still 
open but the handshake was incomplete.

I am currently trying to capture debug logs for this event, but I need 
to wait until this problem occurs again (it happens only rarely). In 
the meantime, are there any SSL gurus out there that have any ideas?

Cheers,
Raman Gupta

Re: SSLHandler and handshake alerts swallowed?

[Trustin Lee <tr...@gmail.com>]

On 10/19/07, Raman Gupta <ro...@fastmail.fm> wrote:
> I am using MINA with the SSLHandler in client mode (among other
> things) on the Sun JVM 1.5.0_12. MINA version is 1.1.0, except the
> mina-filter-ssl module is compiled from
> https://svn.apache.org/repos/asf/mina/branches/1.1@554788 which
> includes a couple of ordering/handshake fixes for SSLFilter that are
> not included in 1.1.0.
>
> I have encountered a situation a few times now in production where the
> handshake does not complete. An alert message is sent by the server
> during the handshaking process, but this does not raise any errors or
> exceptions from MINA. All subsequent outgoing traffic is simply
> buffered by MINA due to what MINA thinks is an incomplete handshake.
>
> Unfortunately, I don't have debug logs of this event, however I do
> have a summarized TCP/IP trace (summary at [1], details at [2]). xxx
> in the trace is my MINA app (the client) and yyy is the server.
>
> [1]
> http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-summary.txt
> [2]
> http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-details.txt
>
>
> Note that the server sends an alert at frame 487380. I don't know what
> this alert was (since it was encrypted) but I do know that no
> SSLException was thrown by MINA (or perhaps the JVM) as I would have
> expected. In addition, the subsequent connection close by the server
> is ignored by MINA as well -- no sessionClosed event was generated on
> my IoHandler. As far as my app was concerned the connection was still
> open but the handshake was incomplete.
>
> I am currently trying to capture debug logs for this event, but I need
> to wait until this problem occurs again (it happens only rarely). In
> the meantime, are there any SSL gurus out there that have any ideas?

What version of mina-filter-ssl.jar are you using?  Please try to
upgrade to mina-filter-ssl-1.1.2 or 1.1.3.jar.

HTH,
Trustin
-- 
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP Key ID: 0x0255ECA6