You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by Raman Gupta <ro...@fastmail.fm> on 2007/10/19 00:07:15 UTC
SSLHandler and handshake alerts swallowed?
I am using MINA with the SSLHandler in client mode (among other
things) on the Sun JVM 1.5.0_12. MINA version is 1.1.0, except the
mina-filter-ssl module is compiled from
https://svn.apache.org/repos/asf/mina/branches/1.1@554788 which
includes a couple of ordering/handshake fixes for SSLFilter that are
not included in 1.1.0.
I have encountered a situation a few times now in production where the
handshake does not complete. An alert message is sent by the server
during the handshaking process, but this does not raise any errors or
exceptions from MINA. All subsequent outgoing traffic is simply
buffered by MINA due to what MINA thinks is an incomplete handshake.
Unfortunately, I don't have debug logs of this event, however I do
have a summarized TCP/IP trace (summary at [1], details at [2]). xxx
in the trace is my MINA app (the client) and yyy is the server.
[1]
http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-summary.txt
[2]
http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-details.txt
Note that the server sends an alert at frame 487380. I don't know what
this alert was (since it was encrypted) but I do know that no
SSLException was thrown by MINA (or perhaps the JVM) as I would have
expected. In addition, the subsequent connection close by the server
is ignored by MINA as well -- no sessionClosed event was generated on
my IoHandler. As far as my app was concerned the connection was still
open but the handshake was incomplete.
I am currently trying to capture debug logs for this event, but I need
to wait until this problem occurs again (it happens only rarely). In
the meantime, are there any SSL gurus out there that have any ideas?
Cheers,
Raman Gupta
Re: SSLHandler and handshake alerts swallowed?
Posted by Trustin Lee <tr...@gmail.com>.
On 10/19/07, Raman Gupta <ro...@fastmail.fm> wrote:
> I am using MINA with the SSLHandler in client mode (among other
> things) on the Sun JVM 1.5.0_12. MINA version is 1.1.0, except the
> mina-filter-ssl module is compiled from
> https://svn.apache.org/repos/asf/mina/branches/1.1@554788 which
> includes a couple of ordering/handshake fixes for SSLFilter that are
> not included in 1.1.0.
>
> I have encountered a situation a few times now in production where the
> handshake does not complete. An alert message is sent by the server
> during the handshaking process, but this does not raise any errors or
> exceptions from MINA. All subsequent outgoing traffic is simply
> buffered by MINA due to what MINA thinks is an incomplete handshake.
>
> Unfortunately, I don't have debug logs of this event, however I do
> have a summarized TCP/IP trace (summary at [1], details at [2]). xxx
> in the trace is my MINA app (the client) and yyy is the server.
>
> [1]
> http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-summary.txt
> [2]
> http://ca.geocities.com/rocketraman@rogers.com/ssl/ssl-failure-trace-details.txt
>
>
> Note that the server sends an alert at frame 487380. I don't know what
> this alert was (since it was encrypted) but I do know that no
> SSLException was thrown by MINA (or perhaps the JVM) as I would have
> expected. In addition, the subsequent connection close by the server
> is ignored by MINA as well -- no sessionClosed event was generated on
> my IoHandler. As far as my app was concerned the connection was still
> open but the handshake was incomplete.
>
> I am currently trying to capture debug logs for this event, but I need
> to wait until this problem occurs again (it happens only rarely). In
> the meantime, are there any SSL gurus out there that have any ideas?
What version of mina-filter-ssl.jar are you using? Please try to
upgrade to mina-filter-ssl-1.1.2 or 1.1.3.jar.
HTH,
Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP Key ID: 0x0255ECA6