Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2022/04/12 02:07:00 UTC

[jira] [Commented] (JAMES-3741) SSL: sporadic failure of new connection failure under load in 3.7.x

    [ https://issues.apache.org/jira/browse/JAMES-3741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520884#comment-17520884 ] 

Benoit Tellier commented on JAMES-3741:
---------------------------------------

Non-regression test merged for 3.8.0.

The issue remains unsolved for 3.7.x and earlier releases.

> SSL: sporadic failure of new connection failure under load in 3.7.x
> -------------------------------------------------------------------
>
>                 Key: JAMES-3741
>                 URL: https://issues.apache.org/jira/browse/JAMES-3741
>             Project: James Server
>          Issue Type: Improvement
>          Components: IMAPServer, POP3Server, SMTPServer
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: master
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Exception seen on 3.7.x... Context: performance tests with several new SSL connections opened per second (high concurrency).
> {code:java}
> 21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
> javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
> 	at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1894)
> 	at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
> 	at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
> 	at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
> 	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
> 	... 24 common frames omitted
> {code}
> Can be reliably reproduced by opening many new SSL connections concurrently:
> {code:java}
>     @Nested
>     class Toto {
>         IMAPServer imapServer;
>         int port;
>         @BeforeEach
>         void setup() throws Exception {
>             HierarchicalConfiguration<ImmutableNode> config = ConfigLoader.getConfig(ClassLoaderUtils.getSystemResourceAsSharedStream("imapSSL.xml"));
>             imapServer = createImapServer(config);
>             port = imapServer.getListenAddresses().get(0).getPort();
>         }
>         @AfterEach
>         void tearDown() {
>             if (imapServer != null) {
>                 imapServer.destroy();
>             }
>         }
>         @Test
>         void test() throws Exception {
>             ConcurrentTestRunner.builder()
>                 .operation((a, b) -> {
>                     // Each operation opens a fresh implicit-TLS connection and issues CAPABILITY over it
>                     IMAPSClient imapsClient = imapsImplicitClient(port);
>                     final boolean capability = imapsClient.capability();
>                     assertThat(capability).isTrue();
>                     final boolean close = imapsClient.close();
>                 })
>                 .threadCount(10)
>                 .operationCount(3000)
>                 .runSuccessfullyWithin(Duration.ofMinutes(10));
>         }
>         private IMAPSClient imapsImplicitClient(int port) throws Exception {
>             IMAPSClient client = new IMAPSClient(true, BogusSslContextFactory.getClientContext());
>             client.setTrustManager(BogusTrustManagerFactory.getTrustManagers()[0]);
>             client.connect("127.0.0.1", port);
>             return client;
>         }
>     }
> {code}
> and `imapSSL.xml` being: 
> {code:xml}
> <imapserver enabled="true">
>     <jmxName>imapserver</jmxName>
>     <bind>0.0.0.0:9993</bind>
>     <tls socketTLS="true" startTLS="false">
>         <privateKey>private.key</privateKey>
>         <certificates>certs.self-signed.csr</certificates>
>         <secret>123456</secret>
>     </tls>
>     <auth>
>         <plainAuthEnabled>true</plainAuthEnabled>
>         <requireSSL>true</requireSSL>
>     </auth>
> </imapserver>
> {code}
> Interestingly enough, the Netty4 migration post 3.7.x fixed the issue.
> Thus it will be fixed in later releases, yet it seemed interesting to me to document the issue.
> I propose to add a non-regression test on master.



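For deployments still on 3.7.x, one way to measure how often the failure in the quoted trace occurs is to scan the server log for it. This is an added example, not part of the original message or of the James code base; it assumes the log layout matches the excerpt in the report, and every sample line after the first event is constructed.

```python
import re
from collections import Counter

# Event header in the layout shown in the report: "HH:MM:SS.mmm [LEVEL] logger - message"
EVENT_RE = re.compile(r"^(\d{2}:\d{2}):\d{2}\.\d{3} \[(\w+)\s*\] (\S+) - (.*)$")
# JSSE message quoted in the report; the numbers are fragment length and tag size
AEAD_RE = re.compile(
    r"javax\.crypto\.BadPaddingException: Insufficient buffer remaining for AEAD "
    r"cipher fragment \((\d+)\)\. Needs to be more than tag size \((\d+)\)"
)

def split_events(lines):
    """Group each header line with the exception and stack lines that follow it."""
    event = None
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            if event:
                yield event
            event = {"minute": m.group(1), "level": m.group(2),
                     "logger": m.group(3), "body": []}
        elif event is not None:
            event["body"].append(line)
    if event:
        yield event

def find_aead_failures(lines):
    """Count matching events per minute, per logger and per fragment length."""
    per_minute, per_logger, fragments = Counter(), Counter(), Counter()
    for ev in split_events(lines):
        # Only the first body line (the thrown exception) is inspected
        m = AEAD_RE.match(ev["body"][0]) if ev["body"] else None
        if m:
            per_minute[ev["minute"]] += 1
            per_logger[ev["logger"]] += 1
            fragments[int(m.group(1))] += 1
    return per_minute, per_logger, fragments

# Constructed sample: the first event copies the trace from the report, the rest are made up
SAMPLE = """
21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
\tat java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1894)
21:34:29.015 [INFO ] example.Logger - unrelated message
21:34:41.902 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (5). Needs to be more than tag size (16)
21:35:02.120 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
java.io.IOException: Connection reset by peer
"""

if __name__ == "__main__":
    for counter in find_aead_failures(SAMPLE.splitlines()):
        print(dict(counter))
```

A per-minute count that rises with the rate of new TLS connections matches the high-concurrency context given in the report.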