You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "Guus der Kinderen (JIRA)" <ji...@apache.org> on 2017/10/06 20:12:00 UTC

[jira] [Created] (DIRMINA-1072) SslFilter does not account for SSLEngine runtime exceptions

Guus der Kinderen created DIRMINA-1072:
------------------------------------------

             Summary: SslFilter does not account for SSLEngine runtime exceptions
                 Key: DIRMINA-1072
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1072
             Project: MINA
          Issue Type: Bug
          Components: SSL
    Affects Versions: 2.0.16
            Reporter: Guus der Kinderen
         Attachments: sslengine-exception.patch

Mina's {{SslFilter}} wraps Mina's {{SslHandler}}, which itself wraps Java's {{SSLEngine}}.

{{SslFilter}} does not catch runtime exceptions that are thrown by {{SSLEngine}} - I am unsure if this is by design.

Ideally, we'd prevent the engine to get into a state where it can throw such exceptions, but I'm not sure if that's completely feasible.

None-the-less, I'm here providing an improvement that prevents at least one occurrence of an unchecked exception from being thrown (instead, my patch preemptively throws an {{SSLException}} that is then caught by the exception handling that's already in place).

An alternative to this fix could be an additional catch block, that handles unchecked exceptions.

The scenario that is causing the unchecked exception that is caught by this patch, is this:
* client connects, causes an SslFilter to be initialized, which causes the SSLEngine to begin its handshake
* server shuts down the input (for instance, for inactivity, or as a side-effect of resource starvation)
* client sends data

The corresponding stack trace starts with this:
{code}java.lang.IllegalStateException: Internal error
        at sun.security.ssl.SSLEngineImpl.initHandshaker(SSLEngineImpl.java:470)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1007)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624){code}

Inspiration for this fix was obtain from the Jetty project, notably, this change: https://github.com/eclipse/jetty.project/issues/1228



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)