All tests are now passing green with my last commit in the write request branch.

Feel free to have a look at it.


On 25/03/2019 19:12, Emmanuel Lécharny wrote:
Ok, I know what's the cause of this failure.

What happens when we process the handshake is that the SslFilter exchanges some messages with the remote peer. Those messages have no reason to be transmitted to the application through the messageSent event, so the SslFilter must swallow this event during the HS negotiation.

The problem is when the last HS message is written, the SslEngine is now in a state where it can absorb encrypted messages, which must be sent back to the application through the messageSent event. The difficulty is that the last SSL HS message currently goes through the messageSent's SslFilter handler, and pops up to the application instead of being swallowed.

Previously, we were encapsulating such messages in a WriteRequest inherited class, and I removed this (useless) class. Obviously, I need a flag to 'mark' the HS messages and block them in the messageSent SslFilter handler.


Working on that atm.

On 25/03/2019 07:48, Emmanuel Lécharny wrote:
And here are the SSL debug traces :


...

0update handshake state: change_cipher_spec
0upcoming handshake states: server finished[20]
NioProcessor-2, WRITE: TLSv1.2 Alert, length = 80
[Raw write]: length = 85
[Raw read]: length = 5
0000: 15 03 03 00 50                                     ....P
[Raw read]: length = 80
main, READ: TLSv1.2 Alert, length = 80
Padded plaintext after DECRYPTION:  len = 80
0000: 6F 87 2A C3 50 2C C5 61   70 CE F7 D3 5F E8 DC 9B o.*.P,.ap..._...
0010: 01 00 D5 D2 05 1B C0 51   13 A6 40 EC 80 9F 2A 4C .......Q..@...*L
0020: EC D3 BF 1A 5B 4C 57 NioProcessor-2, called closeInbound()
87   E3 D9 0B 35 2F 32 20 64  ....[LW....5/2 d
NioProcessor-2, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack? javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
0030: DE 93 74 81 EA 08 9E C1   79 B2 7C 9D C8 E5 39 0D ..t.....NioProcessor-2, SEND TLSv1.2 ALERT:  fatal, description = internal_error y.NioProcessor-2, Exception sending alert: java.io.IOException: writer side was already closed.
....9.
0040: 5E 1A 0D 0D 0D 0NioProcessor-2, called closeOutbound()
D 0D 0D   0DNioProcessor-2, closeOutboundInternal()
 0D 0D 0D 0D 0D 0D 0D  ^...............
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, SEND TLSv1.2 ALERT:  fatal, description = bad_record_mac
Padded plaintext before ENCRYPTION:  len = 80
main, WRITE: TLSv1.2 Alert, length = 80
[Raw write]: length = 85
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: bad record MAC
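
The event-ordering problem described in the 25/03/2019 19:12 message, as an added example that is not part of the thread and is not Apache MINA code: a simplified model that compares suppressing `messageSent` based on the engine's current state with suppressing it based on a per-request flag. All type and method names (`Filter`, `Write`, `run`) and the sample payloads are hypothetical and constructed; Java 16 or later is assumed for `record`.

```java
import java.util.ArrayList;
import java.util.List;

// Toy model, not Apache MINA code: all type and method names are hypothetical.
public class HandshakeFlagDemo {
    // A queued write; 'handshake' is the mark set by the filter on its own records.
    record Write(String payload, boolean handshake) {}

    static final class Filter {
        boolean handshaking = true;            // mirrors the TLS engine's state
        final boolean useFlag;                 // true: decide per request, false: decide by state
        final List<Write> inFlight = new ArrayList<>();
        final List<String> deliveredToApp = new ArrayList<>();

        Filter(boolean useFlag) { this.useFlag = useFlag; }

        void write(String payload, boolean handshake) {
            inFlight.add(new Write(payload, handshake));
        }

        void handshakeComplete() { handshaking = false; }

        // The transport has flushed everything queued so far.
        void flush() {
            for (Write w : inFlight) messageSent(w);
            inFlight.clear();
        }

        void messageSent(Write w) {
            boolean swallow = useFlag ? w.handshake() : handshaking;
            if (!swallow) deliveredToApp.add(w.payload());
        }
    }

    // Constructed sequence: the final handshake record is queued, the engine
    // leaves the handshake state, and only then does the sent event fire.
    static List<String> run(boolean useFlag) {
        Filter f = new Filter(useFlag);
        f.write("ClientHello", true);
        f.flush();
        f.write("Finished", true);
        f.handshakeComplete();
        f.flush();
        f.write("app-data", false);
        f.flush();
        return f.deliveredToApp;
    }

    public static void main(String[] args) {
        System.out.println("state-based: " + run(false));
        System.out.println("flag-based:  " + run(true));
    }
}
```

In the state-based run the `Finished` record reaches the application list because the engine state has already changed when its sent event fires; in the flag-based run only `app-data` is delivered.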
