[ https://issues.apache.org/jira/browse/DIRMINA-1132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17394864#comment-17394864 ]

Jonathan Valliere edited comment on DIRMINA-1132 at 8/6/21, 4:30 PM:
---------------------------------------------------------------------

[~canberkizgi]
 * {{setUseClientMode()}} is no longer needed because client mode is 
automatically determined by the type of {{IoSession}}.  An {{IoSession}} 
created by the {{IoConnector}} will automatically start in client mode.  The 
new API {{IoSession#isServer()}} simplifies the determination as to whether the 
{{IoSession}} is owned by a server or not.
 * {{isSslStarted()}} is no longer needed because SSL will automatically start 
when added to the filter-chain for client mode {{IoSessions}}.  The moment the 
filter is added to the chain, you assume that the SSL has begun.  The SSL 
process should be completely transparent; you should not have to engineer 
solutions based on knowing the internal state of the SSL.  If you have to know 
the internal state of the SSL then I've designed something poorly.
 * {{getSslSession()}} can be added back in another form if necessary; if you 
want to configure the {{SSLSession}} before handshaking all you need to do is 
extend {{SSL2Filter#createEngine()}} to apply your own config.
 * {{PEER_ADDRESS}} is determined automatically by reading the IoSession 
address.  This could be added back if justifiable.
 * {{DISABLE_ENCRYPTION_ONCE}} is completely thread unsafe because there is 
never any order guarantee that the next message is the one you want to not 
encrypt.  I'm also not sure what the particular usage scenario is for this.  If 
this functionality is absolutely necessary, then some kind of 
DoNotEncryptWriteRequest would need to be added.
 * {{USE_NOTIFICATION}} (while IMHO is completely unnecessary) is enabled by 
default; the notification event is dispatched and the session attribute 
{{SSL_SECURED}} is set to NOT NULL.  Otherwise, it is perfectly safe to write 
messages at any time after the SSL2 filter has been added to the filter-chain.

 

The old SSL package will be completely removed from 2.2.X forward.  The new 
SSL2 package will become the default SSL implementation for MINA.  The old SSL 
package was very weirdly designed from the start and many many patches were 
added trying to save it from itself.  Kind of like slapping duct tape on a 
sinking boat.  Our boat was more duct tape than boat at this point.  Unresolved 
SSL bugs were a large percentage of the open and unresolved issues in MINA. 
This led to something that was completely unmanageable and should not represent 
the code quality we are striving for moving forward.

My goal here is to end up with something which is cleanly written and 
extendable.  It is my preference to have the design allow users to extend the 
package to implement their own features rather than adding features only one 
organization uses to the mainline.

 


was (Author: johnnyv):
[~canberkizgi]
 * {{setUseClientMode()}} is no longer needed because client mode is 
automatically determined by the type of {{IoSession}}.  An {{IoSession}} 
created by the {{IoConnector}} will automatically start in client mode.  The 
new API {{IoSession#isServer()}} simplifies the determination as to whether the 
{{IoSession}} is owned by a server or not.
 * {{isSslStarted()}} is no longer needed because SSL will automatically start 
when added to the filter-chain for client mode {{IoSessions}}.  The moment the 
filter is added to the chain, you assume that the SSL has begun.  The SSL 
process should be completely transparent; you should not have to engineer 
solutions based on knowing the internal state of the SSL.  If you have to know 
the internal state of the SSL then I've designed something poorly.
 * {{getSslSession()}} can be added back in another form if necessary; if you 
want to configure the {{SSLSession}} before handshaking all you need to do is 
extend {{SSL2Filter#onEngineCreated()}} to apply your own config.
 * {{PEER_ADDRESS}} is determined automatically by reading the IoSession 
address.  This could be added back if justifiable.
 * {{DISABLE_ENCRYPTION_ONCE}} is completely thread unsafe because there is 
never any order guarantee that the next message is the one you want to not 
encrypt.  I'm also not sure what the particular usage scenario is for this.  If 
this functionality is absolutely necessary, then some kind of 
DoNotEncryptWriteRequest would need to be added.
 * {{USE_NOTIFICATION}} (while IMHO is completely unnecessary) is enabled by 
default; the notification event is dispatched and the session attribute 
{{SSL_SECURED}} is set to NOT NULL.  Otherwise, it is perfectly safe to write 
messages at any time after the SSL2 filter has been added to the filter-chain.

 

The old SSL package will be completely removed from 2.2.X forward.  The new 
SSL2 package will become the default SSL implementation for MINA.  The old SSL 
package was very weirdly designed from the start and many many patches were 
added trying to save it from itself.  Kind of like slapping duct tape on a 
sinking boat.  Our boat was more duct tape than boat at this point.  Unresolved 
SSL bugs were a large percentage of the open and unresolved issues in MINA. 
This led to something that was completely unmanageable and should not represent 
the code quality we are striving for moving forward.

My goal here is to end up with something which is cleanly written and 
extendable.  It is my preference to have the design allow users to extend the 
package to implement their own features rather than adding features only one 
organization uses to the mainline.
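As an added example (not code from the MINA project or from this thread) of the extension point described above: a client-side SSL2Filter subclass overrides createEngine() to pin TLSv1.3 and enable hostname verification, and is then used on an NioSocketConnector without any setUseClientMode() or isSslStarted() call. The org.apache.mina.filter.ssl2 package location, the SSL2Filter(SSLContext) constructor, the createEngine(IoSession, InetSocketAddress) parameter list and SSL2Filter.SSL_SECURED as an attribute-key constant are assumptions.

```java
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.mina.core.buffer.IoBuffer;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl2.SSL2Filter; // package location assumed
import org.apache.mina.transport.socket.nio.NioSocketConnector;

/** SSL2Filter subclass that hardens the SSLEngine before the handshake starts. */
final class HardenedSsl2Filter extends SSL2Filter {
    HardenedSsl2Filter(SSLContext ctx) { super(ctx); } // constructor shape assumed

    // Signature assumed: createEngine(IoSession, InetSocketAddress), concrete in the parent.
    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        SSLEngine engine = super.createEngine(session, addr); // client/server mode already chosen
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3"});
        if (!session.isServer()) {
            // Client side only: verify the server certificate against the peer host name.
            params.setEndpointIdentificationAlgorithm("HTTPS");
        }
        engine.setSSLParameters(params);
        return engine;
    }
}

public final class Ssl2ClientExample {
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // platform trust store; replace as needed
        NioSocketConnector connector = new NioSocketConnector();
        connector.getFilterChain().addLast("ssl", new HardenedSsl2Filter(ctx));
        connector.setHandler(new IoHandlerAdapter() {
            @Override
            public void sessionOpened(IoSession session) {
                // Connector sessions start in client mode; the filter queues this write until
                // the handshake completes, so no isSslStarted() check is needed.
                session.write(IoBuffer.wrap("Sample Text".getBytes(StandardCharsets.UTF_8)));
            }
            @Override
            public void messageReceived(IoSession session, Object message) {
                // SSL_SECURED is a non-null session attribute once the handshake has finished.
                boolean secured = session.containsAttribute(SSL2Filter.SSL_SECURED);
                System.out.println("secured=" + secured + " reply=" + message);
                session.closeOnFlush();
            }
        });
        connector.connect(new InetSocketAddress("localhost", 53001)).awaitUninterruptibly();
    }
}
```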

 

> TLSv1.3 - MINA randomly fails in reading the message sent by client
> -------------------------------------------------------------------
>
>                 Key: DIRMINA-1132
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1132
>             Project: MINA
>          Issue Type: Bug
>          Components: Core, SSL
>    Affects Versions: 2.0.21
>         Environment: Operating System: Windows 10 1903
> Java Version: jdk-11.0.7, jdk-12.0.2
>            Reporter: Venkata Kishore Tavva
>            Assignee: Jonathan Valliere
>            Priority: Critical
>             Fix For: 2.2.0
>
>         Attachments: console.log, example-project.zip, keyStore.pfx, 
> trustStore.pfx
>
>
> While trying to Implement TLSv1.3 in our systems, we found an issue with Mina 
> Core dependency. For TLSv1.2 we never had the issue. But with TLSv1.3, 
> randomly the message sent by the client is discarded. In such scenarios, the 
> server waits for session to pass idle timeout and closes the session. Please 
> find the sample code below:
> {code:java}
> import org.apache.mina.core.service.IoHandlerAdapter;
> import org.apache.mina.core.session.IdleStatus;
> import org.apache.mina.core.session.IoSession;
> import org.apache.mina.filter.ssl.SslFilter;
> import org.apache.mina.transport.socket.SocketAcceptor;
> import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
> import javax.net.ssl.*;
> import java.io.*;
> import java.net.InetSocketAddress;
> import java.security.KeyStore;
> public class Main {
>    public static void main(String[] args) throws Exception {
>       System.setProperty("javax.net.debug","all");
>       KeyManagerFactory keyManagerFactory;
>       try(FileInputStream fis = new FileInputStream("keyStore.pfx")) {
>          keyManagerFactory = 
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>          KeyStore keyStore = KeyStore.getInstance("PKCS12");
>          keyStore.load(fis, "passphrase".toCharArray());
>          keyManagerFactory.init(keyStore, "passphrase".toCharArray());
>       }
>       TrustManagerFactory trustManagerFactory;
>       try(FileInputStream fis = new FileInputStream("trustStore.pfx")){
>          trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
>          KeyStore trustStore = KeyStore.getInstance("PKCS12");
>          trustStore.load(fis, "passphrase".toCharArray());
>          trustManagerFactory.init(trustStore);
>       }
>       SSLContext context = SSLContext.getInstance("TLSv1.3");
>       context.init(keyManagerFactory.getKeyManagers(), 
> trustManagerFactory.getTrustManagers(), null);
>       SslFilter filter = new SslFilter(context);
>       filter.setEnabledProtocols(new String[]{"TLSv1.3"});
>       filter.setEnabledCipherSuites(new String[]{"TLS_AES_128_GCM_SHA256", 
> "TLS_AES_256_GCM_SHA384"});
>       SocketAcceptor acceptor = new NioSocketAcceptor();
>       acceptor.setReuseAddress(true);
>       acceptor.getFilterChain().addLast("sslFilter", filter);
>       acceptor.setHandler( new ServerHandler());
>       acceptor.bind(new InetSocketAddress(53001));
>       System.out.println("Server started on Port : 53001");
>       System.out.println("Start sending data using cUrl below:");
>       System.out.println("-> curl --location --insecure --tlsv1.3 --ipv4 'https://localhost:53001' --data-raw 'Sample Text'");
>    }
> }
> class ServerHandler extends IoHandlerAdapter {
>    @Override
>    public void sessionCreated(IoSession session) {
>       System.out.println( "\nSession created : " + session);
>    }
>    @Override
>    public void sessionOpened(IoSession session) {
>       System.out.println( "Session opened : " + session);
>       session.getConfig().setIdleTime(IdleStatus.BOTH_IDLE,  60);
>    }
>    @Override
>    public void sessionClosed(IoSession session) {
>       System.out.println( "Session closed : " + session);
>       session.closeNow();
>    }
>    @Override
>    public void sessionIdle(IoSession session, IdleStatus status) {
>       System.out.println( "==========================" );
>       System.out.println( "Session is idle for 60 secs hence closing session: " + session.getRemoteAddress());
>       System.out.println( "==========================" );
>       session.closeNow();
>    }
>    @Override
>    public void exceptionCaught(IoSession session, Throwable cause) {
>       System.out.println("Exception :\n");
>       cause.printStackTrace();
>       session.closeNow();
>    }
>    @Override
>    public void messageReceived(IoSession session, Object message) {
>       System.out.println("Message Received!!!");
>       //do further processing on @param{message}
>       session.closeOnFlush();
>    }
> }
> {code}
> Note: Try sending the request multiple times; at random, the sent message is 
> sometimes not properly read. Observe that the session id *0x00000003* fails 
> with the error.
> {code:java}
> Console Output:
> > java.exe -cp * Main
> Server started on Port : 53001
> Start sending data using cUrl below:
> -> curl --location --insecure --tlsv1.3 --ipv4 'https://localhost:53001' 
> --data-raw 'Sample Text'
> Session created : (0x00000001: nio socket, server, /127.0.0.1:56639 => 
> /127.0.0.1:53001)
> Session opened : (0x00000001: nio socket, server, /127.0.0.1:56639 => 
> /127.0.0.1:53001)
> Message Received!!!
> Session closed : (0x00000001: nio socket, server, null => 
> 0.0.0.0/0.0.0.0:53001)Session created : (0x00000002: nio socket, server, 
> /127.0.0.1:56651 => /127.0.0.1:53001)
> Session opened : (0x00000002: nio socket, server, /127.0.0.1:56651 => 
> /127.0.0.1:53001)
> Message Received!!!
> Session closed : (0x00000002: nio socket, server, null => 
> 0.0.0.0/0.0.0.0:53001)Session created : (0x00000003: nio socket, server, 
> /127.0.0.1:56656 => /127.0.0.1:53001)
> Session opened : (0x00000003: nio socket, server, /127.0.0.1:56656 => 
> /127.0.0.1:53001)
> ==========================
> Session is idle for 60 secs hence closing session: /127.0.0.1:56656
> ==========================
> Session closed : (0x00000003: nio socket, server, null => 
> 0.0.0.0/0.0.0.0:53001)Session created : (0x00000004: nio socket, server, 
> /127.0.0.1:56849 => /127.0.0.1:53001)
> Session opened : (0x00000004: nio socket, server, /127.0.0.1:56849 => 
> /127.0.0.1:53001)
> Message Received!!!
> Session closed : (0x00000004: nio socket, server, null => 
> 0.0.0.0/0.0.0.0:53001)Session created : (0x00000005: nio socket, server, 
> /127.0.0.1:56860 => /127.0.0.1:53001)
> Session opened : (0x00000005: nio socket, server, /127.0.0.1:56860 => 
> /127.0.0.1:53001)
> Message Received!!!
> Session closed : (0x00000005: nio socket, server, null => 
> 0.0.0.0/0.0.0.0:53001)
> {code}


