Re: Exception in filter (was: Re: [Vote] MINA 2.2.0 release)

Emmanuel Lécharny Tue, 12 Jul 2022 21:37:59 -0700

Here are some of my current findings.

For the (failing) test shouldFailWhenUsingBadClientCertificate, here arethe traces we get:

juil. 13, 2022 6:28:42 AM org.apache.mina.filter.ssl.SSLHandlerG0execute_taskGRAVE: SSLHandlerG0@ae273e3[mode=server, connected=false] task() -storing error {}javax.net.ssl.SSLHandshakeException: PKIX path validation failed:java.security.cert.CertPathValidatorException: signature check failed

        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)

atjava.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)atjava.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)atjava.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)atjava.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)atjava.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)atjava.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)

        at 
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)

atjava.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)atjava.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)atjava.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)

        at java.base/java.security.AccessController.doPrivileged(Native Method)

atjava.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)atorg.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)atorg.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)

        at 
org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
        at 
org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)

atorg.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)atorg.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)atorg.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)atorg.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)atorg.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)atorg.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)atorg.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)atorg.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)atorg.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)atorg.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)atorg.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)atorg.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)atorg.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)atorg.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)atorg.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)atorg.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)atjava.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)atjava.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

        at java.base/java.lang.Thread.run(Thread.java:829)

Caused by: sun.security.validator.ValidatorException: PKIX pathvalidation failed: java.security.cert.CertPathValidatorException:signature check failedatjava.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)atjava.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)

        at 
java.base/sun.security.validator.Validator.validate(Validator.java:264)

atjava.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)atjava.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)atjava.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:104)atquickfix.mina.ssl.X509TrustManagerWrapper.checkClientTrusted(X509TrustManagerWrapper.java:60)atjava.base/sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1517)atjava.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)

        ... 31 more

Caused by: java.security.cert.CertPathValidatorException: signaturecheck failedatjava.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)atjava.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)atjava.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)atjava.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)atjava.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)atjava.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)

        ... 39 more
Caused by: java.security.SignatureException: Signature does not match.
        at 
java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)

atjava.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)atjava.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)atjava.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)

        ... 44 more

juil. 13, 2022 6:28:42 AMquickfix.mina.ssl.SSLCertificateTest$TestConnector$1 exceptionCaught

INFOS: exceptionCaught

javax.net.ssl.SSLHandshakeException: PKIX path validation failed:java.security.cert.CertPathValidatorException: signature check failed

        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)

        at 
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)

        at java.base/java.security.AccessController.doPrivileged(Native Method)

        at 
org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
        at 
org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)

        at java.base/java.lang.Thread.run(Thread.java:829)

        at 
java.base/sun.security.validator.Validator.validate(Validator.java:264)

        ... 31 more

        ... 39 more
Caused by: java.security.SignatureException: Signature does not match.
        at 
java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)

        ... 44 more



As we can see, there is a log:

juil. 13, 2022 6:28:42 AMquickfix.mina.ssl.SSLCertificateTest$TestConnector$1 exceptionCaught

INFOS: exceptionCaught

javax.net.ssl.SSLHandshakeException: PKIX path validation failed:java.security.cert.CertPathValidatorException: signature check failed

saying that the client has actually received a rooted exception (here,the PKIX path validation failed).

OTOH, it seems that the connector does not properly handle thisexception, ie the alert message is not propagated to the exceptionCaughthandler on the client side.



That is the part to be investigated, IMO.


On 13/07/2022 05:29, Emmanuel Lécharny wrote:

Never mind, I'm set up now, and in debug mode. All is good !

On 13/07/2022 00:47, Emmanuel Lécharny wrote:
Hi Christoph,
I'm trying to ran the failing tests on my machine (eclipse with Java8 and Java 11), and I'll probably need some assistance.
I'm using the chrjohn-mina-2.2.0 branch. It seems that the generatedcode is not stored at the proper place.
Any clue?


On 09/07/2022 11:49, Christoph John wrote:
Thanks. Anything I can do to assist? Although I might only find timethe week after next because am currently on vacation.
Jul 9, 2022 09:00:21 Emmanuel Lécharny <[email protected]>:
I do think we need to have a look at it (and I may find some time todo it too, as I'm in vacation in the coming week)
However, I think we should get this 2.0 out. Ther eis no problem inreleasing a fix if needed.
Thanks !

On 09/07/2022 07:17, Jonathan Valliere wrote:
Sooo… do I need to look into this or was this resolved?
On Fri, Jul 8, 2022 at 11:51 PM Emmanuel Lécharny<[email protected] <mailto:[email protected]>> wrote:
     The changes I did were to ensure that any ouutbound data are sent
     when a
TLS erroroccurs, because the Alert must be sent no matterwhat. This is
     critical for a client to know what is the cause of the failure
     (typically when a bad certificate is provided - expired, revoked,
     etc -):
     https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
     <https://datatracker.ietf.org/doc/html/rfc5246#section-7.2>
I also checked that in this case an exception is propagated upto the
     IoHandler for teh server to be informed about the situuation.

     On 06/07/2022 12:42, Jonathan Valliere wrote:
      >   What test are you trying?  Emmanuel made changes from the
     original design
> to cause it to throw on the filter. My original designthrew on
     the filter
      > but only during a subsequent read or write action thereby
     enforcing strong
      > concurrency within the pipeline.
      >
      > On Jul 6, 2022 at 3:53:57 AM, Christoph John
      > <[email protected]
     <mailto:[email protected]>.invalid> wrote:
      >
      >> Ok, the tests in QuickFIX/J which expect the exception to be
     caught in a
      >> filter still don't work.
>> I recall that you also did some changes in other Apacheprojects
     to make
>> it work with MINA 2.2.0. Could it be that I also need toadapt
     something in
      >> this regard?
      >>
      >> Thanks
      >> Chris
      >>
      >> Jul 5, 2022 18:47:09 Emmanuel Lécharny <[email protected]
     <mailto:[email protected]>>:
      >>
      >> I have tested that the exception gets propagated before
     launching the vote
      >> to be clear :-)
      >>
      >>
      >> On 05/07/2022 18:17, Christoph John wrote:
      >>
      >>> Sorry, no. The last message regarding this was:
      >>
      >>>
      >>
      >>> ----------snip---------
      >>
      >>>
      >>
      >>> 11.04.2022 09:37:30 Emmanuel Lécharny <[email protected]
     <mailto:[email protected]>>:
      >>
      >>> Hi Christophe,
      >>
      >>> sorry, my late mail was off base.
      >>
>>> The pb here is that the SSLEngine excpeiton is notpropagated
     to the
      >> handler, when it should.
      >>
      >>> My guess is that we have some missing call somewhere in the
     stack. I'm
      >> going to check that out.
      >>
      >>> On 11/04/2022 00:15, Christoph John wrote:
      >>
      >>>> Hi,
      >>
      >>>> thanks Jonathan and Emmanuel for working on this!
      >>
      >>>> I tried to integrate this into QuickFIX/J and it compiles
     successfully.
>> However there are some tests failing that expect anException.
     For example
      >> we have
      >>
      >>>>
      >>
https://github.com/quickfix-j/quickfixj/blob/b6a822a46a5278dcd0985a5a77299ed03168ab03/quickfixj-core/src/test/java/quickfix/mina/ssl/SecureSocketTest.java#L54<https://github.com/quickfix-j/quickfixj/blob/b6a822a46a5278dcd0985a5a77299ed03168ab03/quickfixj-core/src/test/java/quickfix/mina/ssl/SecureSocketTest.java#L54>
      >>
      >>>> Up to now it was tried to get the Exception via a filter in
     the chain.
      >> This no longer seems to work but I think I can see the error
     getting thrown
      >> in the log:
      >>
      >>>> SEVERE: SSLHandlerG0@590ec99c[mode=server, connected=false]
     task() -
      >> storing error {}
      >>
      >>>> javax.net.ssl.SSLHandshakeException: No available
     authentication scheme
      >>
      >>>>      at
>>java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      >>
      >>>>      at
>>java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:972)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:961)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1246)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1182)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:840)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
      >>
      >>>>      at
      >>
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
      >>
      >>>>      at
      >>
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
      >>
      >>>>      at
      >>
org.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)
      >>
      >>>>      at
      >>
org.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)
      >>
      >>>>      at
      >>
org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
      >>
      >>>>      at
      >>
org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
      >>
      >>>>      at
      >>
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
      >>
      >>>>      at
      >>
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
      >>
      >>>>      at
      >>
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
      >>
      >>>>      at
      >>
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
      >>
      >>>>      at
      >>
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
      >>
      >>>>      at
      >>
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
      >>
      >>>>      at
      >>
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
      >>
      >>>>      at
      >>
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
      >>
      >>>>      at
      >>
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
      >>
      >>>>      at java.base/java.lang.Thread.run(Thread.java:833)
      >>
      >>>> What is the new way to get this Exception?
      >>
>>>> NB: I recall discussing this with Jonathan some monthsago but
     seem to
      >> have lost track of the mail thread.
      >>
      >>>> Thanks in advance,
      >>
      >>>> Chris.
      >>
      >>>> On 09.04.22 00:26, Emmanuel Lécharny wrote:
      >>
      >>>>> Hi !
      >>
      >>>>>
      >>
      >>>>> I will start to cut a first milestone for the MINA
<https://www.google.com/maps/search/rt+to+cut+a+first+milestone+for+the+MINA?entry=gmail&source=g>
     2.2.X branch. It
      >> has been tested on Apache Ftpserver, Ldap API and Directory
     Server with
      >> success.
      >>
      >>>>>
      >>
      >>>>> There will probably be more milestone, but that would be a
     first step.
      >>
      >>>>>
      >>
      >>>>> The main changes are:
      >>
      >>>>> - a complete redesign of the TLS handling
      >>
>>>>> - the removal of the SslFilter.DISABLE_ENCRYPTION_ONCEattribute,
      >> which is either replaced by a dedicated filter, or the
     encapsulation of the
      >> message in a DisableEncryptWriteRequest interface
      >>
      >>>>>
      >>
      >>>>>
      >>
      >>>>> I'll do that this week-end.
      >>
      >>>>>
      >>
      >>>>> Thanks !
      >>
      >>>>
      >>
      >>>
      >>
      >>
      >> --
      >>
>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais –06200 NICE
      >>
      >> T. +33 (0)4 89 97 36 50
      >>
      >> P. +33 (0)6 08 33 32 61
      >>
>> [email protected]<mailto:[email protected]>
     https://www.busit.com/ <https://www.busit.com/>
      >>
      >>
      >>
---------------------------------------------------------------------
      >>
      >> To unsubscribe, e-mail: [email protected]
     <mailto:[email protected]>
      >>
      >> For additional commands, e-mail: [email protected]
     <mailto:[email protected]>
      >>
      >>
      >>
---------------------------------------------------------------------
      >> To unsubscribe, e-mail: [email protected]
     <mailto:[email protected]>
      >> For additional commands, e-mail: [email protected]
     <mailto:[email protected]>
      >>
      >>
      >
-- *Emmanuel Lécharny - CTO* 205 Promenade des Anglais –06200 NICE
     T. +33 (0)4 89 97 36 50
     P. +33 (0)6 08 33 32 61
     [email protected] <mailto:[email protected]>
     https://www.busit.com/ <https://www.busit.com/>
---------------------------------------------------------------------
     To unsubscribe, e-mail: [email protected]
     <mailto:[email protected]>
     For additional commands, e-mail: [email protected]
     <mailto:[email protected]>
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: Exception in filter (was: Re: [Vote] MINA 2.2.0 release)

Reply via email to