[ https://issues.apache.org/jira/browse/DIRMINA-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17926660#comment-17926660 ]
Emmanuel Lécharny commented on DIRMINA-1186:
--------------------------------------------
Note that it is happening in the third recursive call to the
{{SSLHandlerG1.receive_loop}} method, so I suspect there is some wrong buffer
handling in this method.
> 2.2.4 release causes some failure during TLS message exchanges
> --------------------------------------------------------------
>
> Key: DIRMINA-1186
> URL: https://issues.apache.org/jira/browse/DIRMINA-1186
> Project: MINA
> Issue Type: Bug
> Affects Versions: 2.2.4
> Reporter: Emmanuel Lécharny
> Priority: Blocker
> Fix For: 2.2.5
>
>
> When sending big messages in Apache Directory Server (above the 16K TLS
> packet limit), we get some error, like this one:
> {code:java}
> javax.net.ssl|SEVERE|12|NioProcessor-2|2025-02-13 05:05:37.219 CET|TransportContext.java:316|Fatal (BAD_RECORD_MAC): Tag mismatch! (
> "throwable" : {
> javax.crypto.AEADBadTagException: Tag mismatch!
> at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
> at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
> at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
> at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
> at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
> at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
> at javax.crypto.Cipher.doFinal(Cipher.java:2463)
> at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1606)
> at sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
> at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
> at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
> at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
> at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
> at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:250)
> at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
> at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
> at org.apache.mina.filter.ssl.SSLHandlerG1.receive_start(SSLHandlerG1.java:201)
> at org.apache.mina.filter.ssl.SSLHandlerG1.receive(SSLHandlerG1.java:179)
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:441)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
> at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)}
> )
> {code}
> This never happens in 2.2.2 or 2.2.3. I think a regression has been
> introduced in the rewritten SslFilter and the associated classes.