[ https://issues.apache.org/jira/browse/DIRMINA-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17927093#comment-17927093 ]
Emmanuel Lécharny commented on DIRMINA-1186:
--------------------------------------------

At this point, I'm afraid we have to roll back the SshHandler modifications that are now used in 2.2.4 to the 2.2.2 version, which was solid, even if it was not working well with TLS 1.3.

The impact is severe on many side projects (Apache Directory, and probably others).

I'm currently reviewing the current implementation, which needs some love, but it's a dreadful and time-consuming task, so I'm not sure I'll be able to come up with a decent fix in a matter of days. So the rollback sounds preferable as a short-term solution.

> 2.2.4 release causes some failure during TLS message exchanges
> --------------------------------------------------------------
>
>                 Key: DIRMINA-1186
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1186
>             Project: MINA
>          Issue Type: Bug
>   Affects Versions: 2.2.4
>            Reporter: Emmanuel Lécharny
>            Priority: Blocker
>             Fix For: 2.2.5
>
>
> When sending big messages in Apache Directory Server (above the 16K TLS
> packet limit), we get some error, like this one:
> {code:java}
> javax.net.ssl|SEVERE|12|NioProcessor-2|2025-02-13 05:05:37.219 CET|TransportContext.java:316|Fatal (BAD_RECORD_MAC): Tag mismatch! (
> "throwable" : {
>   javax.crypto.AEADBadTagException: Tag mismatch!
>     at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
>     at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
>     at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
>     at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
>     at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
>     at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
>     at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
>     at javax.crypto.Cipher.doFinal(Cipher.java:2463)
>     at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1606)
>     at sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>     at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>     at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>     at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:250)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_start(SSLHandlerG1.java:201)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive(SSLHandlerG1.java:179)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:441)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)}
> )
> {code}
> This never happens in 2.2.2 or 2.2.3. I think a regression has been
> introduced in the rewritten SslFilter and the associated classes.
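
As an added illustration (not part of the original message and not Apache MINA code): a message above the 16K limit mentioned in the report travels as several TLS records, and the AEAD tag covers a whole record, so a receive path must keep partial records buffered when a network read ends mid-record. The class name `TlsRecordFramer` and the sample stream are constructed for this example, which makes no claim about the actual cause of DIRMINA-1186.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not Apache MINA code: reassembles whole TLS records
// from network reads that stop at arbitrary byte offsets.
public class TlsRecordFramer {
    static final int HEADER = 5;                    // type(1) version(2) length(2)
    static final int MAX_PLAIN = 1 << 14;           // the 16K fragment limit
    static final int MAX_CIPHER = MAX_PLAIN + 2048; // TLS 1.2 ciphertext bound (RFC 5246)
    private final ByteBuffer pending = ByteBuffer.allocate(HEADER + MAX_CIPHER);

    // Reads the length field of the buffered header and rejects oversized records.
    private int bodyLength() {
        int len = ((pending.get(3) & 0xff) << 8) | (pending.get(4) & 0xff);
        if (len > MAX_CIPHER) throw new IllegalStateException("record_overflow: " + len);
        return len;
    }

    /** Consumes one read; returns only complete records, keeps the tail buffered. */
    public List<byte[]> feed(ByteBuffer chunk) {
        List<byte[]> records = new ArrayList<>();
        while (chunk.hasRemaining()) {
            int want = pending.position() < HEADER ? HEADER : HEADER + bodyLength();
            int n = Math.min(chunk.remaining(), want - pending.position());
            for (int i = 0; i < n; i++) pending.put(chunk.get());
            if (pending.position() >= HEADER && pending.position() == HEADER + bodyLength()) {
                byte[] rec = new byte[pending.position()];
                pending.flip();
                pending.get(rec);
                pending.clear();                    // ready for the next header
                records.add(rec);
            }
        }
        return records;
    }

    public static void main(String[] args) {
        // Constructed input: a 40000-byte message cut into 16K fragments, each with
        // a record header; the payload is zero filler, not real ciphertext.
        ByteBuffer wire = ByteBuffer.allocate(40000 + 3 * HEADER);
        for (int left = 40000; left > 0; left -= MAX_PLAIN) {
            int len = Math.min(left, MAX_PLAIN);
            wire.put((byte) 0x17).put((byte) 3).put((byte) 3).putShort((short) len);
            wire.position(wire.position() + len);
        }
        wire.flip();
        TlsRecordFramer framer = new TlsRecordFramer();
        while (wire.hasRemaining()) {               // deliver in 1500-byte reads
            byte[] read = new byte[Math.min(1500, wire.remaining())];
            wire.get(read);
            for (byte[] rec : framer.feed(ByteBuffer.wrap(read)))
                System.out.println("record of " + rec.length + " bytes");
        }
    }
}
```

Running it on captured bytes instead of the filler stream shows whether record boundaries are intact on the wire, which separates a framing problem from a decryption-state problem when triaging a `BAD_RECORD_MAC`.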