[jira] [Commented] (DIRMINA-1186) 2.2.4 release causes some failure during TLS message exchanges

Mon, 07 Apr 2025 00:11:49 -0700 


    [ 
https://issues.apache.org/jira/browse/DIRMINA-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941474#comment-17941474
 ] 

Emmanuel Lécharny commented on DIRMINA-1186:
--------------------------------------------

Hi Jonathan,

I have no idea if the writer side has a thread pool, but we must assume it has.
The task execution should obviously be thread safe, and I can add the 
synchronized on the execute_task method.

I have an issue with the way it's globally work, from the top of my head since 
I haven't had time to look at the code in the past 2 monts, but I remember that 
there is a recursive call that many be removed. But again, this is from the top 
of my head...

> 2.2.4 release causes some failure during TLS message exchanges
> --------------------------------------------------------------
>
>                 Key: DIRMINA-1186
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1186
>             Project: MINA
>          Issue Type: Bug
>    Affects Versions: 2.2.4
>            Reporter: Emmanuel Lécharny
>            Priority: Blocker
>             Fix For: 2.2.5
>
>
> When sending big messages in Apache Directory Server (above the 16K TLS 
> packet limit), we get some error, like this one:
> {code:java}
> javax.net.ssl|SEVERE|12|NioProcessor-2|2025-02-13 05:05:37.219 
> CET|TransportContext.java:316|Fatal (BAD_RECORD_MAC): Tag mismatch! (
> "throwable" : {
>   javax.crypto.AEADBadTagException: Tag mismatch!
>       at 
> com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
>       at 
> com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
>       at 
> com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
>       at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
>       at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
>       at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
>       at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
>       at javax.crypto.Cipher.doFinal(Cipher.java:2463)
>       at 
> sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1606)
>       at 
> sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>       at 
> sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>       at 
> sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>       at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>       at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
>       at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
>       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
>       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
>       at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
>       at 
> org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:250)
>       at 
> org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>       at 
> org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>       at 
> org.apache.mina.filter.ssl.SSLHandlerG1.receive_start(SSLHandlerG1.java:201)
>       at 
> org.apache.mina.filter.ssl.SSLHandlerG1.receive(SSLHandlerG1.java:179)
>       at 
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:441)
>       at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>       at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>       at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>       at 
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>       at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>       at 
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>       at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>       at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>       at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
>       at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
>       at 
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>       at 
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>       at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>       at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>       at java.lang.Thread.run(Thread.java:748)}
> )
> {code}
> This never happens in 2.2.2 or 2.2.3. I think there a regression has been 
> introduced in the rewritten SslFilter and the associated classes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to