Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
That's fine,you can use this code for 2.0.x -> 2.2.1 documentation. -- M.V.S.Kishore 91-9886412814 On Mon, 17 Apr 2023 at 20:46, Emmanuel Lécharny wrote: > Great! > > If you don't mind, I'd like to use this piece of code to document the > 2.0 -> 2.2 mogration. > > Just let me know if it's OK with you ! > > Thanks! > > On 17/04/2023 13:04, Kishore Mokkarala wrote: > > Thank you all for the help.Here is my SSL implementation for making it > work > > with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine. > > > > public class CustomSslFilter { > > public CustomSslFilter(SSLContext sslContext) { > > super(sslContext); > > } > > //Override CreateEngine > > protected SSLEngine createEngine(IoSession session, InetSocketAddress > > addr) { > > //Add your SNI host name and port in the IOSession > > SNIHostNames = (String)session.getAttribute( SNIHostNames ); > >PortNumber = (String)session.getAttribute( PortNumber ); > > InetSocketAddress peer = > > InetSocketAddress.createUnresolved(SNIHostNames,PortNumber); > > SSLEngine sslEngine = (addr != null) ? > > sslContext.createSSLEngine(peer.getHostString(), peer.getPort()) > > : sslContext.createSSLEngine(); > > > > // Always start with WANT, which will be squashed by NEED if > NEED is > > true. > > // Actually, it makes not a lot of sense to select NEED and WANT. > > NEED >> WANT... > > if (wantClientAuth) { > > sslEngine.setWantClientAuth(true); > > } > > > > if (needClientAuth) { > > sslEngine.setNeedClientAuth(true); > > } > > > > if (enabledCipherSuites != null) { > > sslEngine.setEnabledCipherSuites(enabledCipherSuites); > > } > > > > if (enabledProtocols != null) { > > sslEngine.setEnabledProtocols(enabledProtocols); > > } > > > > sslEngine.setUseClientMode(!session.isServer()); > > > > return sslEngine; > > } > > } > > > > > > IoSessionInitializer initializer = new > > IoSessionInitializer() { > > > > @Override > > public void initializeSession(IoSession session, > ConnectFuture > > future) { > > > > session.setAttribute( SNIHostNames , "example.com"); > > session.setAttribute( PortNumber , 8443); > > } > > }; > > > > try { > > NioSocketConnector connector = getConnector(); > > ioSession = connector.connect(address, > > initializer).awaitUninterruptibly().getSession(); > > } catch (RuntimeIoException eio) { > > initializationException = eio; > > } > > > > -- > > M.V.S.Kishore > > 91-9886412814 > > > > > > On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere > wrote: > > > >> Looking at the code for your existing filter it appears like you’re just > >> trying to create the SSLEngine so it can be reused for subsequent > >> connections by passing in the IP address and Port? > >> > >> This is already a feature in the new filter. > >> > >> > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281 > >> > >> If you want to perform any customization during the SSL Engine setup, > just > >> override createEngine > >> > >> > >> On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala < > kishore@gmail.com> > >> wrote: > >> > >>> Currently we are using the following custom SSL filter for passing SNI > >> host > >>> name. For doing this we are using PEER_ADDRESS. > >>> This was available in apache mina 2.0.21 SslHandler.java,but this > >> attribute > >>> is not available in 2.2.10. > >>> This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP > address > >> to > >>> which it connects ,but this information is needed for the destination > >>> server. > >>> > >>> *Existing implementation : * > >>> > >>> SslFilter sslFilter; > >>> try { > >>> SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); > >>> * sslFilter = new CustomSslFilter(sslContext); //passing * > *PEER_ADDRESS > >>> in overridden onPreAdd*. > >>> sslFilter.setUseClientMode(true); > >>> connector.getFilterChain().addFirst("sslFilter", sslFilter); > >>> } catch (Exception e) { > >>> e.printStackTrace(); > >>> LOG.error("Exception during creating SSL context..." + > >>> XError.getStackTrace(e)); > >>> } > >>> connector.setHandler(ioHandler); > >>> > >>> *CustomSslFilter.java:* > >>> > >>> public class CustomSslFilter extends SslFilter > >>> { > >>> > >>> public CustomSslFilter(SSLContext sslContext) { > >>> super(sslContext, true); > >>> } > >>> > >>> @Override > >>> public void onPreAdd(IoFilterChain parent, String name, > >>> NextFilter nextFilter) throws SSLException { > >>> // Check that we don't have a SSL filter already present in > the > >>> chain > >>> if
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Great! If you don't mind, I'd like to use this piece of code to document the 2.0 -> 2.2 mogration. Just let me know if it's OK with you ! Thanks! On 17/04/2023 13:04, Kishore Mokkarala wrote: Thank you all for the help.Here is my SSL implementation for making it work with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine. public class CustomSslFilter { public CustomSslFilter(SSLContext sslContext) { super(sslContext); } //Override CreateEngine protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) { //Add your SNI host name and port in the IOSession SNIHostNames = (String)session.getAttribute( SNIHostNames ); PortNumber = (String)session.getAttribute( PortNumber ); InetSocketAddress peer = InetSocketAddress.createUnresolved(SNIHostNames,PortNumber); SSLEngine sslEngine = (addr != null) ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort()) : sslContext.createSSLEngine(); // Always start with WANT, which will be squashed by NEED if NEED is true. // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT... if (wantClientAuth) { sslEngine.setWantClientAuth(true); } if (needClientAuth) { sslEngine.setNeedClientAuth(true); } if (enabledCipherSuites != null) { sslEngine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols != null) { sslEngine.setEnabledProtocols(enabledProtocols); } sslEngine.setUseClientMode(!session.isServer()); return sslEngine; } } IoSessionInitializer initializer = new IoSessionInitializer() { @Override public void initializeSession(IoSession session, ConnectFuture future) { session.setAttribute( SNIHostNames , "example.com"); session.setAttribute( PortNumber , 8443); } }; try { NioSocketConnector connector = getConnector(); ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession(); } catch (RuntimeIoException eio) { initializationException = eio; } -- M.V.S.Kishore 91-9886412814 On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere wrote: Looking at the code for your existing filter it appears like you’re just trying to create the SSLEngine so it can be reused for subsequent connections by passing in the IP address and Port? This is already a feature in the new filter. https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281 If you want to perform any customization during the SSL Engine setup, just override createEngine On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala wrote: Currently we are using the following custom SSL filter for passing SNI host name. For doing this we are using PEER_ADDRESS. This was available in apache mina 2.0.21 SslHandler.java,but this attribute is not available in 2.2.10. This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address to which it connects ,but this information is needed for the destination server. *Existing implementation : * SslFilter sslFilter; try { SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS in overridden onPreAdd*. sslFilter.setUseClientMode(true); connector.getFilterChain().addFirst("sslFilter", sslFilter); } catch (Exception e) { e.printStackTrace(); LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e)); } connector.setHandler(ioHandler); *CustomSslFilter.java:* public class CustomSslFilter extends SslFilter { public CustomSslFilter(SSLContext sslContext) { super(sslContext, true); } @Override public void onPreAdd(IoFilterChain parent, String name, NextFilter nextFilter) throws SSLException { // Check that we don't have a SSL filter already present in the chain if (parent.contains(SslFilter.class)) { String msg = "Only one SSL filter is permitted in a chain."; LOGGER.error(msg); throw new IllegalStateException(msg); } IoSession session = parent.getSession(); Provider provider = (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY); InetSocketAddress probeAddress = InetSocketAddress.createUnresolved( *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber())); session.setAttribute(PEER_ADDRESS, probeAddress); super.onPreAdd(parent, name, nextFilter); } } We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I did but it is not working.Please do the needful. *Question:* How to pass this sni host name for creating SSLEngine? *Here is the new implementati
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Cool. That was easy. On Mon, Apr 17, 2023 at 11:05 AM Kishore Mokkarala wrote: > Thank you all for the help.Here is my SSL implementation for making it work > with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine. > > public class CustomSslFilter { > public CustomSslFilter(SSLContext sslContext) { > super(sslContext); > } > //Override CreateEngine > protected SSLEngine createEngine(IoSession session, InetSocketAddress > addr) { > //Add your SNI host name and port in the IOSession > SNIHostNames = (String)session.getAttribute( SNIHostNames ); > PortNumber = (String)session.getAttribute( PortNumber ); > InetSocketAddress peer = > InetSocketAddress.createUnresolved(SNIHostNames,PortNumber); >SSLEngine sslEngine = (addr != null) ? > sslContext.createSSLEngine(peer.getHostString(), peer.getPort()) >: sslContext.createSSLEngine(); > >// Always start with WANT, which will be squashed by NEED if NEED is > true. >// Actually, it makes not a lot of sense to select NEED and WANT. > NEED >> WANT... >if (wantClientAuth) { >sslEngine.setWantClientAuth(true); >} > >if (needClientAuth) { >sslEngine.setNeedClientAuth(true); >} > >if (enabledCipherSuites != null) { >sslEngine.setEnabledCipherSuites(enabledCipherSuites); >} > >if (enabledProtocols != null) { >sslEngine.setEnabledProtocols(enabledProtocols); >} > >sslEngine.setUseClientMode(!session.isServer()); > >return sslEngine; >} > } > > > IoSessionInitializer initializer = new > IoSessionInitializer() { > > @Override > public void initializeSession(IoSession session, ConnectFuture > future) { > > session.setAttribute( SNIHostNames , "example.com"); > session.setAttribute( PortNumber , 8443); > } > }; > > try { > NioSocketConnector connector = getConnector(); > ioSession = connector.connect(address, > initializer).awaitUninterruptibly().getSession(); > } catch (RuntimeIoException eio) { > initializationException = eio; > } > > -- > M.V.S.Kishore > 91-9886412814 > > > On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere > wrote: > > > Looking at the code for your existing filter it appears like you’re just > > trying to create the SSLEngine so it can be reused for subsequent > > connections by passing in the IP address and Port? > > > > This is already a feature in the new filter. > > > > > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281 > > > > If you want to perform any customization during the SSL Engine setup, > just > > override createEngine > > > > > > On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala > > > wrote: > > > > > Currently we are using the following custom SSL filter for passing SNI > > host > > > name. For doing this we are using PEER_ADDRESS. > > > This was available in apache mina 2.0.21 SslHandler.java,but this > > attribute > > > is not available in 2.2.10. > > > This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP > address > > to > > > which it connects ,but this information is needed for the destination > > > server. > > > > > > *Existing implementation : * > > > > > > SslFilter sslFilter; > > > try { > > > SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); > > > * sslFilter = new CustomSslFilter(sslContext); //passing * > *PEER_ADDRESS > > > in overridden onPreAdd*. > > > sslFilter.setUseClientMode(true); > > > connector.getFilterChain().addFirst("sslFilter", sslFilter); > > > } catch (Exception e) { > > > e.printStackTrace(); > > > LOG.error("Exception during creating SSL context..." + > > > XError.getStackTrace(e)); > > > } > > > connector.setHandler(ioHandler); > > > > > > *CustomSslFilter.java:* > > > > > > public class CustomSslFilter extends SslFilter > > > { > > > > > > public CustomSslFilter(SSLContext sslContext) { > > > super(sslContext, true); > > > } > > > > > > @Override > > > public void onPreAdd(IoFilterChain parent, String name, > > > NextFilter nextFilter) throws SSLException { > > > // Check that we don't have a SSL filter already present in the > > > chain > > > if (parent.contains(SslFilter.class)) { > > > String msg = "Only one SSL filter is permitted in a > chain."; > > > LOGGER.error(msg); > > > throw new IllegalStateException(msg); > > > } > > > IoSession session = parent.getSession(); > > > Provider provider = > > > (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY); > > > InetSocketAddress probeAddress = > > > InetSocketAddress.createUnresolved( > > > *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber())); > > >
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Thank you all for the help.Here is my SSL implementation for making it work with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine. public class CustomSslFilter { public CustomSslFilter(SSLContext sslContext) { super(sslContext); } //Override CreateEngine protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) { //Add your SNI host name and port in the IOSession SNIHostNames = (String)session.getAttribute( SNIHostNames ); PortNumber = (String)session.getAttribute( PortNumber ); InetSocketAddress peer = InetSocketAddress.createUnresolved(SNIHostNames,PortNumber); SSLEngine sslEngine = (addr != null) ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort()) : sslContext.createSSLEngine(); // Always start with WANT, which will be squashed by NEED if NEED is true. // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT... if (wantClientAuth) { sslEngine.setWantClientAuth(true); } if (needClientAuth) { sslEngine.setNeedClientAuth(true); } if (enabledCipherSuites != null) { sslEngine.setEnabledCipherSuites(enabledCipherSuites); } if (enabledProtocols != null) { sslEngine.setEnabledProtocols(enabledProtocols); } sslEngine.setUseClientMode(!session.isServer()); return sslEngine; } } IoSessionInitializer initializer = new IoSessionInitializer() { @Override public void initializeSession(IoSession session, ConnectFuture future) { session.setAttribute( SNIHostNames , "example.com"); session.setAttribute( PortNumber , 8443); } }; try { NioSocketConnector connector = getConnector(); ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession(); } catch (RuntimeIoException eio) { initializationException = eio; } -- M.V.S.Kishore 91-9886412814 On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere wrote: > Looking at the code for your existing filter it appears like you’re just > trying to create the SSLEngine so it can be reused for subsequent > connections by passing in the IP address and Port? > > This is already a feature in the new filter. > > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281 > > If you want to perform any customization during the SSL Engine setup, just > override createEngine > > > On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala > wrote: > > > Currently we are using the following custom SSL filter for passing SNI > host > > name. For doing this we are using PEER_ADDRESS. > > This was available in apache mina 2.0.21 SslHandler.java,but this > attribute > > is not available in 2.2.10. > > This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address > to > > which it connects ,but this information is needed for the destination > > server. > > > > *Existing implementation : * > > > > SslFilter sslFilter; > > try { > > SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); > > * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS > > in overridden onPreAdd*. > > sslFilter.setUseClientMode(true); > > connector.getFilterChain().addFirst("sslFilter", sslFilter); > > } catch (Exception e) { > > e.printStackTrace(); > > LOG.error("Exception during creating SSL context..." + > > XError.getStackTrace(e)); > > } > > connector.setHandler(ioHandler); > > > > *CustomSslFilter.java:* > > > > public class CustomSslFilter extends SslFilter > > { > > > > public CustomSslFilter(SSLContext sslContext) { > > super(sslContext, true); > > } > > > > @Override > > public void onPreAdd(IoFilterChain parent, String name, > > NextFilter nextFilter) throws SSLException { > > // Check that we don't have a SSL filter already present in the > > chain > > if (parent.contains(SslFilter.class)) { > > String msg = "Only one SSL filter is permitted in a chain."; > > LOGGER.error(msg); > > throw new IllegalStateException(msg); > > } > > IoSession session = parent.getSession(); > > Provider provider = > > (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY); > > InetSocketAddress probeAddress = > > InetSocketAddress.createUnresolved( > > *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber())); > > session.setAttribute(PEER_ADDRESS, probeAddress); > > super.onPreAdd(parent, name, nextFilter); > > } > > } > > > > We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I > did > > but it is not working.Please do the needful. > > *Question:* > > How to pass this sni host name for creating SSLEngine? > > > > *Here is the new imple
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Looking at the code for your existing filter it appears like you’re just trying to create the SSLEngine so it can be reused for subsequent connections by passing in the IP address and Port? This is already a feature in the new filter. https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281 If you want to perform any customization during the SSL Engine setup, just override createEngine On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala wrote: > Currently we are using the following custom SSL filter for passing SNI host > name. For doing this we are using PEER_ADDRESS. > This was available in apache mina 2.0.21 SslHandler.java,but this attribute > is not available in 2.2.10. > This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address to > which it connects ,but this information is needed for the destination > server. > > *Existing implementation : * > > SslFilter sslFilter; > try { > SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); > * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS > in overridden onPreAdd*. > sslFilter.setUseClientMode(true); > connector.getFilterChain().addFirst("sslFilter", sslFilter); > } catch (Exception e) { > e.printStackTrace(); > LOG.error("Exception during creating SSL context..." + > XError.getStackTrace(e)); > } > connector.setHandler(ioHandler); > > *CustomSslFilter.java:* > > public class CustomSslFilter extends SslFilter > { > > public CustomSslFilter(SSLContext sslContext) { > super(sslContext, true); > } > > @Override > public void onPreAdd(IoFilterChain parent, String name, > NextFilter nextFilter) throws SSLException { > // Check that we don't have a SSL filter already present in the > chain > if (parent.contains(SslFilter.class)) { > String msg = "Only one SSL filter is permitted in a chain."; > LOGGER.error(msg); > throw new IllegalStateException(msg); > } > IoSession session = parent.getSession(); > Provider provider = > (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY); > InetSocketAddress probeAddress = > InetSocketAddress.createUnresolved( > *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber())); > session.setAttribute(PEER_ADDRESS, probeAddress); > super.onPreAdd(parent, name, nextFilter); > } > } > > We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I did > but it is not working.Please do the needful. > *Question:* > How to pass this sni host name for creating SSLEngine? > > *Here is the new implementation changed as per new Mina 2.2.10 API:* > try{ > sslContext = javax.net.ssl.SSLContext.getDefault(); > SNIServerName sniHostName = new SNIHostName("*eid.17.cid.0*"); > List sniHostNames = new ArrayList<>(); > sniHostNames.add(sniHostName); > SSLParameters sslParams = sslContext.getDefaultSSLParameters(); > sslParams.setServerNames(sniHostNames); > sslFilter = new SslFilter(sslContext); > //sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence > commented. > connector.getFilterChain().addFirst("sslFilter", sslFilter); > } catch (Exception e) { > e.printStackTrace(); > LOG.error("Exception during creating SSL context..." + > XError.getStackTrace(e)); > } > connector.setHandler(ioHandler); > > Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code : > > /* no qualifier */void init() throws SSLException { > if (sslEngine != null) { > // We already have a SSL engine created, no need to create a > new one > return; > } > if (LOGGER.isDebugEnabled()) { > LOGGER.debug("{} Initializing the SSL Handler", > sslFilter.getSessionInfo(session)); > } > InetSocketAddress peer = (InetSocketAddress) > session.getAttribute(SslFilter.PEER_ADDRESS); > // Create the SSL engine here > if (peer == null) { > sslEngine = sslFilter.sslContext.createSSLEngine(); > } else { > sslEngine = > sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort()); > } > // Initialize the engine in client mode if necessary > sslEngine.setUseClientMode(sslFilter.isUseClientMode()); > > > Regards, > -- > M.V.S.Kishore > 91-9886412814 > > > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny > wrote: > > > Hi, > > > > On 12/04/2023 18:00, Kishore Mokkarala wrote: > > > Thanks Emmanuel for the quick response.I have few more questions on > the > > > upgrade.Please do the needful. > > > If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all > steps > > > do i need to follow ? > > > > There are two pages that explains the diffence between 2.0 and 2.1, and > > 2. and 2.2: > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html > > * https://mina.apache.org/mina-p
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Currently we are using the following custom SSL filter for passing SNI host name. For doing this we are using PEER_ADDRESS. This was available in apache mina 2.0.21 SslHandler.java,but this attribute is not available in 2.2.10. This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address to which it connects ,but this information is needed for the destination server. *Existing implementation : * SslFilter sslFilter; try { SSLContext sslContext = javax.net.ssl.SSLContext.getDefault(); * sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS in overridden onPreAdd*. sslFilter.setUseClientMode(true); connector.getFilterChain().addFirst("sslFilter", sslFilter); } catch (Exception e) { e.printStackTrace(); LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e)); } connector.setHandler(ioHandler); *CustomSslFilter.java:* public class CustomSslFilter extends SslFilter { public CustomSslFilter(SSLContext sslContext) { super(sslContext, true); } @Override public void onPreAdd(IoFilterChain parent, String name, NextFilter nextFilter) throws SSLException { // Check that we don't have a SSL filter already present in the chain if (parent.contains(SslFilter.class)) { String msg = "Only one SSL filter is permitted in a chain."; LOGGER.error(msg); throw new IllegalStateException(msg); } IoSession session = parent.getSession(); Provider provider = (Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY); InetSocketAddress probeAddress = InetSocketAddress.createUnresolved( *eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber())); session.setAttribute(PEER_ADDRESS, probeAddress); super.onPreAdd(parent, name, nextFilter); } } We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I did but it is not working.Please do the needful. *Question:* How to pass this sni host name for creating SSLEngine? *Here is the new implementation changed as per new Mina 2.2.10 API:* try{ sslContext = javax.net.ssl.SSLContext.getDefault(); SNIServerName sniHostName = new SNIHostName("*eid.17.cid.0*"); List sniHostNames = new ArrayList<>(); sniHostNames.add(sniHostName); SSLParameters sslParams = sslContext.getDefaultSSLParameters(); sslParams.setServerNames(sniHostNames); sslFilter = new SslFilter(sslContext); //sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence commented. connector.getFilterChain().addFirst("sslFilter", sslFilter); } catch (Exception e) { e.printStackTrace(); LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e)); } connector.setHandler(ioHandler); Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code : /* no qualifier */void init() throws SSLException { if (sslEngine != null) { // We already have a SSL engine created, no need to create a new one return; } if (LOGGER.isDebugEnabled()) { LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session)); } InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS); // Create the SSL engine here if (peer == null) { sslEngine = sslFilter.sslContext.createSSLEngine(); } else { sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort()); } // Initialize the engine in client mode if necessary sslEngine.setUseClientMode(sslFilter.isUseClientMode()); Regards, -- M.V.S.Kishore 91-9886412814 On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny wrote: > Hi, > > On 12/04/2023 18:00, Kishore Mokkarala wrote: > > Thanks Emmanuel for the quick response.I have few more questions on the > > upgrade.Please do the needful. > > If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps > > do i need to follow ? > > There are two pages that explains the diffence between 2.0 and 2.1, and > 2. and 2.2: > * https://mina.apache.org/mina-project/2.1-vs-2.0.html > * https://mina.apache.org/mina-project/2.2-vs-2.1.html > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured > session. It's pretty trivial. > > The 2.2. vs 2.1 migration is a bit more complicated, *if* you were using > startTLS. > > Otherwise, it's pretty straightforward. > > ALso note that teh SSL handler has been completeley reworked in 2.2. > > > Is it just a jar file change in the classpath or do i need to do any > more > > changes ? > > It should be just about changing the jar. > > > > Also we are also using https for communication ? in this case what all > > changes are needed ? > > Nothing, AFAICT. > > > I have seen there is a change the way we pass the SNI host name in 2.0.21 > > vs 2.2.1 ? > > Hmmm, not that I remeber. Do you have any pointer? > > > First of all is it
Re: Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Hi, On 12/04/2023 18:00, Kishore Mokkarala wrote: Thanks Emmanuel for the quick response.I have few more questions on the upgrade.Please do the needful. If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps do i need to follow ? There are two pages that explains the diffence between 2.0 and 2.1, and 2. and 2.2: * https://mina.apache.org/mina-project/2.1-vs-2.0.html * https://mina.apache.org/mina-project/2.2-vs-2.1.html The 2.1 vs 2.0 difference is mainly about the way we detect a secured session. It's pretty trivial. The 2.2. vs 2.1 migration is a bit more complicated, *if* you were using startTLS. Otherwise, it's pretty straightforward. ALso note that teh SSL handler has been completeley reworked in 2.2. Is it just a jar file change in the classpath or do i need to do any more changes ? It should be just about changing the jar. Also we are also using https for communication ? in this case what all changes are needed ? Nothing, AFAICT. I have seen there is a change the way we pass the SNI host name in 2.0.21 vs 2.2.1 ? Hmmm, not that I remeber. Do you have any pointer? First of all is it recommended to migrate from 2.0.21 to mina 2.2.1 ? Oh yes! Simply because the SSL rewrite was necessary, also because 2.2 branch is clearly the one we maintain. will the state machine work without doing any changes ? It should not have changed. Hope it helps. Regards, -- M.V.S.Kishore On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny wrote: Hi, Mina 2.0 branch is pretty old (5 years) and we have made significant changes in the 2.1 and more important the 2.2 branches. You should seriously consider migrating to 2.2. That being said: - 40 seconds to do whatever that was taking a few milliseconds snounds like a major regression, aka bug. - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes little sense. The CVE only impacts the HTTP decoder. In other words, if it's working, don't break it... - We don't have enough context to tell you what could go wrong in your code. If you provide some piece of code we can run, we can investigate, otherwise it's like shouting in the dark... Typically, we have no clue about what the gpbMessageFilter does. On 10/04/2023 13:37, Kishore Mokkarala wrote: Hi, There was a security vulnerability in mina 2.0.21,So we were migrated from apache mina 2.0.21 to 2.0.23,locally in the dev environment everything looks good, but in production we are facing connection timeout issue with the mina version 2.0.23. For connection set up it was taking 10-20 milliseconds (less than a second) with the old version (2.0.21). With the new version even after 40 seconds connection was timed out. We use the same NioSocketConnector instance for opening 100 parallel connections. *Question:* *My query is why it is taking more time more than 40 seconds for opening the socket with the new version ?* We are not using https communication. *Could you please suggest a work around.* What's happening in the below code is mina is time out after 40 seconds and also IO session has been created using state machine in separate threads,both are running in two parallel threads,This issue is not seen with the mina 2.0.21 version. *Here is the code snippet.* private static final ExecutorFilter executorFilter = new ExecutorFilter(16,32); StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class).create( G10MinaClient.CONNECTED, new G10MinaClient(processor)); IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup( new IoSessionStateContextLookup(new StateContextFactory() { @Override public StateContext create() { final G10StateContext stateContext = new G10StateContext(); stateContext.setStartedTime(new Date()); return stateContext; } })).create(IoHandler.class, stateMachine); NioSocketConnector connector = new NioSocketConnector(); connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter); connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter); connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter); connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter); connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter); connector.setHandler(ioHandler); ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer); if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) //MINA_CLOSE_TIMEOUT is 40 seconds { if (handleIOException(searchExpression, captureHandler)) {
Fwd: migration from apache mina 2.0.21 to 2.0.23 issue
Thanks Emmanuel for the quick response.I have few more questions on the upgrade.Please do the needful. If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps do i need to follow ? Is it just a jar file change in the classpath or do i need to do any more changes ? Also we are also using https for communication ? in this case what all changes are needed ? I have seen there is a change the way we pass the SNI host name in 2.0.21 vs 2.2.1 ? First of all is it recommended to migrate from 2.0.21 to mina 2.2.1 ? will the state machine work without doing any changes ? Regards, -- M.V.S.Kishore On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny wrote: > Hi, > > Mina 2.0 branch is pretty old (5 years) and we have made significant > changes in the 2.1 and more important the 2.2 branches. You should > seriously consider migrating to 2.2. That being said: > > - 40 seconds to do whatever that was taking a few milliseconds snounds > like a major regression, aka bug. > - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes > little sense. The CVE only impacts the HTTP decoder. In other words, if > it's working, don't break it... > - We don't have enough context to tell you what could go wrong in your > code. If you provide some piece of code we can run, we can investigate, > otherwise it's like shouting in the dark... Typically, we have no clue > about what the gpbMessageFilter does. > > On 10/04/2023 13:37, Kishore Mokkarala wrote: > > Hi, > > There was a security vulnerability in mina 2.0.21,So we were migrated > > from apache mina 2.0.21 to 2.0.23,locally in the dev environment > everything > > looks good, but in production we are facing connection timeout issue with > > the mina version 2.0.23. > > For connection set up it was taking 10-20 milliseconds (less than a > second) > > with the old version (2.0.21). > > With the new version even after 40 seconds connection was timed out. > > > > We use the same NioSocketConnector instance for opening 100 > > parallel connections. > > > > *Question:* > > *My query is why it is taking more time more than 40 seconds for opening > > the socket with the new version ?* > > > > We are not using https communication. > > > > *Could you please suggest a work around.* > > > > What's happening in the below code is mina is time out after 40 seconds > and > > also IO session has been created using state machine in separate > > threads,both are running in two parallel threads,This issue is not seen > > with the mina 2.0.21 version. > > > > *Here is the code snippet.* > > > > private static final ExecutorFilter executorFilter = new > > ExecutorFilter(16,32); > > > > StateMachine stateMachine = > > StateMachineFactory.getInstance(IoHandlerTransition.class).create( > > G10MinaClient.CONNECTED, new G10MinaClient(processor)); > > > > IoHandler ioHandler = new > > StateMachineProxyBuilder().setStateContextLookup( > > new IoSessionStateContextLookup(new > StateContextFactory() { > > @Override > > public StateContext create() { > > final G10StateContext stateContext = new > > G10StateContext(); > > stateContext.setStartedTime(new Date()); > > return stateContext; > > } > > })).create(IoHandler.class, stateMachine); > > > > NioSocketConnector connector = new NioSocketConnector(); > > connector.getFilterChain().addLast("LoggingFilter", > > G10CaptureService.loggingFilter); > > connector.getFilterChain().addLast("codecFilter", > > G10CaptureService.probeCodecFilter); > > connector.getFilterChain().addLast("executorFilter", > > G10CaptureService.executorFilter); > > connector.getFilterChain().addLast("gpbMessageFilter", > > G10CaptureService.gpbMessageFilter); > > connector.getFilterChain().addLast("keepAliveFilter", > > G10CaptureService.keepAliveFilter); > > connector.setHandler(ioHandler); > > ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, > > initializer); > > if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) > > //MINA_CLOSE_TIMEOUT is 40 seconds > > { > > > > if (handleIOException(searchExpression, > > captureHandler)) { > > return; > > } > > LOG.info("{} Apache mina connection setup time out > > happend.", > > handleConnectionFailed(primaryAddress, > captureHandler, > > "Primary IP connection timeout"); > > return; > > } > > > > Regards, > > M.V.S.Kishore > > 91-9886412814 > > > > -- > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE > T. +33 (0)4 89 97 36 50 > P. +33 (0)6 08 33 32 61 > emmanuel.lecha...@busit.com https://www.busit.com/ > >