Currently we are using the following custom SSL filter for passing the SNI host
name. For doing this we are using PEER_ADDRESS.
This was available in Apache MINA 2.0.21 SslHandler.java, but this attribute
is not available in 2.2.10.
This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address to
which it connects, but this information is needed for the destination
server.

*Existing implementation:*

SslFilter sslFilter;
try {
    SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
    // passing PEER_ADDRESS in the overridden onPreAdd
    sslFilter = new CustomSslFilter(sslContext);
    sslFilter.setUseClientMode(true);
    connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
    e.printStackTrace();
    LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
}
connector.setHandler(ioHandler);
connector.setHandler(ioHandler);

*CustomSslFilter.java:*

import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.mina.core.filterchain.IoFilterChain;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Provider and G10MinaClient are the project's own classes (same package).
public class CustomSslFilter extends SslFilter {

    // SslFilter's own logger is private, so the subclass needs one of its own
    private static final Logger LOGGER = LoggerFactory.getLogger(CustomSslFilter.class);

    public CustomSslFilter(SSLContext sslContext) {
        super(sslContext, true);
    }

    @Override
    public void onPreAdd(IoFilterChain parent, String name, NextFilter nextFilter) throws SSLException {
        // Check that we don't have an SSL filter already present in the chain
        if (parent.contains(SslFilter.class)) {
            String msg = "Only one SSL filter is permitted in a chain.";
            LOGGER.error(msg);
            throw new IllegalStateException(msg);
        }
        IoSession session = parent.getSession();
        Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
        // The SNI host name is not the IP the connector dials; in 2.0 SslHandler.init()
        // hands PEER_ADDRESS host/port to SSLContext.createSSLEngine(host, port)
        InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
                "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
        session.setAttribute(PEER_ADDRESS, probeAddress);
        super.onPreAdd(parent, name, nextFilter);
    }
}

We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I did,
but it is not working. Please do the needful.
*Question:*
How to pass this SNI host name for creating the SSLEngine?

*Here is the new implementation changed as per the new Mina 2.2.10 API:*

try {
    sslContext = javax.net.ssl.SSLContext.getDefault();
    SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
    List<SNIServerName> sniHostNames = new ArrayList<>();
    sniHostNames.add(sniHostName);
    SSLParameters sslParams = sslContext.getDefaultSSLParameters();
    sslParams.setServerNames(sniHostNames);
    sslFilter = new SslFilter(sslContext);
    // sslFilter.setUseClientMode(true); // This is not required in 2.2.1, hence commented.
    connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
    e.printStackTrace();
    LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
}
connector.setHandler(ioHandler);

Here is the Apache MINA 2.0.21 SslHandler.java code with PEER_ADDRESS:

    /* no qualifier */ void init() throws SSLException {
        if (sslEngine != null) {
            // We already have a SSL engine created, no need to create a new one
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
        }
        InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
        // Create the SSL engine here
        if (peer == null) {
            sslEngine = sslFilter.sslContext.createSSLEngine();
        } else {
            sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
        }
        // Initialize the engine in client mode if necessary
        sslEngine.setUseClientMode(sslFilter.isUseClientMode());


Regards,
------------------------------------------
M.V.S.Kishore
91-9886412814


On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <[email protected]> wrote:

> Hi,
>
> On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > Thanks Emmanuel for the quick response. I have a few more questions on the
> > upgrade. Please do the needful.
> > If I want to upgrade from Apache MINA 2.0.21 to MINA 2.2.1, what steps
> > do I need to follow?
>
> There are two pages that explain the difference between 2.0 and 2.1, and
> 2.1 and 2.2:
> * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> * https://mina.apache.org/mina-project/2.2-vs-2.1.html
>
> The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> session. It's pretty trivial.
>
> The 2.2. vs 2.1 migration is a bit more complicated, *if* you were using
> startTLS.
>
> Otherwise, it's pretty straightforward.
>
> Also note that the SSL handler has been completely reworked in 2.2.
>
> > Is it just a jar file change in the classpath or do I need to do any
> > more changes?
>
> It should be just about changing the jar.
>
>
> > Also, we are using https for communication; in this case what
> > changes are needed?
>
> Nothing, AFAICT.
>
> > I have seen there is a change in the way we pass the SNI host name in 2.0.21
> > vs 2.2.1?
>
> Hmmm, not that I remember. Do you have any pointer?
>
> > First of all, is it recommended to migrate from 2.0.21 to MINA 2.2.1?
>
> Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
> branch is clearly the one we maintain.
>
> > Will the state machine work without doing any changes?
>
> It should not have changed.
>
> Hope it helps.
>
> >
> > Regards,
> > ------------------------------------------
> > M.V.S.Kishore
> >
> >
> > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> Mina 2.0 branch is pretty old (5 years) and we have made significant
> >> changes in the 2.1 and more important the 2.2 branches. You should
> >> seriously consider migrating to 2.2. That  being said:
> >>
> >> - 40 seconds to do whatever that was taking a few milliseconds sounds
> >> like a major regression, aka bug.
> >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes
> >> little sense. The CVE only impacts the HTTP decoder. In other words, if
> >> it's working, don't break it...
> >> - We don't have enough context to tell you what could go wrong in your
> >> code. If you provide some piece of code we can run, we can investigate,
> >> otherwise it's like shouting in the dark... Typically, we have no clue
> >> about what the gpbMessageFilter does.
> >>
> >> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> >>> Hi,
> >>> There was a security vulnerability in MINA 2.0.21, so we migrated
> >>> from Apache MINA 2.0.21 to 2.0.23. Locally in the dev environment everything
> >>> looks good, but in production we are facing a connection timeout issue with
> >>> the MINA version 2.0.23.
> >>> For connection set up it was taking 10-20 milliseconds (less than a second)
> >>> with the old version (2.0.21).
> >>> With the new version, even after 40 seconds the connection was timed out.
> >>>
> >>> We use the same NioSocketConnector  instance for opening 100
> >>> parallel connections.
> >>>
> >>> *Question:*
> >>> *My query is why is it taking more than 40 seconds for opening
> >>> the socket with the new version?*
> >>>
> >>> We are not using https communication.
> >>>
> >>> *Could you please suggest a work around.*
> >>>
> >>> What's happening in the below code is that MINA is timing out after 40 seconds,
> >>> and also the IO session has been created using a state machine in separate
> >>> threads; both are running in two parallel threads. This issue is not seen
> >>> with the MINA 2.0.21 version.
> >>>
> >>> *Here is the code snippet.*
> >>>
> >>> private static final ExecutorFilter executorFilter = new ExecutorFilter(16, 32);
> >>>
> >>> StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class)
> >>>         .create(G10MinaClient.CONNECTED, new G10MinaClient(processor));
> >>>
> >>> IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
> >>>         new IoSessionStateContextLookup(new StateContextFactory() {
> >>>             @Override
> >>>             public StateContext create() {
> >>>                 final G10StateContext stateContext = new G10StateContext();
> >>>                 stateContext.setStartedTime(new Date());
> >>>                 return stateContext;
> >>>             }
> >>>         })).create(IoHandler.class, stateMachine);
> >>>
> >>> NioSocketConnector connector = new NioSocketConnector();
> >>> connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
> >>> connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
> >>> connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
> >>> connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
> >>> connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
> >>> connector.setHandler(ioHandler);
> >>> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
> >>> // MINA_CLOSE_TIMEOUT is 40 seconds
> >>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) {
> >>>     if (handleIOException(searchExpression, captureHandler)) {
> >>>         return;
> >>>     }
> >>>     LOG.info("{} Apache mina connection setup time out happend.",
> >>>             handleConnectionFailed(primaryAddress, captureHandler, "Primary IP connection timeout"));
> >>>     return;
> >>> }
> >>>
> >>> Regards,
> >>> M.V.S.Kishore
> >>> 91-9886412814
> >>>
> >>
> >> --
> >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> >> T. +33 (0)4 89 97 36 50
> >> P. +33 (0)6 08 33 32 61
> >> [email protected] https://www.busit.com/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
> >>
> >>
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> [email protected] https://www.busit.com/
>
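The 2.2 counterpart of the PEER_ADDRESS trick from the top of the thread, as an added example that is not code from this thread or from the MINA project: the filter subclass below puts the SNI name on the SSLEngine's own SSLParameters, which is where JSSE reads it, instead of on a session attribute. Everything MINA-specific in it is an assumption to check against the 2.2.10 source: that SslFilter exposes a protected createEngine(IoSession, InetSocketAddress) hook that it calls once the session is connected, and that the SslFilter(SSLContext) constructor is unchanged. The class name SniSslFilter and its constructor parameter are mine; the host name eid.17.cid.0 is the one from the message.

```java
import java.net.InetSocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Example, not MINA project code: a client-side SslFilter for MINA 2.2 that
 * sends a fixed SNI host name even though the connector dials a bare IP.
 *
 * ASSUMPTION: MINA 2.2's SslFilter has the hook
 *     protected SSLEngine createEngine(IoSession session, InetSocketAddress addr)
 * which took over the job of the 2.0 PEER_ADDRESS attribute. Verify the name
 * and signature against the 2.2.10 source before relying on it.
 */
public class SniSslFilter extends SslFilter {

    // SNIServerName (not SNIHostName) so that singletonList() infers the List type
    // that SSLParameters.setServerNames(List<SNIServerName>) expects
    private final SNIServerName sniHostName;

    public SniSslFilter(SSLContext sslContext, String sniHostName) {
        super(sslContext);
        // SNIHostName validates the value: non-empty, no trailing dot, valid IDN.
        // A bad name fails here, at configuration time, rather than mid-handshake.
        this.sniHostName = new SNIHostName(sniHostName);
    }

    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        // Let MINA build the engine as it normally would (client mode,
        // enabled protocols and cipher suites, client-auth flags).
        SSLEngine engine = super.createEngine(session, addr);

        // JSSE only derives an SNI entry on its own when the peer host handed to
        // createSSLEngine(host, port) is a DNS name. For an IP literal nothing is
        // sent, so the server_name extension has to be set explicitly.
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(Collections.singletonList(sniHostName));

        // A raw SSLEngine performs no host-name check unless told to. With "HTTPS"
        // the JDK trust manager compares the server certificate against the
        // requested SNI name (falling back to the peer host), so a certificate
        // issued for some other name is rejected instead of silently accepted.
        params.setEndpointIdentificationAlgorithm("HTTPS");

        engine.setSSLParameters(params);
        return engine;
    }
}
```

Install it in place of the plain filter: connector.getFilterChain().addFirst("sslFilter", new SniSslFilter(SSLContext.getDefault(), "eid.17.cid.0")). The difference from the 2.2.10 attempt in the message is where the SSLParameters end up: building them from sslContext.getDefaultSSLParameters() and never handing them to the filter or the engine leaves the ClientHello without a server_name extension, which is consistent with the destination server not seeing the name. Setting the endpoint identification algorithm is the defensive half of the change; without it the SNI name is sent but the certificate that comes back is never compared to it.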
