Thank you all for the help. Here is my SSL implementation for making it work
with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.

import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

public class CustomSslFilter extends SslFilter {
    // Session attribute keys. The IoSessionInitializer stores the SNI host
    // name (a String) and the port (an Integer) under these keys.
    public static final String SNIHostNames = "SNIHostNames";
    public static final String PortNumber = "PortNumber";

    public CustomSslFilter(SSLContext sslContext) {
        super(sslContext);
    }

    // Override createEngine. In 2.2 the filter calls this with the session's
    // real remote address; the SNI host name is taken from the session instead.
    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        String sniHostName = (String) session.getAttribute(SNIHostNames);
        Integer port = (Integer) session.getAttribute(PortNumber);

        SSLEngine sslEngine;
        if (sniHostName != null && port != null) {
            // createUnresolved: no DNS lookup, the name is only handed to the
            // engine as the peer host (which seeds SNI); the socket is already
            // connected to the real IP.
            InetSocketAddress peer = InetSocketAddress.createUnresolved(sniHostName, port);
            sslEngine = sslContext.createSSLEngine(peer.getHostString(), peer.getPort());
        } else if (addr != null) {
            sslEngine = sslContext.createSSLEngine(addr.getHostString(), addr.getPort());
        } else {
            sslEngine = sslContext.createSSLEngine();
        }
        // Note: createSSLEngine(host, port) does not enable host name
        // verification; JSSE only checks the certificate name when an endpoint
        // identification algorithm is set on the engine's SSLParameters.

        // Always start with WANT, which will be squashed by NEED if NEED is true.
        // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
        if (wantClientAuth) {
            sslEngine.setWantClientAuth(true);
        }

        if (needClientAuth) {
            sslEngine.setNeedClientAuth(true);
        }

        if (enabledCipherSuites != null) {
            sslEngine.setEnabledCipherSuites(enabledCipherSuites);
        }

        if (enabledProtocols != null) {
            sslEngine.setEnabledProtocols(enabledProtocols);
        }

        sslEngine.setUseClientMode(!session.isServer());

        return sslEngine;
    }
}


IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {

    @Override
    public void initializeSession(IoSession session, ConnectFuture future) {
        // The initializer runs before the filter chain is built, so both
        // attributes are already present when CustomSslFilter.createEngine() runs.
        session.setAttribute(SNIHostNames, "example.com");
        session.setAttribute(PortNumber, 8443);
    }
};

try {
    NioSocketConnector connector = getConnector();
    ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
} catch (RuntimeIoException eio) {
    initializationException = eio;
}

------------------------------------------
M.V.S.Kishore
91-9886412814
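As an added example (editor's code, not from any post in this thread and not part of MINA), here is a variant of the same createEngine override that does two things the posted filter does not: it sends the SNI name explicitly through SSLParameters instead of relying on the peer host given to createSSLEngine, and it turns on HTTPS endpoint identification so the server certificate is actually checked against that name. It assumes only the protected createEngine(IoSession, InetSocketAddress) hook that the thread shows for mina-core 2.2.x; the class name SniSslFilter, the attribute key SNI_HOST_NAME and the helper sniInitializer are illustrative names chosen here.

```java
import java.net.InetSocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.mina.core.future.ConnectFuture;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.core.session.IoSessionInitializer;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Added example, not code from the thread or from MINA itself. Client-side
 * SslFilter for MINA 2.2.x that sends an explicit SNI name taken from a session
 * attribute and verifies the server certificate against that name. It relies
 * only on the protected createEngine(IoSession, InetSocketAddress) hook shown
 * in the thread; everything else is plain JSSE.
 */
public class SniSslFilter extends SslFilter {

    /** Hypothetical attribute key; sniInitializer() stores a String under it. */
    public static final String SNI_HOST_NAME = SniSslFilter.class.getName() + ".sniHostName";

    public SniSslFilter(SSLContext sslContext) {
        super(sslContext);
    }

    /** Initializer that records the logical host name for one connect() call. */
    public static IoSessionInitializer<ConnectFuture> sniInitializer(final String sniHostName) {
        // SNIHostName rejects IP literals and malformed names up front, which is
        // better than silently sending no server_name extension at all.
        new SNIHostName(sniHostName);
        return new IoSessionInitializer<ConnectFuture>() {
            @Override
            public void initializeSession(IoSession session, ConnectFuture future) {
                session.setAttribute(SNI_HOST_NAME, sniHostName);
            }
        };
    }

    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        // Let the parent create the engine for the real remote address and apply
        // the filter's cipher suite, protocol and client-auth settings as usual.
        SSLEngine engine = super.createEngine(session, addr);

        String sniHostName = (String) session.getAttribute(SNI_HOST_NAME);
        if (sniHostName == null || !engine.getUseClientMode()) {
            return engine; // server side, or no logical host: unchanged behaviour
        }

        SSLParameters params = engine.getSSLParameters();
        // Explicit server_name, independent of the IP the socket connected to.
        // JSSE never sends an IP literal as SNI, so when the logical name differs
        // from the connect address this is where it has to be supplied.
        params.setServerNames(Collections.singletonList(new SNIHostName(sniHostName)));
        // JSSE does no certificate name check by default. With "HTTPS" the trust
        // manager matches the certificate against the requested SNI name (falling
        // back to the peer host), so a certificate the CA issued for some other
        // name is rejected instead of being accepted because it chains to a root.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }
}
```

Wire it up as in the thread: add the filter with addFirst and call connector.connect(address, SniSslFilter.sniInitializer("eid.17.cid.0")). The attribute is set while the session is initialised, before the filter chain is built, so it is visible when the filter creates the engine on connect. Reading the parameters back with getSSLParameters() and re-applying them keeps whatever cipher suites and protocols the parent already configured.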


On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <john...@apache.org> wrote:

> Looking at the code for your existing filter it appears like you’re just
> trying to create the SSLEngine so it can be reused for subsequent
> connections by passing in the IP address and Port?
>
> This is already a feature in the new filter.
>
> https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
>
> If you want to perform any customization during the SSL Engine setup, just
> override createEngine
>
>
> On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore....@gmail.com>
> wrote:
>
> > Currently we are using the following custom SSL filter for passing the SNI
> > host name. For doing this we are using PEER_ADDRESS.
> > This was available in apache mina 2.0.21 SslHandler.java, but this attribute
> > is not available in 2.2.10.
> > This PEER_ADDRESS (eid.17.cid.0) is different from the actual IP address to
> > which it connects, but this information is needed for the destination
> > server.
> >
> > *Existing implementation:*
> >
> > SslFilter sslFilter;
> > try {
> >     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> >     sslFilter = new CustomSslFilter(sslContext); // passing PEER_ADDRESS in overridden onPreAdd
> >     sslFilter.setUseClientMode(true);
> >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > } catch (Exception e) {
> >     e.printStackTrace();
> >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > }
> > connector.setHandler(ioHandler);
> >
> > *CustomSslFilter.java:*
> >
> > import java.net.InetSocketAddress;
> > import javax.net.ssl.SSLContext;
> > import javax.net.ssl.SSLException;
> > import org.apache.mina.core.filterchain.IoFilterChain;
> > import org.apache.mina.core.session.IoSession;
> > import org.apache.mina.filter.ssl.SslFilter;
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> >
> > public class CustomSslFilter extends SslFilter {
> >     private static final Logger LOGGER = LoggerFactory.getLogger(CustomSslFilter.class);
> >
> >     public CustomSslFilter(SSLContext sslContext) {
> >         super(sslContext, true);
> >     }
> >
> >     @Override
> >     public void onPreAdd(IoFilterChain parent, String name, NextFilter nextFilter) throws SSLException {
> >         // Check that we don't have a SSL filter already present in the chain
> >         if (parent.contains(SslFilter.class)) {
> >             String msg = "Only one SSL filter is permitted in a chain.";
> >             LOGGER.error(msg);
> >             throw new IllegalStateException(msg);
> >         }
> >         IoSession session = parent.getSession();
> >         Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
> >         // The SNI host name differs from the IP the socket connects to; 2.0.x
> >         // reads it back from the PEER_ADDRESS attribute when creating the engine.
> >         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
> >                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
> >         session.setAttribute(PEER_ADDRESS, probeAddress);
> >         super.onPreAdd(parent, name, nextFilter);
> >     }
> > }
> >
> > We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I
> > did, but it is not working. Please do the needful.
> > *Question:*
> > How to pass this SNI host name for creating the SSLEngine?
> >
> > *Here is the new implementation changed as per the new Mina 2.2.10 API:*
> > try {
> >     sslContext = javax.net.ssl.SSLContext.getDefault();
> >     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
> >     List<SNIServerName> sniHostNames = new ArrayList<>();
> >     sniHostNames.add(sniHostName);
> >     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> >     sslParams.setServerNames(sniHostNames);
> >     sslFilter = new SslFilter(sslContext);
> >     // sslFilter.setUseClientMode(true); // This is not required in 2.2.1, hence commented.
> >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > } catch (Exception e) {
> >     e.printStackTrace();
> >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > }
> > connector.setHandler(ioHandler);
> >
> > Here is the Apache mina 2.0.21 code with PEER_ADDRESS in SslHandler.java:
> >
> > /* no qualifier */ void init() throws SSLException {
> >     if (sslEngine != null) {
> >         // We already have a SSL engine created, no need to create a new one
> >         return;
> >     }
> >     if (LOGGER.isDebugEnabled()) {
> >         LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
> >     }
> >     InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
> >     // Create the SSL engine here
> >     if (peer == null) {
> >         sslEngine = sslFilter.sslContext.createSSLEngine();
> >     } else {
> >         sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> >     }
> >     // Initialize the engine in client mode if necessary
> >     sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> >
> >
> > Regards,
> > ------------------------------------------
> > M.V.S.Kishore
> > 91-9886412814
> >
> >
> > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <elecha...@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > > > Thanks Emmanuel for the quick response. I have a few more questions on
> > > > the upgrade. Please do the needful.
> > > > If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1, what all
> > > > steps do I need to follow?
> > >
> > > There are two pages that explain the difference between 2.0 and 2.1, and
> > > 2.1 and 2.2:
> > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> > > * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> > >
> > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> > > session. It's pretty trivial.
> > >
> > > The 2.2 vs 2.1 migration is a bit more complicated, *if* you were using
> > > startTLS.
> > >
> > > Otherwise, it's pretty straightforward.
> > >
> > > Also note that the SSL handler has been completely reworked in 2.2.
> > >
> > > > Is it just a jar file change in the classpath or do I need to do any
> > > > more changes?
> > >
> > > It should be just about changing the jar.
> > >
> > >
> > > > Also, we are using https for communication. In this case what all
> > > > changes are needed?
> > >
> > > Nothing, AFAICT.
> > >
> > > > I have seen there is a change in the way we pass the SNI host name in
> > > > 2.0.21 vs 2.2.1?
> > >
> > > Hmmm, not that I remember. Do you have any pointer?
> > >
> > > > First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
> > >
> > > Oh yes! Simply because the SSL rewrite was necessary, also because the 2.2
> > > branch is clearly the one we maintain.
> > >
> > > > Will the state machine work without doing any changes?
> > >
> > > It should not have changed.
> > >
> > > Hope it helps.
> > >
> > > >
> > > > Regards,
> > > > ------------------------------------------
> > > > M.V.S.Kishore
> > > >
> > > >
> > > > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecha...@gmail.com> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Mina 2.0 branch is pretty old (5 years) and we have made significant
> > > >> changes in the 2.1 and more important the 2.2 branches. You should
> > > >> seriously consider migrating to 2.2. That being said:
> > > >>
> > > >> - 40 seconds to do whatever that was taking a few milliseconds sounds
> > > >> like a major regression, aka bug.
> > > >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes
> > > >> little sense. The CVE only impacts the HTTP decoder. In other words, if
> > > >> it's working, don't break it...
> > > >> - We don't have enough context to tell you what could go wrong in your
> > > >> code. If you provide some piece of code we can run, we can investigate,
> > > >> otherwise it's like shouting in the dark... Typically, we have no clue
> > > >> about what the gpbMessageFilter does.
> > > >>
> > > >> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> > > >>> Hi,
> > > >>> There was a security vulnerability in mina 2.0.21, so we migrated
> > > >>> from apache mina 2.0.21 to 2.0.23. Locally in the dev environment
> > > >>> everything looks good, but in production we are facing a connection
> > > >>> timeout issue with the mina version 2.0.23.
> > > >>> For connection set up it was taking 10-20 milliseconds (less than a
> > > >>> second) with the old version (2.0.21).
> > > >>> With the new version even after 40 seconds the connection was timed out.
> > > >>>
> > > >>> We use the same NioSocketConnector instance for opening 100
> > > >>> parallel connections.
> > > >>>
> > > >>> *Question:*
> > > >>> *My query is why it is taking more time, more than 40 seconds, for
> > > >>> opening the socket with the new version?*
> > > >>>
> > > >>> We are not using https communication.
> > > >>>
> > > >>> *Could you please suggest a work around.*
> > > >>>
> > > >>> What's happening in the below code is mina is timing out after 40
> > > >>> seconds and also the IO session has been created using a state machine
> > > >>> in separate threads; both are running in two parallel threads. This
> > > >>> issue is not seen with the mina 2.0.21 version.
> > > >>>
> > > >>> *Here is the code snippet.*
> > > >>>
> > > >>> private static final ExecutorFilter executorFilter = new ExecutorFilter(16, 32);
> > > >>>
> > > >>> StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class).create(
> > > >>>         G10MinaClient.CONNECTED, new G10MinaClient(processor));
> > > >>>
> > > >>> IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
> > > >>>         new IoSessionStateContextLookup(new StateContextFactory() {
> > > >>>             @Override
> > > >>>             public StateContext create() {
> > > >>>                 final G10StateContext stateContext = new G10StateContext();
> > > >>>                 stateContext.setStartedTime(new Date());
> > > >>>                 return stateContext;
> > > >>>             }
> > > >>>         })).create(IoHandler.class, stateMachine);
> > > >>>
> > > >>> NioSocketConnector connector = new NioSocketConnector();
> > > >>> connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
> > > >>> connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
> > > >>> connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
> > > >>> connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
> > > >>> connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
> > > >>> connector.setHandler(ioHandler);
> > > >>> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
> > > >>> // MINA_CLOSE_TIMEOUT is 40 seconds
> > > >>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) {
> > > >>>     if (handleIOException(searchExpression, captureHandler)) {
> > > >>>         return;
> > > >>>     }
> > > >>>     LOG.info("{} Apache mina connection setup time out happened.",
> > > >>>             handleConnectionFailed(primaryAddress, captureHandler, "Primary IP connection timeout"));
> > > >>>     return;
> > > >>> }
> > > >>>
> > > >>> Regards,
> > > >>> M.V.S.Kishore
> > > >>> 91-9886412814
> > > >>>
> > > >>
> > > >> --
> > > >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > >> T. +33 (0)4 89 97 36 50
> > > >> P. +33 (0)6 08 33 32 61
> > > >> emmanuel.lecha...@busit.com https://www.busit.com/
> > > >>
> > > >>
> > > >>
> > > >>
> > > >
> > >
> >
>
