Cool. That was easy.

On Mon, Apr 17, 2023 at 11:05 AM Kishore Mokkarala <kishore....@gmail.com> wrote:
> Thank you all for the help. Here is my SSL implementation for making it work with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
>
> import java.net.InetSocketAddress;
>
> import javax.net.ssl.SSLContext;
> import javax.net.ssl.SSLEngine;
>
> import org.apache.mina.core.session.AttributeKey;
> import org.apache.mina.core.session.IoSession;
> import org.apache.mina.filter.ssl.SslFilter;
>
> public class CustomSslFilter extends SslFilter {
>     // Session attribute keys; the IoSessionInitializer below stores the SNI host name and port under them
>     public static final AttributeKey SNIHostNames = new AttributeKey(CustomSslFilter.class, "SNIHostNames");
>     public static final AttributeKey PortNumber = new AttributeKey(CustomSslFilter.class, "PortNumber");
>
>     public CustomSslFilter(SSLContext sslContext) {
>         super(sslContext);
>     }
>
>     // Override createEngine
>     @Override
>     protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
>         // Add your SNI host name and port in the IoSession
>         String sniHostName = (String) session.getAttribute(SNIHostNames);
>         Integer port = (Integer) session.getAttribute(PortNumber);
>         // Use the SNI host name when the session carries one, otherwise fall back to the real peer address
>         InetSocketAddress peer = (sniHostName != null && port != null)
>                 ? InetSocketAddress.createUnresolved(sniHostName, port)
>                 : addr;
>         SSLEngine sslEngine = (peer != null)
>                 ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
>                 : sslContext.createSSLEngine();
>
>         // Always start with WANT, which will be squashed by NEED if NEED is true.
>         // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
>         if (wantClientAuth) {
>             sslEngine.setWantClientAuth(true);
>         }
>
>         if (needClientAuth) {
>             sslEngine.setNeedClientAuth(true);
>         }
>
>         if (enabledCipherSuites != null) {
>             sslEngine.setEnabledCipherSuites(enabledCipherSuites);
>         }
>
>         if (enabledProtocols != null) {
>             sslEngine.setEnabledProtocols(enabledProtocols);
>         }
>
>         sslEngine.setUseClientMode(!session.isServer());
>
>         return sslEngine;
>     }
> }
>
> IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {
>
>     @Override
>     public void initializeSession(IoSession session, ConnectFuture future) {
>         session.setAttribute(CustomSslFilter.SNIHostNames, "example.com");
>         session.setAttribute(CustomSslFilter.PortNumber, 8443);
>     }
> };
>
> try {
>     NioSocketConnector connector = getConnector();
>     ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
> } catch (RuntimeIoException eio) {
>     initializationException = eio;
> }
>
> ------------------------------------------
> M.V.S.Kishore
> 91-9886412814
>
>
> On Fri, 14 Apr 2023 at 18:43,
> Jonathan Valliere <john...@apache.org> wrote:
>
> > Looking at the code for your existing filter it appears like you’re just trying to create the SSLEngine so it can be reused for subsequent connections by passing in the IP address and Port?
> >
> > This is already a feature in the new filter.
> >
> > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
> >
> > If you want to perform any customization during the SSL Engine setup, just override createEngine
> >
> >
> > On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore....@gmail.com> wrote:
> >
> > > Currently we are using the following custom SSL filter for passing SNI host name. For doing this we are using PEER_ADDRESS.
> > > This was available in apache mina 2.0.21 SslHandler.java, but this attribute is not available in 2.2.10.
> > > This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address to which it connects, but this information is needed for the destination server.
> > >
> > > *Existing implementation:*
> > >
> > > SslFilter sslFilter;
> > > try {
> > >     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     sslFilter = new CustomSslFilter(sslContext); // passing PEER_ADDRESS in overridden onPreAdd
> > >     sslFilter.setUseClientMode(true);
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > *CustomSslFilter.java:*
> > >
> > > public class CustomSslFilter extends SslFilter
> > > {
> > >
> > >     public CustomSslFilter(SSLContext sslContext) {
> > >         super(sslContext, true);
> > >     }
> > >
> > >     @Override
> > >     public void onPreAdd(IoFilterChain parent, String name, NextFilter nextFilter) throws SSLException {
> > >         // Check that we don't have a SSL filter already present in the chain
> > >         if (parent.contains(SslFilter.class)) {
> > >             String msg = "Only one SSL filter is permitted in a chain.";
> > >             LOGGER.error(msg);
> > >             throw new IllegalStateException(msg);
> > >         }
> > >         IoSession session = parent.getSession();
> > >         Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
> > >         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
> > >                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
> > >         session.setAttribute(PEER_ADDRESS, probeAddress);
> > >         super.onPreAdd(parent, name, nextFilter);
> > >     }
> > > }
> > >
> > > We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I did, but it is not working. Please do the needful.
> > > *Question:*
> > > How to pass this SNI host name for creating SSLEngine?
> > >
> > > *Here is the new implementation changed as per new Mina 2.2.10 API:*
> > >
> > > try {
> > >     sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
> > >     List<SNIServerName> sniHostNames = new ArrayList<>();
> > >     sniHostNames.add(sniHostName);
> > >     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> > >     sslParams.setServerNames(sniHostNames);
> > >     sslFilter = new SslFilter(sslContext);
> > >     //sslFilter.setUseClientMode(true); // This is not required in 2.2.1, hence commented.
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > Here is the Apache mina 2.0.21 code with PEER_ADDRESS in SslHandler.java:
> > >
> > > /* no qualifier */ void init() throws SSLException {
> > >     if (sslEngine != null) {
> > >         // We already have a SSL engine created, no need to create a new one
> > >         return;
> > >     }
> > >     if (LOGGER.isDebugEnabled()) {
> > >         LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
> > >     }
> > >     InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
> > >     // Create the SSL engine here
> > >     if (peer == null) {
> > >         sslEngine = sslFilter.sslContext.createSSLEngine();
> > >     } else {
> > >         sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> > >     }
> > >     // Initialize the engine in client mode if necessary
> > >     sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> > >
> > >
> > > Regards,
> > > ------------------------------------------
> > > M.V.S.Kishore
> > > 91-9886412814
> > >
> > >
> > > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <elecha...@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > > > > Thanks Emmanuel for the quick response. I have a few more questions on the upgrade. Please do the needful.
> > > > > If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1, what all steps do I need to follow?
> > > >
> > > > There are two pages that explain the difference between 2.0 and 2.1, and 2.1 and 2.2:
> > > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> > > > * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> > > >
> > > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured session. It's pretty trivial.
> > > >
> > > > The 2.2 vs 2.1 migration is a bit more complicated, *if* you were using startTLS.
> > > >
> > > > Otherwise, it's pretty straightforward.
> > > >
> > > > Also note that the SSL handler has been completely reworked in 2.2.
> > > >
> > > > > Is it just a jar file change in the classpath or do I need to do any more changes?
> > > >
> > > > It should be just about changing the jar.
> > > >
> > > > > Also we are also using https for communication; in this case what all changes are needed?
> > > >
> > > > Nothing, AFAICT.
> > > >
> > > > > I have seen there is a change in the way we pass the SNI host name in 2.0.21 vs 2.2.1?
> > > >
> > > > Hmmm, not that I remember. Do you have any pointer?
> > > >
> > > > > First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
> > > >
> > > > Oh yes! Simply because the SSL rewrite was necessary, also because the 2.2 branch is clearly the one we maintain.
> > > >
> > > > > Will the state machine work without doing any changes?
> > > >
> > > > It should not have changed.
> > > >
> > > > Hope it helps.
> > > >
> > > > >
> > > > > Regards,
> > > > > ------------------------------------------
> > > > > M.V.S.Kishore
> > > > >
> > > > >
> > > > > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecha...@gmail.com> wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Mina 2.0 branch is pretty old (5 years) and we have made significant changes in the 2.1 and, more important, the 2.2 branches. You should seriously consider migrating to 2.2.
> > > > >> That being said:
> > > > >>
> > > > >> - 40 seconds to do whatever was taking a few milliseconds sounds like a major regression, aka bug.
> > > > >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes little sense. The CVE only impacts the HTTP decoder. In other words, if it's working, don't break it...
> > > > >> - We don't have enough context to tell you what could go wrong in your code. If you provide some piece of code we can run, we can investigate, otherwise it's like shouting in the dark... Typically, we have no clue about what the gpbMessageFilter does.
> > > > >>
> > > > >> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> > > > >>> Hi,
> > > > >>> There was a security vulnerability in mina 2.0.21, so we migrated from apache mina 2.0.21 to 2.0.23. Locally in the dev environment everything looks good, but in production we are facing a connection timeout issue with the mina version 2.0.23.
> > > > >>> For connection set up it was taking 10-20 milliseconds (less than a second) with the old version (2.0.21).
> > > > >>> With the new version, even after 40 seconds the connection was timed out.
> > > > >>>
> > > > >>> We use the same NioSocketConnector instance for opening 100 parallel connections.
> > > > >>>
> > > > >>> *Question:*
> > > > >>> *My query is why it is taking more than 40 seconds for opening the socket with the new version?*
> > > > >>>
> > > > >>> We are not using https communication.
> > > > >>>
> > > > >>> *Could you please suggest a work around.*
> > > > >>>
> > > > >>> What's happening in the below code is that mina times out after 40 seconds, and also the IO session has been created using a state machine in separate threads; both are running in two parallel threads. This issue is not seen with the mina 2.0.21 version.
> > > > >>>
> > > > >>> *Here is the code snippet.*
> > > > >>>
> > > > >>> private static final ExecutorFilter executorFilter = new ExecutorFilter(16, 32);
> > > > >>>
> > > > >>> StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class)
> > > > >>>         .create(G10MinaClient.CONNECTED, new G10MinaClient(processor));
> > > > >>>
> > > > >>> IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
> > > > >>>         new IoSessionStateContextLookup(new StateContextFactory() {
> > > > >>>             @Override
> > > > >>>             public StateContext create() {
> > > > >>>                 final G10StateContext stateContext = new G10StateContext();
> > > > >>>                 stateContext.setStartedTime(new Date());
> > > > >>>                 return stateContext;
> > > > >>>             }
> > > > >>>         })).create(IoHandler.class, stateMachine);
> > > > >>>
> > > > >>> NioSocketConnector connector = new NioSocketConnector();
> > > > >>> connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
> > > > >>> connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
> > > > >>> connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
> > > > >>> connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
> > > > >>> connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
> > > > >>> connector.setHandler(ioHandler);
> > > > >>> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
> > > > >>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) // MINA_CLOSE_TIMEOUT is 40 seconds
> > > > >>> {
> > > > >>>     if (handleIOException(searchExpression, captureHandler)) {
> > > > >>>         return;
> > > > >>>     }
> > > > >>>     LOG.info("{} Apache mina connection setup time out happened.",
> > > > >>>             handleConnectionFailed(primaryAddress, captureHandler, "Primary IP connection timeout"));
> > > > >>>     return;
> > > > >>> }
> > > > >>>
> > > > >>> Regards,
> > > > >>> M.V.S.Kishore
> > > > >>> 91-9886412814
> > > > >>>
> > > > >>
> > > > >> --
> > > > >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > > >> T. +33 (0)4 89 97 36 50
> > > > >> P. +33 (0)6 08 33 32 61
> > > > >> emmanuel.lecha...@busit.com https://www.busit.com/
> > > > >>
> > > > >> ---------------------------------------------------------------------
> > > > >> To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
> > > > >> For additional commands, e-mail: users-h...@mina.apache.org
> > > > >>
> > > > >>
> > > > >
> > > >
> > > > --
> > > > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > > T. +33 (0)4 89 97 36 50
> > > > P. +33 (0)6 08 33 32 61
> > > > emmanuel.lecha...@busit.com https://www.busit.com/
> > >
> > >
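The thread settles on the MINA 2.2 way of doing what PEER_ADDRESS did in 2.0: override SslFilter.createEngine and build the SSLEngine with the logical host name and port, which the JDK's client-mode engine then sends as the SNI value. Two things in the thread are worth making explicit. First, the 2.2 attempt that built an SSLParameters with setServerNames never handed those parameters to an engine, which is why it had no effect; parameters only matter once applied with SSLEngine.setSSLParameters. Second, giving the engine a host name does not by itself make the JDK check the server certificate against that name; that requires the HTTPS endpoint identification algorithm, and it is exactly the check you want when the name in SNI (eid.17.cid.0 in the thread) differs from the IP you connect to. The following is an added example written for this page, not MINA's or the original poster's code. It assumes, as Jonathan's reply states, that createEngine(IoSession, InetSocketAddress) is the 2.2 hook to override; the class name SniSslFilter, the attribute keys SNI_HOST and SNI_PORT, the factory method sniInitializer and the address 192.0.2.10 are this example's own choices.

```java
import java.net.InetSocketAddress;
import java.util.Collections;

import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import org.apache.mina.core.future.ConnectFuture;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.AttributeKey;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.core.session.IoSessionInitializer;
import org.apache.mina.filter.ssl.SslFilter;
import org.apache.mina.transport.socket.nio.NioSocketConnector;

/**
 * Client-side SslFilter for MINA 2.2 that sends a logical host name as SNI and
 * verifies the server certificate against that same name, even though the TCP
 * connection goes to a (different) IP address. Example code, not MINA's own.
 */
public class SniSslFilter extends SslFilter {

    // Session attributes filled in by the IoSessionInitializer (names chosen for this example).
    public static final AttributeKey SNI_HOST = new AttributeKey(SniSslFilter.class, "sniHost");
    public static final AttributeKey SNI_PORT = new AttributeKey(SniSslFilter.class, "sniPort");

    public SniSslFilter(SSLContext sslContext) {
        super(sslContext);
    }

    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        String sniHost = (String) session.getAttribute(SNI_HOST);
        Integer sniPort = (Integer) session.getAttribute(SNI_PORT);

        // Prefer the logical name stored on the session; otherwise keep the real peer address.
        InetSocketAddress peer = (sniHost != null && sniPort != null)
                ? InetSocketAddress.createUnresolved(sniHost, sniPort)
                : addr;

        // Let the base class create the engine with peer host/port and apply the filter's
        // client-auth, cipher-suite and protocol settings, then tighten the parameters.
        SSLEngine engine = super.createEngine(session, peer);

        if (engine.getUseClientMode() && sniHost != null) {
            SSLParameters params = engine.getSSLParameters();
            // State the SNI explicitly rather than relying on the peer-host default.
            params.setServerNames(Collections.singletonList(new SNIHostName(sniHost)));
            // Without this the JDK does not compare the certificate to the host name:
            // any certificate chaining to the trust store would be accepted for any name.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params); // parameters take effect only once applied
        }
        return engine;
    }

    /** Stores the logical name on the session before the filter creates its engine. */
    public static IoSessionInitializer<ConnectFuture> sniInitializer(String host, int port) {
        return (session, future) -> {
            session.setAttribute(SNI_HOST, host);
            session.setAttribute(SNI_PORT, port);
        };
    }

    /** Connect to an IP (assumed, documentation range) but handshake as eid.17.cid.0. */
    public static void main(String[] args) throws Exception {
        NioSocketConnector connector = new NioSocketConnector();
        // SSLContext.getDefault() trusts whatever the JVM's default trust store contains.
        connector.getFilterChain().addFirst("sslFilter", new SniSslFilter(SSLContext.getDefault()));
        connector.setHandler(new IoHandlerAdapter());

        ConnectFuture future = connector.connect(
                new InetSocketAddress("192.0.2.10", 8443),
                sniInitializer("eid.17.cid.0", 8443));
        future.awaitUninterruptibly();
        if (future.isConnected()) {
            // A handshake against a certificate that does not match eid.17.cid.0 now fails
            // inside the filter instead of being silently accepted.
            future.getSession().closeNow().awaitUninterruptibly();
        }
        connector.dispose();
    }
}
```

Calling super.createEngine keeps the filter's own needClientAuth, wantClientAuth, cipher-suite and protocol handling intact; the subclass only changes which name the engine is created for and what it verifies. If your deployment also needs a private CA for eid.17.cid.0, build the SSLContext from a trust store containing that CA instead of using SSLContext.getDefault().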