Cool. That was easy.

On Mon, Apr 17, 2023 at 11:05 AM Kishore Mokkarala <kishore....@gmail.com>
wrote:

> Thank you all for the help. Here is my SSL implementation for making it work
> with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
>
> public class CustomSslFilter extends SslFilter {
>     // Session attribute keys; the IoSessionInitializer below stores the values under them
>     public static final String SNIHostNames = "SNIHostNames";
>     public static final String PortNumber = "PortNumber";
>
>     public CustomSslFilter(SSLContext sslContext) {
>         super(sslContext);
>     }
>
>     // Override createEngine
>     @Override
>     protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
>         // Add your SNI host name and port in the IoSession
>         String sniHostName = (String) session.getAttribute(SNIHostNames);
>         Integer portNumber = (Integer) session.getAttribute(PortNumber);
>         // Fall back to the address MINA hands us when no SNI target was stored
>         InetSocketAddress peer = (sniHostName != null && portNumber != null)
>                 ? InetSocketAddress.createUnresolved(sniHostName, portNumber)
>                 : addr;
>         SSLEngine sslEngine = (peer != null)
>                 ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
>                 : sslContext.createSSLEngine();
>
>         // Always start with WANT, which will be squashed by NEED if NEED is true.
>         // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
>         if (wantClientAuth) {
>             sslEngine.setWantClientAuth(true);
>         }
>
>         if (needClientAuth) {
>             sslEngine.setNeedClientAuth(true);
>         }
>
>         if (enabledCipherSuites != null) {
>             sslEngine.setEnabledCipherSuites(enabledCipherSuites);
>         }
>
>         if (enabledProtocols != null) {
>             sslEngine.setEnabledProtocols(enabledProtocols);
>         }
>
>         sslEngine.setUseClientMode(!session.isServer());
>
>         return sslEngine;
>     }
> }
>
>
> IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {
>
>     @Override
>     public void initializeSession(IoSession session, ConnectFuture future) {
>         session.setAttribute(SNIHostNames, "example.com");
>         session.setAttribute(PortNumber, 8443);
>     }
> };
>
> try {
>     NioSocketConnector connector = getConnector();
>     ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
> } catch (RuntimeIoException eio) {
>     initializationException = eio;
> }
>
> ------------------------------------------
> M.V.S.Kishore
> 91-9886412814
>
>
> On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <john...@apache.org>
> wrote:
>
> > Looking at the code for your existing filter it appears like you’re just
> > trying to create the SSLEngine so it can be reused for subsequent
> > connections by passing in the IP address and Port?
> >
> > This is already a feature in the new filter.
> >
> >
> > https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
> >
> > If you want to perform any customization during the SSL Engine setup,
> just
> > override createEngine
> >
> >
> > On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore....@gmail.com
> >
> > wrote:
> >
> > > Currently we are using the following custom SSL filter for passing the SNI
> > > host name. For doing this we are using PEER_ADDRESS.
> > > This was available in apache mina 2.0.21 SslHandler.java, but this
> > > attribute is not available in 2.2.10.
> > > This PEER_ADDRESS is *eid.17.cid.0*, different from the actual IP address
> > > to which it connects, but this information is needed for the destination
> > > server.
> > >
> > > *Existing implementation:*
> > >
> > > SslFilter sslFilter;
> > > try {
> > >     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     sslFilter = new CustomSslFilter(sslContext); // passing PEER_ADDRESS in overridden onPreAdd
> > >     sslFilter.setUseClientMode(true);
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > *CustomSslFilter.java:*
> > >
> > > public class CustomSslFilter extends SslFilter
> > > {
> > >
> > >     public CustomSslFilter(SSLContext sslContext) {
> > >         super(sslContext, true);
> > >     }
> > >
> > >     @Override
> > >     public void onPreAdd(IoFilterChain parent, String name,
> > >             NextFilter nextFilter) throws SSLException {
> > >         // Check that we don't have a SSL filter already present in the chain
> > >         if (parent.contains(SslFilter.class)) {
> > >             String msg = "Only one SSL filter is permitted in a chain.";
> > >             LOGGER.error(msg);
> > >             throw new IllegalStateException(msg);
> > >         }
> > >         IoSession session = parent.getSession();
> > >         Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
> > >         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
> > >                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
> > >         session.setAttribute(PEER_ADDRESS, probeAddress);
> > >         super.onPreAdd(parent, name, nextFilter);
> > >     }
> > > }
> > >
> > > We are planning to migrate from 2.0.21 to 2.2.10. Here are the changes I
> > > did, but it is not working. Please do the needful.
> > > *Question:*
> > > How to pass this SNI host name for creating the SSLEngine?
> > >
> > > *Here is the new implementation changed as per the new Mina 2.2.10 API:*
> > > try {
> > >     sslContext = javax.net.ssl.SSLContext.getDefault();
> > >     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
> > >     List<SNIServerName> sniHostNames = new ArrayList<>();
> > >     sniHostNames.add(sniHostName);
> > >     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> > >     sslParams.setServerNames(sniHostNames);
> > >     sslFilter = new SslFilter(sslContext);
> > >     //sslFilter.setUseClientMode(true); // This is not required in 2.2.1 hence commented.
> > >     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> > > } catch (Exception e) {
> > >     e.printStackTrace();
> > >     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> > > }
> > > connector.setHandler(ioHandler);
> > >
> > > Here is the Apache mina 2.0.21 code with PEER_ADDRESS in SslHandler.java:
> > >
> > >     /* no qualifier */void init() throws SSLException {
> > >         if (sslEngine != null) {
> > >             // We already have a SSL engine created, no need to create a new one
> > >             return;
> > >         }
> > >         if (LOGGER.isDebugEnabled()) {
> > >             LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
> > >         }
> > >         InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
> > >         // Create the SSL engine here
> > >         if (peer == null) {
> > >             sslEngine = sslFilter.sslContext.createSSLEngine();
> > >         } else {
> > >             sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> > >         }
> > >         // Initialize the engine in client mode if necessary
> > >         sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> > >
> > >
> > > Regards,
> > > ------------------------------------------
> > > M.V.S.Kishore
> > > 91-9886412814
> > >
> > >
> > > On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <elecha...@gmail.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > On 12/04/2023 18:00, Kishore Mokkarala wrote:
> > > > > Thanks Emmanuel for the quick response. I have a few more questions on
> > > > > the upgrade. Please do the needful.
> > > > > If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1, what all
> > > > > steps do I need to follow?
> > > >
> > > > There are two pages that explain the difference between 2.0 and 2.1,
> > > > and 2.1 and 2.2:
> > > > * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> > > > * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> > > >
> > > > The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> > > > session. It's pretty trivial.
> > > >
> > > > The 2.2 vs 2.1 migration is a bit more complicated, *if* you were
> > > > using startTLS.
> > > >
> > > > Otherwise, it's pretty straightforward.
> > > >
> > > > Also note that the SSL handler has been completely reworked in 2.2.
> > > >
> > > > > Is it just a jar file change in the classpath or do I need to do any
> > > > > more changes?
> > > >
> > > > It should be just about changing the jar.
> > > >
> > > >
> > > > > We are also using https for communication; in this case what all
> > > > > changes are needed?
> > > >
> > > > Nothing, AFAICT.
> > > >
> > > > > I have seen there is a change in the way we pass the SNI host name in
> > > > > 2.0.21 vs 2.2.1?
> > > >
> > > > Hmmm, not that I remember. Do you have any pointer?
> > > >
> > > > > First of all, is it recommended to migrate from 2.0.21 to mina 2.2.1?
> > > >
> > > > Oh yes! Simply because the SSL rewrite was necessary, also because the
> > > > 2.2 branch is clearly the one we maintain.
> > > >
> > > > > will the state machine work without doing any changes ?
> > > >
> > > > It should not have changed.
> > > >
> > > > Hope it helps.
> > > >
> > > > >
> > > > > Regards,
> > > > > ------------------------------------------
> > > > > M.V.S.Kishore
> > > > >
> > > > >
> > > > > On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <
> elecha...@gmail.com
> > >
> > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Mina 2.0 branch is pretty old (5 years) and we have made significant
> > > > >> changes in the 2.1 and more importantly the 2.2 branches. You should
> > > > >> seriously consider migrating to 2.2. That being said:
> > > > >>
> > > > >> - 40 seconds to do whatever was taking a few milliseconds sounds
> > > > >> like a major regression, aka bug.
> > > > >> - If you weren't using the HTTP part of MINA, migrating to 2.0.23
> > > > >> makes little sense. The CVE only impacts the HTTP decoder. In other
> > > > >> words, if it's working, don't break it...
> > > > >> - We don't have enough context to tell you what could go wrong in
> > > > >> your code. If you provide some piece of code we can run, we can
> > > > >> investigate, otherwise it's like shouting in the dark... Typically,
> > > > >> we have no clue about what the gpbMessageFilter does.
> > > > >>
> > > > >> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> > > > >>> Hi,
> > > > >>> There was a security vulnerability in mina 2.0.21, so we migrated
> > > > >>> from apache mina 2.0.21 to 2.0.23. Locally in the dev environment
> > > > >>> everything looks good, but in production we are facing a connection
> > > > >>> timeout issue with the mina version 2.0.23.
> > > > >>> For connection set up it was taking 10-20 milliseconds (less than a
> > > > >>> second) with the old version (2.0.21).
> > > > >>> With the new version, even after 40 seconds the connection was timed
> > > > >>> out.
> > > > >>>
> > > > >>> We use the same NioSocketConnector instance for opening 100
> > > > >>> parallel connections.
> > > > >>>
> > > > >>> *Question:*
> > > > >>> *My query is why it is taking more than 40 seconds for opening
> > > > >>> the socket with the new version?*
> > > > >>>
> > > > >>> We are not using https communication.
> > > > >>>
> > > > >>> *Could you please suggest a work around.*
> > > > >>>
> > > > >>> What's happening in the below code is that mina times out after 40
> > > > >>> seconds, and also the IO session has been created using a state
> > > > >>> machine in separate threads; both are running in two parallel
> > > > >>> threads. This issue is not seen with the mina 2.0.21 version.
> > > > >>>
> > > > >>> *Here is the code snippet.*
> > > > >>>
> > > > >>> private static final ExecutorFilter executorFilter = new ExecutorFilter(16, 32);
> > > > >>>
> > > > >>> StateMachine stateMachine =
> > > > >>>         StateMachineFactory.getInstance(IoHandlerTransition.class).create(
> > > > >>>                 G10MinaClient.CONNECTED, new G10MinaClient(processor));
> > > > >>>
> > > > >>> IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
> > > > >>>         new IoSessionStateContextLookup(new StateContextFactory() {
> > > > >>>             @Override
> > > > >>>             public StateContext create() {
> > > > >>>                 final G10StateContext stateContext = new G10StateContext();
> > > > >>>                 stateContext.setStartedTime(new Date());
> > > > >>>                 return stateContext;
> > > > >>>             }
> > > > >>>         })).create(IoHandler.class, stateMachine);
> > > > >>>
> > > > >>> NioSocketConnector connector = new NioSocketConnector();
> > > > >>> connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
> > > > >>> connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
> > > > >>> connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
> > > > >>> connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
> > > > >>> connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
> > > > >>> connector.setHandler(ioHandler);
> > > > >>> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
> > > > >>> // MINA_CLOSE_TIMEOUT is 40 seconds
> > > > >>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT)) {
> > > > >>>     if (handleIOException(searchExpression, captureHandler)) {
> > > > >>>         return;
> > > > >>>     }
> > > > >>>     LOG.info("{} Apache mina connection setup time out happened.",
> > > > >>>             handleConnectionFailed(primaryAddress, captureHandler,
> > > > >>>                     "Primary IP connection timeout"));
> > > > >>>     return;
> > > > >>> }
> > > > >>> Regards,
> > > > >>> M.V.S.Kishore
> > > > >>> 91-9886412814
> > > > >>>
> > > > >>
> > > > >> --
> > > > >> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > > > >> T. +33 (0)4 89 97 36 50
> > > > >> P. +33 (0)6 08 33 32 61
> > > > >> emmanuel.lecha...@busit.com https://www.busit.com/
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >
> > > >
> > > >
> > >
> >
>
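Putting together the approach the thread settles on (override createEngine and hand it an unresolved host/port), the following is an added example, not code from the thread or from MINA; the class name, the SNI_HOST/SNI_PORT attribute keys and the setSniTarget helper are chosen here, and it assumes the base SslFilter.createEngine(IoSession, InetSocketAddress) creates the engine for the address it is given, as the linked 2.2 source does. Besides sending the SNI name, it enables endpoint identification so the server certificate is checked against that name and not only against the trust chain.

```java
import java.net.InetSocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.mina.core.session.AttributeKey;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

// Assumed names: SniSslFilter, SNI_HOST, SNI_PORT and setSniTarget are chosen for this
// example; they are not part of MINA.
public class SniSslFilter extends SslFilter {
    public static final AttributeKey SNI_HOST = new AttributeKey(SniSslFilter.class, "sniHost");
    public static final AttributeKey SNI_PORT = new AttributeKey(SniSslFilter.class, "sniPort");

    public SniSslFilter(SSLContext sslContext) {
        super(sslContext);
    }

    // Call this from the IoSessionInitializer, before the filter creates the session's engine.
    public static void setSniTarget(IoSession session, String host, int port) {
        session.setAttribute(SNI_HOST, host);
        session.setAttribute(SNI_PORT, port);
    }

    @Override
    protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
        String host = (String) session.getAttribute(SNI_HOST);
        Integer port = (Integer) session.getAttribute(SNI_PORT);
        InetSocketAddress peer = addr;
        if (host != null && port != null) {
            // Unresolved on purpose: the name is for SNI and session caching, not for connecting.
            peer = InetSocketAddress.createUnresolved(host, port);
        }
        // The base filter creates the engine for that peer and applies client mode, cipher
        // suites and protocols exactly as it does for the address MINA supplies.
        SSLEngine engine = super.createEngine(session, peer);
        if (host != null && engine.getUseClientMode()) {
            SSLParameters params = engine.getSSLParameters();
            // Send the SNI name explicitly instead of relying on the peer-host heuristic.
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            // Verify the server certificate against that name; a certificate that chains
            // to a trusted CA but names a different host is then rejected.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }
}
```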
