Great!
If you don't mind, I'd like to use this piece of code to document the
2.0 -> 2.2 mogration.
Just let me know if it's OK with you !
Thanks!
On 17/04/2023 13:04, Kishore Mokkarala wrote:
Thank you all for the help.Here is my SSL implementation for making it work
with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
public class CustomSslFilter {
public CustomSslFilter(SSLContext sslContext) {
super(sslContext);
}
//Override CreateEngine
protected SSLEngine createEngine(IoSession session, InetSocketAddress
addr) {
//Add your SNI host name and port in the IOSession
SNIHostNames = (String)session.getAttribute( SNIHostNames );
PortNumber = (String)session.getAttribute( PortNumber );
InetSocketAddress peer =
InetSocketAddress.createUnresolved(SNIHostNames,PortNumber);
SSLEngine sslEngine = (addr != null) ?
sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
: sslContext.createSSLEngine();
// Always start with WANT, which will be squashed by NEED if NEED is
true.
// Actually, it makes not a lot of sense to select NEED and WANT.
NEED >> WANT...
if (wantClientAuth) {
sslEngine.setWantClientAuth(true);
}
if (needClientAuth) {
sslEngine.setNeedClientAuth(true);
}
if (enabledCipherSuites != null) {
sslEngine.setEnabledCipherSuites(enabledCipherSuites);
}
if (enabledProtocols != null) {
sslEngine.setEnabledProtocols(enabledProtocols);
}
sslEngine.setUseClientMode(!session.isServer());
return sslEngine;
}
}
IoSessionInitializer<ConnectFuture> initializer = new
IoSessionInitializer<ConnectFuture>() {
@Override
public void initializeSession(IoSession session, ConnectFuture
future) {
session.setAttribute( SNIHostNames , "example.com");
session.setAttribute( PortNumber , 8443);
}
};
try {
NioSocketConnector connector = getConnector();
ioSession = connector.connect(address,
initializer).awaitUninterruptibly().getSession();
} catch (RuntimeIoException eio) {
initializationException = eio;
}
------------------------------------------
M.V.S.Kishore
91-9886412814
On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <john...@apache.org> wrote:
Looking at the code for your existing filter it appears like you’re just
trying to create the SSLEngine so it can be reused for subsequent
connections by passing in the IP address and Port?
This is already a feature in the new filter.
https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
If you want to perform any customization during the SSL Engine setup, just
override createEngine
On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore....@gmail.com>
wrote:
Currently we are using the following custom SSL filter for passing SNI
host
name. For doing this we are using PEER_ADDRESS.
This was available in apache mina 2.0.21 SslHandler.java,but this
attribute
is not available in 2.2.10.
This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address
to
which it connects ,but this information is needed for the destination
server.
*Existing implementation : *
SslFilter sslFilter;
try {
SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
* sslFilter = new CustomSslFilter(sslContext); //passing * *PEER_ADDRESS
in overridden onPreAdd*.
sslFilter.setUseClientMode(true);
connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
e.printStackTrace();
LOG.error("Exception during creating SSL context..." +
XError.getStackTrace(e));
}
connector.setHandler(ioHandler);
*CustomSslFilter.java:*
public class CustomSslFilter extends SslFilter
{
public CustomSslFilter(SSLContext sslContext) {
super(sslContext, true);
}
@Override
public void onPreAdd(IoFilterChain parent, String name,
NextFilter nextFilter) throws SSLException {
// Check that we don't have a SSL filter already present in the
chain
if (parent.contains(SslFilter.class)) {
String msg = "Only one SSL filter is permitted in a chain.";
LOGGER.error(msg);
throw new IllegalStateException(msg);
}
IoSession session = parent.getSession();
Provider provider =
(Provider)session.getAttribute(G10MinaClient.PROVIDER_KEY);
InetSocketAddress probeAddress =
InetSocketAddress.createUnresolved(
*eid.17.cid.0*,Integer.parseInt(provider.getProbe().getPortNumber()));
session.setAttribute(PEER_ADDRESS, probeAddress);
super.onPreAdd(parent, name, nextFilter);
}
}
We are planning to migrate from 2.0.21 to 2.2.10. Here is the changes I
did
but it is not working.Please do the needful.
*Question:*
How to pass this sni host name for creating SSLEngine?
*Here is the new implementation changed as per new Mina 2.2.10 API:*
try{
sslContext = javax.net.ssl.SSLContext.getDefault();
SNIServerName sniHostName = new SNIHostName("*eid.17.cid.0*");
List<SNIServerName> sniHostNames = new ArrayList<>();
sniHostNames.add(sniHostName);
SSLParameters sslParams = sslContext.getDefaultSSLParameters();
sslParams.setServerNames(sniHostNames);
sslFilter = new SslFilter(sslContext);
//sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence
commented.
connector.getFilterChain().addFirst("sslFilter", sslFilter);
} catch (Exception e) {
e.printStackTrace();
LOG.error("Exception during creating SSL context..." +
XError.getStackTrace(e));
}
connector.setHandler(ioHandler);
Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code
:
/* no qualifier */void init() throws SSLException {
if (sslEngine != null) {
// We already have a SSL engine created, no need to create a
new one
return;
}
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("{} Initializing the SSL Handler",
sslFilter.getSessionInfo(session));
}
InetSocketAddress peer = (InetSocketAddress)
session.getAttribute(SslFilter.PEER_ADDRESS);
// Create the SSL engine here
if (peer == null) {
sslEngine = sslFilter.sslContext.createSSLEngine();
} else {
sslEngine =
sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
}
// Initialize the engine in client mode if necessary
sslEngine.setUseClientMode(sslFilter.isUseClientMode());
Regards,
------------------------------------------
M.V.S.Kishore
91-9886412814
On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <elecha...@gmail.com>
wrote:
Hi,
On 12/04/2023 18:00, Kishore Mokkarala wrote:
Thanks Emmanuel for the quick response.I have few more questions on
the
upgrade.Please do the needful.
If i want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all
steps
do i need to follow ?
There are two pages that explains the diffence between 2.0 and 2.1, and
2. and 2.2:
* https://mina.apache.org/mina-project/2.1-vs-2.0.html
* https://mina.apache.org/mina-project/2.2-vs-2.1.html
The 2.1 vs 2.0 difference is mainly about the way we detect a secured
session. It's pretty trivial.
The 2.2. vs 2.1 migration is a bit more complicated, *if* you were
using
startTLS.
Otherwise, it's pretty straightforward.
ALso note that teh SSL handler has been completeley reworked in 2.2.
Is it just a jar file change in the classpath or do i need to do
any
more
changes ?
It should be just about changing the jar.
Also we are also using https for communication ? in this case what
all
changes are needed ?
Nothing, AFAICT.
I have seen there is a change the way we pass the SNI host name in
2.0.21
vs 2.2.1 ?
Hmmm, not that I remeber. Do you have any pointer?
First of all is it recommended to migrate from 2.0.21 to mina 2.2.1
?
Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
branch is clearly the one we maintain.
will the state machine work without doing any changes ?
It should not have changed.
Hope it helps.
Regards,
------------------------------------------
M.V.S.Kishore
On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecha...@gmail.com
wrote:
Hi,
Mina 2.0 branch is pretty old (5 years) and we have made significant
changes in the 2.1 and more important the 2.2 branches. You should
seriously consider migrating to 2.2. That being said:
- 40 seconds to do whatever that was taking a few milliseconds
snounds
like a major regression, aka bug.
- If you weren't using the HTTP part of MINA, migrating to 2.0.23
makes
little sense. The CVE only impacts the HTTP decoder. In other words,
if
it's working, don't break it...
- We don't have enough context to tell you what could go wrong in
your
code. If you provide some piece of code we can run, we can
investigate,
otherwise it's like shouting in the dark... Typically, we have no
clue
about what the gpbMessageFilter does.
On 10/04/2023 13:37, Kishore Mokkarala wrote:
Hi,
There was a security vulnerability in mina 2.0.21,So we were
migrated
from apache mina 2.0.21 to 2.0.23,locally in the dev environment
everything
looks good, but in production we are facing connection timeout
issue
with
the mina version 2.0.23.
For connection set up it was taking 10-20 milliseconds (less than a
second)
with the old version (2.0.21).
With the new version even after 40 seconds connection was timed
out.
We use the same NioSocketConnector instance for opening 100
parallel connections.
*Question:*
*My query is why it is taking more time more than 40 seconds for
opening
the socket with the new version ?*
We are not using https communication.
*Could you please suggest a work around.*
What's happening in the below code is mina is time out after 40
seconds
and
also IO session has been created using state machine in separate
threads,both are running in two parallel threads,This issue is not
seen
with the mina 2.0.21 version.
*Here is the code snippet.*
private static final ExecutorFilter executorFilter = new
ExecutorFilter(16,32);
StateMachine stateMachine =
StateMachineFactory.getInstance(IoHandlerTransition.class).create(
G10MinaClient.CONNECTED, new
G10MinaClient(processor));
IoHandler ioHandler = new
StateMachineProxyBuilder().setStateContextLookup(
new IoSessionStateContextLookup(new
StateContextFactory() {
@Override
public StateContext create() {
final G10StateContext stateContext = new
G10StateContext();
stateContext.setStartedTime(new Date());
return stateContext;
}
})).create(IoHandler.class, stateMachine);
NioSocketConnector connector = new NioSocketConnector();
connector.getFilterChain().addLast("LoggingFilter",
G10CaptureService.loggingFilter);
connector.getFilterChain().addLast("codecFilter",
G10CaptureService.probeCodecFilter);
connector.getFilterChain().addLast("executorFilter",
G10CaptureService.executorFilter);
connector.getFilterChain().addLast("gpbMessageFilter",
G10CaptureService.gpbMessageFilter);
connector.getFilterChain().addLast("keepAliveFilter",
G10CaptureService.keepAliveFilter);
connector.setHandler(ioHandler);
ConnectFuture primaryConnectFuture =
connector.connect(primaryAddress,
initializer);
if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
//MINA_CLOSE_TIMEOUT is 40 seconds
{
if (handleIOException(searchExpression,
captureHandler)) {
return;
}
LOG.info("{} Apache mina connection setup
time
out
happend.",
handleConnectionFailed(primaryAddress,
captureHandler,
"Primary IP connection timeout");
return;
}
Regards,
M.V.S.Kishore
91-9886412814
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
For additional commands, e-mail: users-h...@mina.apache.org
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
For additional commands, e-mail: users-h...@mina.apache.org
