[ https://issues.apache.org/jira/browse/JAMES-3741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier updated JAMES-3741:
----------------------------------
    Summary: SSL: sporadic failure of new connection failure under load in 3.7.x  (was: SSL: sporadic new connection failure under load)

> SSL: sporadic failure of new connection failure under load in 3.7.x
> -------------------------------------------------------------------
>
>                 Key: JAMES-3741
>                 URL: https://issues.apache.org/jira/browse/JAMES-3741
>             Project: James Server
>          Issue Type: Improvement
>          Components: IMAPServer, POP3Server, SMTPServer
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: master
>
>
> Exception seen on 3.7.x... Context: performance tests with several new SSL
> connections opened per second (high concurrency).
> {code:java}
> 21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
> javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
>     at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1894)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>     at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
>     ... 24 common frames omitted
> {code}
> Can be reliably reproduced by opening many new SSL connections concurrently:
> {code:java}
>     @Nested
>     class Toto {
>         IMAPServer imapServer;
>         int port;
>
>         @BeforeEach
>         void setup() throws Exception {
>             HierarchicalConfiguration<ImmutableNode> config =
>                 ConfigLoader.getConfig(ClassLoaderUtils.getSystemResourceAsSharedStream("imapSSL.xml"));
>             imapServer = createImapServer(config);
>             port = imapServer.getListenAddresses().get(0).getPort();
>         }
>
>         @AfterEach
>         void tearDown() {
>             if (imapServer != null) {
>                 imapServer.destroy();
>             }
>         }
>
>         @Test
>         void test() throws Exception {
>             // 10 threads x 3000 operations, each opening a fresh implicit-TLS connection
>             ConcurrentTestRunner.builder()
>                 .operation((a, b) -> {
>                     IMAPSClient imapsClient = imapsImplicitClient(port);
>                     final boolean capability = imapsClient.capability();
>                     assertThat(capability).isTrue();
>                     final boolean close = imapsClient.close();
>                 })
>                 .threadCount(10)
>                 .operationCount(3000)
>                 .runSuccessfullyWithin(Duration.ofMinutes(10));
>         }
>
>         // Test-only client: trusts any certificate via the Bogus* test helpers
>         private IMAPSClient imapsImplicitClient(int port) throws Exception {
>             IMAPSClient client = new IMAPSClient(true, BogusSslContextFactory.getClientContext());
>             client.setTrustManager(BogusTrustManagerFactory.getTrustManagers()[0]);
>             client.connect("127.0.0.1", port);
>             return client;
>         }
>     }
> {code}
> and `imapSSL.xml` being:
> {code:java}
> <imapserver enabled="true">
>     <jmxName>imapserver</jmxName>
>     <bind>0.0.0.0:9993</bind>
>     <tls socketTLS="true" startTLS="false">
>         <privateKey>private.key</privateKey>
>         <certificates>certs.self-signed.csr</certificates>
>         <secret>123456</secret>
>     </tls>
>     <auth>
>         <plainAuthEnabled>true</plainAuthEnabled>
>         <requireSSL>true</requireSSL>
>     </auth>
> </imapserver>
> {code}
> Interestingly enough, the Netty4 migration post 3.7.x fixed the issue.
> Thus it will be fixed in later releases, yet it seemed interesting to me to
> document the issue.
> I propose to add a non-regression test on master.
--
This message was sent by Atlassian Jira (v8.20.1#820001)
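
An added example, not part of the original message or of the James code base: a Python log triage that finds the exception reported above in James logs and counts occurrences per second, so an operator can check whether a 3.7.x deployment hits it during bursts of new TLS connections. The log layout is assumed from the single event quoted in the report, and the sample lines are constructed.

```python
import re
from collections import Counter

# Event header in the layout quoted in the report: "HH:MM:SS.mmm [LEVEL] logger - message"
EVENT = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d{3} \[(\w+)\s*\] (\S+) - (.*)$")
# Exception line from the report; captures the fragment length and the AEAD tag size.
AEAD = re.compile(r"javax\.crypto\.BadPaddingException: Insufficient buffer remaining "
                  r"for AEAD cipher fragment \((\d+)\)\. Needs to be more than tag size \((\d+)\)")

def find_aead_failures(lines):
    """Return one dict per log event whose body carries the AEAD BadPaddingException."""
    hits, current = [], None
    for line in lines:
        head = EVENT.match(line)
        if head:
            current = {"second": head.group(1), "level": head.group(2), "logger": head.group(3)}
            body = head.group(4)
        else:
            body = line  # continuation line (exception or stack frame) of the current event
        found = AEAD.search(body)
        # Ignore matches with no preceding header, and count each event only once.
        if found and current is not None and "fragment" not in current:
            current["fragment"] = int(found.group(1))
            current["tag_size"] = int(found.group(2))
            hits.append(current)
    return hits

def failures_per_second(hits):
    """Bucket failures by wall-clock second to line them up with connection bursts."""
    return Counter(hit["second"] for hit in hits)

# Constructed sample: the first event repeats the text in the report, the rest is invented.
SAMPLE_LOG = """\
21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
\tat java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
21:34:28.702 [INFO ] o.a.j.i.n.ImapChannelUpstreamHandler - Connection established
21:34:28.911 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
21:34:29.015 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
java.io.IOException: Connection reset by peer
""".splitlines()

if __name__ == "__main__":
    for second, count in sorted(failures_per_second(find_aead_failures(SAMPLE_LOG)).items()):
        print(second, count)
```
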