Benoit Tellier created JAMES-3741:
-------------------------------------

             Summary: SSL: sporadic new connection failure under load
                 Key: JAMES-3741
                 URL: https://issues.apache.org/jira/browse/JAMES-3741
             Project: James Server
          Issue Type: Improvement
          Components: IMAPServer, POP3Server, SMTPServer
    Affects Versions: 3.7.0
            Reporter: Benoit Tellier
             Fix For: master

Exception seen on 3.7.x...

Context: performance tests with several new SSL connections opened per second (high concurrency).

{code:java}
21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
    at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1894)
    at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
    at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
    at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    ... 24 common frames omitted
{code}

Can be reliably reproduced by opening many new SSL connections concurrently:

{code:java}
@Nested
class Toto {
    IMAPServer imapServer;
    int port;

    @BeforeEach
    void setup() throws Exception {
        // createImapServer(...) is defined outside this snippet
        HierarchicalConfiguration<ImmutableNode> config = ConfigLoader.getConfig(ClassLoaderUtils.getSystemResourceAsSharedStream("imapSSL.xml"));
        imapServer = createImapServer(config);
        port = imapServer.getListenAddresses().get(0).getPort();
    }

    @AfterEach
    void tearDown() {
        if (imapServer != null) {
            imapServer.destroy();
        }
    }

    @Test
    void test() throws Exception {
        // 10 threads x 3000 operations, each opening a fresh implicit-TLS connection
        ConcurrentTestRunner.builder()
            .operation((a, b) -> {
                IMAPSClient imapsClient = imapsImplicitClient(port);
                final boolean capability = imapsClient.capability();
                assertThat(capability).isTrue();
                final boolean close = imapsClient.close();
            })
            .threadCount(10)
            .operationCount(3000)
            .runSuccessfullyWithin(Duration.ofMinutes(10));
    }

    // Implicit TLS client (first constructor argument: true) using the test-only trust manager
    private IMAPSClient imapsImplicitClient(int port) throws Exception {
        IMAPSClient client = new IMAPSClient(true, BogusSslContextFactory.getClientContext());
        client.setTrustManager(BogusTrustManagerFactory.getTrustManagers()[0]);
        client.connect("127.0.0.1", port);
        return client;
    }
}
{code}

and `imapSSL.xml` being:

{code:xml}
<imapserver enabled="true">
    <jmxName>imapserver</jmxName>
    <bind>0.0.0.0:9993</bind>
    <tls socketTLS="true" startTLS="false">
        <privateKey>private.key</privateKey>
        <certificates>certs.self-signed.csr</certificates>
        <secret>123456</secret>
    </tls>
    <auth>
        <plainAuthEnabled>true</plainAuthEnabled>
        <requireSSL>true</requireSSL>
    </auth>
</imapserver>
{code}

Interestingly enough, the Netty4 migration post 3.7.x fixed the issue. Thus it will be fixed in later releases, yet it seemed interesting to me to document the issue.

I propose to add a non-regression test on master.