Benoit Tellier created JAMES-3741:
-------------------------------------
Summary: SSL: sporadic new connection failure under load
Key: JAMES-3741
URL: https://issues.apache.org/jira/browse/JAMES-3741
Project: James Server
Issue Type: Improvement
Components: IMAPServer, POP3Server, SMTPServer
Affects Versions: 3.7.0
Reporter: Benoit Tellier
Fix For: master
Exception seen on 3.7.x... Context performance tests with several new SSL
connections opened per seconds (high concurrency).
{code:java}
21:34:28.460 [WARN ] o.a.j.i.n.ImapChannelUpstreamHandler - Error while
processing imap request
javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher
fragment (2). Needs to be more than tag size (16)
at
java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1894)
at
java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
at
java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
at
java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
... 24 common frames omitted
{code}
Can be reliably reproduced by opening many new SSL connections concurrently:
{code:java}
@Nested
class Toto {
IMAPServer imapServer;
int port;
@BeforeEach
void setup() throws Exception {
HierarchicalConfiguration<ImmutableNode> config =
ConfigLoader.getConfig(ClassLoaderUtils.getSystemResourceAsSharedStream("imapSSL.xml"));
imapServer = createImapServer(config);
port = imapServer.getListenAddresses().get(0).getPort();
}
@AfterEach
void tearDown() {
if (imapServer != null) {
imapServer.destroy();
}
}
@Test
void test() throws Exception {
ConcurrentTestRunner.builder()
.operation((a, b) -> {
IMAPSClient imapsClient = imapsImplicitClient(port);
final boolean capability = imapsClient.capability();
assertThat(capability).isTrue();
final boolean close = imapsClient.close();
})
.threadCount(10)
.operationCount(3000)
.runSuccessfullyWithin(Duration.ofMinutes(10));
}
private IMAPSClient imapsImplicitClient(int port) throws Exception {
IMAPSClient client = new IMAPSClient(true,
BogusSslContextFactory.getClientContext());
client.setTrustManager(BogusTrustManagerFactory.getTrustManagers()[0]);
client.connect("127.0.0.1", port);
return client;
}
}
{code}
and `imapSSL.xml` being:
{code:java}
<imapserver enabled="true">
<jmxName>imapserver</jmxName>
<bind>0.0.0.0:9993</bind>
<tls socketTLS="true" startTLS="false">
<privateKey>private.key</privateKey>
<certificates>certs.self-signed.csr</certificates>
<secret>123456</secret>
</tls>
<auth>
<plainAuthEnabled>true</plainAuthEnabled>
<requireSSL>true</requireSSL>
</auth>
</imapserver>
{code}
Interestingly enough the Netty4 migration post 3.7.x fixed the issue.
Thus it will be fixed in later releases yet it seemed interesting to me to
document the issue.
I propose to add a non-regression test on master.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
