Re: Adding SSLFilter on the fly

Fri, 12 Jan 2007 01:33:08 -0800 

Hi
Anyone got any idea as to how I could solve the issue I describe below? The MINA integration into FtpServer is not full functional, except for the SSL support :-/ 

Thanks!

/niklas


Niklas Gustavsson wrote:

Hi


I'm trying to integrate MINA with Apache FtpServer, basically base 
FtpServer's socket handling on MINA. So far it's been a great 
experience. However, I just got stuck. It might very likely be an 
error on my side but I need some pointers :-)



The FTP AUTH command is sent by a client to tell the server that it 
wants to secure the FTP control socket with SSL. The flow is like this:


1. Client sends "AUTH TLS"
2. Server sends "234 Command AUTH okay; starting TLS connection."
3. Server secures the socket
4. Next client call is over the secure socket


Now, to implement this I add a SSLFilter at step 3. However, I seem to 
run into a condition where the response sent at step 2 sometimes end 
up in the, not yet initialized, SSLFilter. This results in:

java.lang.IllegalStateException

    at 
org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
    at 
org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain..java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559) 

    at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43) 


    at java.lang.Thread.run(Thread.java:595)



 From my understanding, the response should already has been sent to 
the client but that seems not to be the case. The response (step 2) is 
sent as:

session.write(response).join();


Shouldn't the join() make that call wait until the write is completely 
done? If not, how would I otherwise ensure that the response has been 
sent before I add the SSL filter?


The full trace is attached.

Thanks!
/niklas


------------------------------------------------------------------------

Server ready :: Apache FTP Server
------- Apache FTP Server started ------
[/127.0.0.1:2291] CREATED
Launching thread for /127.0.0.1:2291
[/127.0.0.1:2291] OPENED
[/127.0.0.1:2291] WRITE: 220 Service ready for new user.

< 220 Service ready for new user.

AUTH TLS

AUTH TLS

AUTH TLS

[/127.0.0.1:2291] RECEIVED: AUTH TLS
[/127.0.0.1:2291] WRITE: 234 Command AUTH okay; starting TLS connection.

< 220 Service ready for new user.
234 Command AUTH okay; starting TLS connection.
[/127.0.0.1:2291]  doHandshake()
[/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
[/127.0.0.1:2291]  unwrapHandshake()

[/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 
lim=0 cap=16665]
[/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 
lim=33330 cap=33330]
[/127.0.0.1:2291]  Unwrap res:Status = BUFFER_UNDERFLOW 
HandshakeStatus = NEED_UNWRAP

bytesConsumed = 0 bytesProduced = 0
[EMAIL PROTECTED]
[/127.0.0.1:2291] SENT: 220 Service ready for new user.

[/127.0.0.1:2291] SENT: 234 Command AUTH okay; starting TLS connection.

[/127.0.0.1:2291] EXCEPTION:
java.lang.IllegalStateException

    at 
org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
    at 
org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559) 

    at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43) 


    at java.lang.Thread.run(Thread.java:595)
[/127.0.0.1:2291] CLOSE

[/127.0.0.1:2291]  write outNetBuffer: java.nio.DirectByteBuffer[pos=0 
lim=7 cap=16665]
[/127.0.0.1:2291]  session write: DirectBuffer[pos=0 lim=7 cap=8: 15 
03 01 00 02 01 00]
[/127.0.0.1:2291]  Data Read: 
[EMAIL PROTECTED] (DirectBuffer[pos=0 
lim=7 cap=8192: 15 03 01 00 02 02 0A])

[/127.0.0.1:2291]  doHandshake()
[/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
[/127.0.0.1:2291]  unwrapHandshake()

[/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 
lim=7 cap=16665]
[/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 
lim=33330 cap=33330]

[/127.0.0.1:2291] Unexpected exception from SSLEngine.closeInbound().

javax.net.ssl.SSLException: Inbound closed before receiving peer's 
close_notify: possible truncation attack?
    at 
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1259) 

    at 
org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)

    at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:358)

    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:599) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:313) 

    at 
org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:271) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:225) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:563) 

    at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43) 


    at java.lang.Thread.run(Thread.java:595)
[/127.0.0.1:2291] EXCEPTION:
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.

    at 
org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:424)
    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362) 

    at 
org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44) 

    at 
org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559) 

    at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43) 


    at java.lang.Thread.run(Thread.java:595)

Caused by: javax.net.ssl.SSLException: Received fatal alert: 
unexpected_message
    at 
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482) 

    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957) 

    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782) 

    at 
com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)

    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)

    at 
org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677) 

    at 
org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
    at 
org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293) 

    at 
org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)

    ... 12 more
[/127.0.0.1:2291] CLOSED
Exiting since queue is empty for /127.0.0.1:2291


















    











					Reply via email to