[jruby-dev] [jira] (JRUBY-6975) SSLSocket handshake never completes with bad clients, can block entire thread forever

Sun, 28 Oct 2012 13:08:18 -0700

Issue Type: Bug Bug
Affects Versions: JRuby 1.7.0.RC2, JRuby 1.6.7
Assignee: Unassigned
Components: OpenSSL, Ruby 1.9.3
Created: 28/Oct/12 3:06 PM
Description:

I would expect this code to output "accepted socket", but instead it hangs on the non-SSL connection attempt forever. Removing the TCPSocket line results in "accepted socket".

This is obviously problematic for anyone using the default SSLServer - one bad client can hang entire server because the handshake takes place in the listen loop.

In my case, I've moved the handshake into my server's worker threads, but even then the individual worker thread will hang forever without something in place to time out the handshake.

SSL_Handshake_Bug.rb
require 'socket'
require 'openssl'

host = "127.0.0.1"
port = 9988

ssl_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQCvF80yn6D+kqGwMSQHcpHUwCRt+c39Qoy99fCWdenPthfUscec\ny62Ij8+rKYCnoE9y766a5baowdDKqq3IBOZn2Ove3zfueGbHAbWehFopG2xySf0U\nPjdmWk+DRDlCeFLig6xfAnOKWo+N0MViso3dNK8gYzb6FWqlWgZgAcMpswIDAQAB\nAoGAHv/UyZivdULas4oPue3T2dnm2T239ZXZuywW21ym96pij7ql/6Gj6KClgMVJ\nTOQ6DLxYqn3vF/OwlqEfQWF0tTUYY+xNbEDE1YsbrS5/FSzbaEYYOHzRl/vMmnsf\naNgYaSjOIecin7L71Wzq0piMIxg8BLb6IVECBku9EQNzxuECQQDZsbRgg1XZGj+r\nXAu/qXTNKQ/r7k+iPN5bXON6ApBomG+4Q7VVITL3tkGzLOphRZ37Q28FrN4B4gtC\nXb9il5lDAkEAzecTSopPi2VdcME4WWmwn1rbTp/jJNt4dGZLsNfj9RejVDd32i/L\nP7wCpoPDaaVcoF2HgvCs39qatyVg6ecu0QJBALN4q+q9nDMGTuNpWU5D2EWjyrqJ\nmCF66R6NcASQxJlWwxQ4zfBHFIvgOD4Nk5VqHZqet5MIN2d6AipOu4/+x50CQHDp\njf+rd1GHBcXGf8MwnUXWCjvEnEhi/lw+mLVivsRx8QRG4rfIy9monX949Flj8DaU\n87IPj422kG9s1QeP2nECQQCkg+RUcoQm7SiM8OXuXNeHQlvQNp65geFRxzKAXxT/\n+1Mbtwnd3AXXZBekFDDpE9U3ZQjahoe7oc1oUBuw5hXL\n-----END RSA PRIVATE KEY-----\n"
ssl_cert = "-----BEGIN CERTIFICATE-----\nMIIC/jCCAeagAwIBAgIBAjANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJVUzEO\nMAwGA1UECgwFbG9jYWwxDTALBgNVBAsMBGFlcm8xCzAJBgNVBAMMAkNBMB4XDTEy\nMDExNDAwMjcyN1oXDTEzMDExMzAwMjcyN1owSDELMAkGA1UEBhMCVVMxDjAMBgNV\nBAoMBWxvY2FsMQ0wCwYDVQQLDARhZXJvMQswCQYDVQQLDAJDQTENMAsGA1UEAwwE\ncHVtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArxfNMp+g/pKhsDEkB3KR\n1MAkbfnN/UKMvfXwlnXpz7YX1LHHnMutiI/PqymAp6BPcu+umuW2qMHQyqqtyATm\nZ9jr3t837nhmxwG1noRaKRtsckn9FD43ZlpPg0Q5QnhS4oOsXwJzilqPjdDFYrKN\n3TSvIGM2+hVqpVoGYAHDKbMCAwEAAaOBhTCBgjAMBgNVHRMBAf8EAjAAMDEGCWCG\nSAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G\nA1UdDgQWBBTyDyJlmYBDwfWdRj6lWGvoY43k9DALBgNVHQ8EBAMCBaAwEwYDVR0l\nBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIbBVfoVCG8RyVesPW+q\n5i0wAMbHZ1fwv1RKp17c68DYDs0YYPi0bA0ss8AgpU6thWmskxPiFaE6D5x8iv9f\nzkcHxgr1Mrbx6RLx9tLUVehSmRv3aiVO4k9Mp6vf+rJK1AYeaGBmvoqTBLwy7Jrt\nytKMdqMJj5jKWkWgEGgTnjzbcOClmCQab9isigIzTxMyC/LjeKZe8pPeVX6OM8bY\ny8XGZp9B7uwdPzqt/g25IzTC0KsQwq8cB0raAtZzIyTNv42zcUjmQNVazAozCTcq\nMsEtK2z7TYBC3udTsdyS2qVqCpsk7IMOBGrw8vk4SNhO+coiDObW2K/HNvhl0tZC\noQI=\n-----END CERTIFICATE-----"

ctx = OpenSSL::SSL::SSLContext.new
ctx.key = OpenSSL::PKey::RSA.new ssl_key
ctx.cert = OpenSSL::X509::Certificate.new ssl_cert
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

server = TCPServer.new(host, port)
@ssl_server = OpenSSL::SSL::SSLServer.new(server, ctx)
listen_loop = Thread.new do
  loop do
    ios = IO.select [@ssl_server]
    ios.first.each do |sock|
      sock.accept
      puts 'accepted socket'
    end
  end
end

Thread.new{TCPSocket.new host, port}
sleep 2
OpenSSL::SSL::SSLSocket.new(TCPSocket.new host, port).connect

listen_loop.join
Project: JRuby
Priority: Major Major
Reporter: Ben Porterfield
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email

Reply via email to