[ https://issues.apache.org/jira/browse/DIRMINA-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934508#comment-17934508 ]
Eissam Yassin commented on DIRMINA-1186:
----------------------------------------

Hello [~elecharny]

We are facing the same problem after upgrading from 2.2.1 to 2.2.4; we are rolling back to 2.2.1.

You wrote "or rollback to 2.2.3 for the SslFilter part, but keep the CVE fix from 2.2.4, waiting for the previous option."

What do you mean by "keep the CVE fix from 2.2.4"?

Thanks,
Eissam Yassin

> 2.2.4 release causes some failure during TLS message exchanges
> --------------------------------------------------------------
>
>                 Key: DIRMINA-1186
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1186
>             Project: MINA
>          Issue Type: Bug
>    Affects Versions: 2.2.4
>            Reporter: Emmanuel Lécharny
>            Priority: Blocker
>             Fix For: 2.2.5
>
>
> When sending big messages in Apache Directory Server (above the 16K TLS
> packet limit), we get some error, like this one:
> {code:java}
> javax.net.ssl|SEVERE|12|NioProcessor-2|2025-02-13 05:05:37.219 CET|TransportContext.java:316|Fatal (BAD_RECORD_MAC): Tag mismatch! (
> "throwable" : {
>   javax.crypto.AEADBadTagException: Tag mismatch!
>     at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
>     at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
>     at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
>     at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
>     at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
>     at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
>     at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
>     at javax.crypto.Cipher.doFinal(Cipher.java:2463)
>     at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1606)
>     at sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>     at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>     at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
>     at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:575)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:531)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:398)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:377)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:250)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_loop(SSLHandlerG1.java:311)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive_start(SSLHandlerG1.java:201)
>     at org.apache.mina.filter.ssl.SSLHandlerG1.receive(SSLHandlerG1.java:179)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:441)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)}
> )
> {code}
> This never happens in 2.2.2 or 2.2.3. I think a regression has been
> introduced in the rewritten SslFilter and the associated classes.