[ https://issues.apache.org/jira/browse/QPID-5892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14060080#comment-14060080 ]
Keith Wall edited comment on QPID-5892 at 7/13/14 10:54 AM:
------------------------------------------------------------
The race condition is between the IOReceiver thread and the Main thread.
In the unlucky case, the Main thread yields (SSLSender#send) after getting a
NEED_UNWRAP, but before acquiring the sslLock. Meanwhile the IOReceiver thread
receives the "Received fatal alert: bad_certificate" exception from the Engine
and sets the sslErrorFlag. When the Main thread awakes, it begins to wait,
but no notify will come. The wait times out and goes on to generate the
spurious timeout, masking the (useful) true cause (bad certificate).
Checking the sslErrorFlag after acquiring the lock should resolve this issue.
{noformat}
IoReceiver - localhost/127.0.0.1:15671 2014-07-12 11:23:38,475 ERROR [network.security.ssl.SSLReceiver] Error caught in SSLReceiver
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1756)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1060)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:884)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.qpid.transport.network.security.ssl.SSLReceiver.received(SSLReceiver.java:102)
at org.apache.qpid.transport.network.security.ssl.SSLReceiver.received(SSLReceiver.java:35)
at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:161)
at java.lang.Thread.run(Thread.java:745)
{noformat}
{noformat}
main 2014-07-12 11:24:38,477 INFO [apache.qpid.client.AMQConnection] Unable to connect to broker at tcp://localhost:15671?trust_store_password='********'&trust_store='test-profiles/test_resources/ssl/java_client_truststore.jks'&ssl='true'
org.apache.qpid.transport.SenderException: SSL Engine timed out waiting for a response.To get more info,run with -Djavax.net.debug=ssl
at org.apache.qpid.transport.network.security.ssl.SSLSender.send(SSLSender.java:229)
at org.apache.qpid.transport.network.security.ssl.SSLSender.send(SSLSender.java:35)
at org.apache.qpid.transport.network.Disassembler.init(Disassembler.java:160)
at org.apache.qpid.transport.network.Disassembler.init(Disassembler.java:48)
at org.apache.qpid.transport.ProtocolHeader.delegate(ProtocolHeader.java:110)
at org.apache.qpid.transport.network.Disassembler.send(Disassembler.java:73)
at org.apache.qpid.transport.network.Disassembler.send(Disassembler.java:48)
at org.apache.qpid.transport.Connection.send(Connection.java:407)
at org.apache.qpid.transport.Connection.connect(Connection.java:246)
at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:221)
at org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:620)
at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:399)
at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:155)
at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:134)
at org.apache.qpid.test.utils.QpidBrokerTestCase.getConnection(QpidBrokerTestCase.java:1124)
at org.apache.qpid.client.ssl.SSLTest.missingClientCertWhileNeedingOrWantingTestImpl(SSLTest.java:326)
{noformat}
> SSL Sender may spuriously timeout if SSL negotiation fails
> ----------------------------------------------------------
>
> Key: QPID-5892
> URL: https://issues.apache.org/jira/browse/QPID-5892
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker, Java Client
> Reporter: Keith Wall
> Assignee: Keith Wall
> Fix For: 0.29
>
>
> As highlighted by the occasional failure of
> SSLTest.testClientCertMissingWhilstWantingAndNeeding on a slower CI box,
> there is a race condition in SSLSender code. When the race condition
> manifests, the test hangs for 60s then produces a timeout exception (SSL
> Engine timed out), rather than the expected (Received fatal alert:
> bad_certificate).
> This issue is probably longstanding.
> {noformat}
> org.apache.qpid.transport.SenderException: SSL Engine timed out waiting for a response.To get more info,run with -Djavax.net.debug=ssl
> at org.apache.qpid.transport.network.security.ssl.SSLSender.send(SSLSender.java:229)
> at org.apache.qpid.transport.network.security.ssl.SSLSender.send(SSLSender.java:35)
> at org.apache.qpid.transport.network.Disassembler.init(Disassembler.java:160)
> at org.apache.qpid.transport.network.Disassembler.init(Disassembler.java:48)
> at org.apache.qpid.transport.ProtocolHeader.delegate(ProtocolHeader.java:110)
> at org.apache.qpid.transport.network.Disassembler.send(Disassembler.java:73)
> at org.apache.qpid.transport.network.Disassembler.send(Disassembler.java:48)
> at org.apache.qpid.transport.Connection.send(Connection.java:407)
> at org.apache.qpid.transport.Connection.connect(Connection.java:246)
> at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:221)
> at org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:620)
> at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:399)
> at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:155)
> at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:134)
> at org.apache.qpid.test.utils.QpidBrokerTestCase.getConnection(QpidBrokerTestCase.java:1124)
> at org.apache.qpid.client.ssl.SSLTest.missingClientCertWhileNeedingOrWantingTestImpl(SSLTest.java:326)
> at org.apache.qpid.client.ssl.SSLTest.testClientCertMissingWhilstWantingAndNeeding(SSLTest.java:306)
> {noformat}
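The lost-notify interleaving described in the comment above, and the proposed check of the flag after acquiring the lock, as an added example that is not Qpid's SSLSender code. The names `sslLock` and `sslErrorFlag` come from the comment; the class, the methods and the `window` callback (which deterministically stands in for the sender yielding while the receiver runs) are hypothetical.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;

public class LostNotifyDemo {
    private final Object sslLock = new Object();
    private final AtomicBoolean sslErrorFlag = new AtomicBoolean(false);

    // Receiver side: record the failure first, then notify under the lock.
    void reportError() {
        sslErrorFlag.set(true);
        synchronized (sslLock) { sslLock.notifyAll(); }
    }

    // Racy shape: the flag is only looked at before the lock is taken.
    String sendRacy(long timeoutMs, Runnable window) throws InterruptedException {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
        if (sslErrorFlag.get()) return "handshake error";
        window.run(); // stands in for the sender yielding before it takes the lock
        synchronized (sslLock) {
            sslLock.wait(timeoutMs); // the notify has already gone: sleeps the full timeout
        }
        return System.nanoTime() >= deadline ? "timed out" : "woken";
    }

    // Fixed shape: re-check the flag after acquiring the lock, and loop on it.
    String sendFixed(long timeoutMs, Runnable window) throws InterruptedException {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
        window.run(); // same unlucky interleaving
        synchronized (sslLock) {
            while (!sslErrorFlag.get()) {
                long remaining = deadline - System.nanoTime();
                if (remaining <= 0) return "timed out";
                TimeUnit.NANOSECONDS.timedWait(sslLock, remaining);
            }
        }
        return "handshake error";
    }

    public static void main(String[] args) throws InterruptedException {
        LostNotifyDemo racy = new LostNotifyDemo();
        System.out.println("racy:  " + racy.sendRacy(500, racy::reportError));
        LostNotifyDemo fixed = new LostNotifyDemo();
        System.out.println("fixed: " + fixed.sendFixed(500, fixed::reportError));
    }
}
```

Because the receiver sets the flag before notifying under the lock, a sender that tests the flag while holding the lock either sees it set or is already waiting when the notify arrives.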