[ https://issues.apache.org/jira/browse/QPID-6981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Keith Wall updated QPID-6981:
-----------------------------
    Fix Version/s:     (was: qpid-java-6.2)

> SSLSender does not send the close_notify bytes during client initiated 
> connection close 
> ----------------------------------------------------------------------------------------
>
>                 Key: QPID-6981
>                 URL: https://issues.apache.org/jira/browse/QPID-6981
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Client, Java Common
>    Affects Versions: qpid-java-6.0
>            Reporter: Keith Wall
>
> If I close a connection that uses TLS from the client side (AMQP 0-10 or 
> 0-9), the socket is successfully closed, but the SSL close_notify bytes are 
> never sent over the wire.  The Java Broker logs a stack trace to report this. 
> The client side problem is in {{SSLSender#tearDownSSLConnection}}.  
> The following is the log of 
> {{SSLTest.testCreateSSLConnectionUsingConnectionURLParams}} augmented with 
> extra trace in tearDownSSLConnection/IoSender.
> {noformat}
> 2016-01-09 17:01:01,047         DEBUG 
> [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection RECV: 
> [conn:618c5d94] ch=0 ConnectionCloseOk()
> 2016-01-09 17:01:01,048         DEBUG 
> [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender 
> Closing SSL connection
> 2016-01-09 17:01:01,048         DEBUG 
> [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender 
> SSLEngine result Status = BUFFER_OVERFLOW HandshakeStatus = NEED_WRAP
> bytesConsumed = 0 bytesProduced = 0 (tearDownSSLConnection initial wrap)
> 2016-01-09 17:01:01,048         DEBUG [IO-/127.0.0.1:51231] 
> o.a.q.s.t.MultiVersionProtocolEngine Closed
> 2016-01-09 17:01:01,048         DEBUG 
> [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender 
> SSLEngine result Status = CLOSED HandshakeStatus = NEED_UNWRAP
> bytesConsumed = 0 bytesProduced = 85 (tearDownSSLConnection loop wrap)
> ##  These 85 bytes never go down the wire
> 2016-01-09 17:01:01,048         DEBUG 
> [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection 
> connection closed: conn:618c5d94
> {noformat}
> The Java Broker logs a stack trace at debug complaining that it never 
> received the close_notify.  It otherwise ignores the condition.
> {noformat}
> 2016-01-09 17:01:01,055         DEBUG [IO-/127.0.0.1:51231] 
> o.a.q.s.t.NonBlockingConnectionTLSDelegate Exception when closing SSLEngine
> javax.net.ssl.SSLException: Inbound closed before receiving peer's 
> close_notify: possible truncation attack?
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) 
> ~[na:1.8.0_45]
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) 
> ~[na:1.8.0_45]
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) 
> ~[na:1.8.0_45]
>         at 
> sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) 
> ~[na:1.8.0_45]
>         at 
> org.apache.qpid.server.transport.NonBlockingConnectionTLSDelegate.shutdownOutput(NonBlockingConnectionTLSDelegate.java:364)
>  ~[qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.NonBlockingConnection.shutdownOutput(NonBlockingConnection.java:409)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.NonBlockingConnection.shutdown(NonBlockingConnection.java:360)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.NonBlockingConnection.doWork(NonBlockingConnection.java:299)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.NetworkConnectionScheduler.processConnection(NetworkConnectionScheduler.java:108)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.SelectorThread$ConnectionProcessor.processConnection(SelectorThread.java:502)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.SelectorThread$SelectionTask.performSelect(SelectorThread.java:340)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.SelectorThread$SelectionTask.run(SelectorThread.java:86)
>  [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> org.apache.qpid.server.transport.SelectorThread.run(SelectorThread.java:460) 
> [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>  [na:1.8.0_45]
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>  [na:1.8.0_45]
>         at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
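
The close sequence the report describes (a first wrap that returns BUFFER_OVERFLOW, then a wrap that produces the close_notify record) is sketched below as an added example; it is not Qpid's code or the project's fix. `TlsCloseNotify` and `sendCloseNotify` are hypothetical names, and the transport is assumed to be any `WritableByteChannel`.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.WritableByteChannel;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;

public class TlsCloseNotify {
    private static final ByteBuffer EMPTY = ByteBuffer.allocate(0);

    /** Hypothetical helper: queue close_notify and hand every produced byte to 'out'. */
    static int sendCloseNotify(SSLEngine engine, WritableByteChannel out) throws IOException {
        engine.closeOutbound();
        // Deliberately small, so the BUFFER_OVERFLOW path seen in the log is exercised.
        ByteBuffer net = ByteBuffer.allocate(16);
        int written = 0;
        while (!engine.isOutboundDone()) {
            SSLEngineResult r = engine.wrap(EMPTY, net);
            if (r.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                // Nothing was produced: grow to the engine's packet size and retry.
                net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
                continue;
            }
            if (r.bytesProduced() == 0) {
                break; // engine has nothing further to emit
            }
            // The step the report found missing: the bytes must reach the socket
            // before the connection is closed.
            net.flip();
            while (net.hasRemaining()) {
                written += out.write(net);
            }
            net.clear();
        }
        return written;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: an in-memory channel stands in for the socket. This engine
        // has not handshaked, so what it emits (if anything) depends on the JDK.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        int n = sendCloseNotify(engine, Channels.newChannel(wire));
        System.out.println("bytes handed to the transport: " + n);
    }
}
```

On an established connection the peer's `closeInbound()` then completes without the "possible truncation attack?" exception, because it has received the close_notify record before the socket closes.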
