[ https://issues.apache.org/jira/browse/IGNITE-15337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17476898#comment-17476898 ]

Igor Sapego edited comment on IGNITE-15337 at 1/16/22, 11:32 PM:
-----------------------------------------------------------------

I've got to the root of the issue, and this seems to be a server-side issue. 
In short, in TLS 1.3, unlike in TLS 1.2, the client considers the handshake 
complete when the server has not yet completed configuring ciphers. This may 
cause (and causes) situations when the client sends application layer data to 
the server alongside the ChangeCipherSpec message. But on the server side we do 
not consider this possibility and do not process application layer data after 
handling ChangeCipherSpec (which is considered to be a part of the handshake 
process). So even though the receive buffer is not empty, we simply do not check 
and process any data left in it after the handshake is complete.

P.S. Changing ticket summary accordingly and adding patch.


was (Author: isapego):
I've got to the root of the issue, and this seems to be a server-side issue. 
In short, in TLS 1.3, unlike in TLS 1.2, the client considers the handshake 
complete when the server has not yet completed configuring ciphers. This may 
cause (and causes) situations when the client sends application layer data to 
the server alongside the ChangeCipherSpec message. But on the server side we do 
not consider this possibility and do not process any data in the receive buffer 
after the handshake is complete, even if it's not empty.

P.S. Changing ticket summary accordingly and adding patch.

> Thin client using TLS 1.3 may freeze on connection to server
> ------------------------------------------------------------
>
>                 Key: IGNITE-15337
>                 URL: https://issues.apache.org/jira/browse/IGNITE-15337
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Ivan Daschinsky
>            Assignee: Igor Sapego
>            Priority: Major
>         Attachments: debug_ssl.patch, odbc-trace.log, python_tls_1_3.patch, 
> test.log
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
>  ODBC SSL tests randomly (Ubuntu 20.04) or constantly (Win 10) fail on 
> OpenSSL 1.1.1k with a failed handshake. 
> On OpenSSL without TLS 1.3 support everything works flawlessly.
> WA: disable TLS 1.3 on the Ignite side 
> {code}
> -Djdk.tls.server.protocols=TLSv1.2
> {code}
> It would also be great to implement an ability to set the TLS version in C++; 
> currently the default one is chosen. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
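
The failure mode described in the comment above, as an added example that is not Ignite code or the attached patch: a toy record-layer model in which one read delivers ChangeCipherSpec, the client's Finished and the first request together. Assumptions: no cryptography is performed, the first type-23 record is treated as Finished, and `ServerSession`, `next_record` and `FLIGHT` are hypothetical names.

```python
import struct

CCS, APPDATA = 20, 23  # outer TLS record content types seen on the wire

def record(ctype, payload):
    """Frame a payload as a TLS record: type(1) | version(2) | length(2)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def next_record(buf):
    """Return ((type, payload), rest), or (None, buf) if incomplete."""
    if len(buf) < 5:
        return None, buf
    ctype, _version, length = struct.unpack_from("!BHH", buf)
    if len(buf) < 5 + length:
        return None, buf
    return (ctype, buf[5:5 + length]), buf[5 + length:]

class ServerSession:
    """Toy server side (assumption: first type-23 record is Finished)."""
    def __init__(self, drain_after_handshake):
        self.drain = drain_after_handshake
        self.handshake_done = False
        self.pending = b""    # received bytes not yet consumed
        self.delivered = []   # payloads handed to the application layer

    def on_read(self, data):
        self.pending += data
        while True:
            rec, rest = next_record(self.pending)
            if rec is None:
                return        # partial record: wait for the next read
            self.pending = rest
            ctype, payload = rec
            if self.handshake_done:
                self.delivered.append(payload)
            elif ctype == APPDATA:
                self.handshake_done = True
                if not self.drain:
                    return    # bug pattern: buffered records are left behind
            # ctype == CCS before completion: nothing to deliver

# Constructed client flight arriving in a single read.
FLIGHT = (record(CCS, b"\x01") + record(APPDATA, b"<finished>")
          + record(APPDATA, b"<request>"))

def demo():
    buggy, fixed = ServerSession(False), ServerSession(True)
    buggy.on_read(FLIGHT)
    fixed.on_read(FLIGHT)
    return buggy, fixed
```

In the non-draining session the request record stays in `pending` with nothing delivered, while the draining session hands it to the application in the same read.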
