David Handermann created NIFI-11680:
---------------------------------------

             Summary: Buffer Overflow with Connection Load Balancing and Bouncy Castle TLS
                 Key: NIFI-11680
                 URL: https://issues.apache.org/jira/browse/NIFI-11680
             Project: Apache NiFi
          Issue Type: Bug
          Components: Core Framework
    Affects Versions: 1.22.0
            Reporter: David Handermann
            Assignee: David Handermann
             Fix For: 1.latest, 2.latest


Cluster Connection Load Balancing is susceptible to a 
{{BufferOverflowException}} when the Java Virtual Machine is configured with an 
alternative Security Provider for TLS, such as the Bouncy Castle Security 
Provider.

The standard JDK
[SSLSession implementation|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java#L1394]
provides {{getPacketBufferSize()}} and {{getApplicationBufferSize()}} methods 
to support runtime determination of required buffer sizes for encrypted and 
decrypted records. The standard implementation calculates specific sizes based 
on TLS protocol version.

The Bouncy Castle
[SSLSession implementation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L99]
uses a hard-coded value of 16384 for the Application Buffer Size and uses a 
[worst-case scenario calculation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L150]
for the Packet Buffer Size.

When running with the Bouncy Castle implementation, the NiFi {{PeerChannel}} 
can produce encrypted packets that exceed the prepared buffer size, resulting 
in a {{BufferOverflowException}}.

Instead of using the {{SSLSession}} Application Buffer Size to expand the 
encrypted prepared buffer, the {{PeerChannel}} method should adjust the 
prepared buffer based on the size of the current destination buffer. This approach 
should ensure correct behavior regardless of the TLS Security Provider 
implementation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
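
The buffer handling proposed in the issue, sketched as an added example that is not NiFi's {{PeerChannel}} code or the committed fix: on {{BUFFER_OVERFLOW}} the destination is enlarged from its own current capacity rather than from a size reported by the {{SSLSession}}. The class name {{GrowingWrap}}, the doubling policy, the 64-byte floor and the {{MAX_BUFFER}} ceiling are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class GrowingWrap {
    // Assumed ceiling so that a provider which keeps reporting overflow cannot force unbounded allocation.
    private static final int MAX_BUFFER = 1 << 20;

    // Performs one wrap operation and returns the buffer holding its output, flipped for reading.
    // The returned buffer may be a larger replacement for the one passed in.
    static ByteBuffer wrap(SSLEngine engine, ByteBuffer src, ByteBuffer dest) throws SSLException {
        while (true) {
            SSLEngineResult result = engine.wrap(src, dest);
            switch (result.getStatus()) {
                case OK:
                    dest.flip();
                    return dest;
                case BUFFER_OVERFLOW: {
                    if (dest.capacity() >= MAX_BUFFER) {
                        throw new SSLException("Encrypted record does not fit in " + MAX_BUFFER + " bytes");
                    }
                    // Size the replacement from the current destination capacity (doubling is an
                    // assumed policy), so the result does not depend on provider-reported sizes.
                    int grown = Math.min(Math.max(dest.capacity(), 64) * 2, MAX_BUFFER);
                    ByteBuffer bigger = ByteBuffer.allocate(grown);
                    dest.flip();
                    bigger.put(dest); // keep bytes already written before the overflow
                    dest = bigger;
                    break;
                }
                default:
                    throw new SSLException("Unexpected wrap status: " + result.getStatus());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a client-mode engine with an empty source and a deliberately
        // undersized destination; the first wrap emits the ClientHello handshake record.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        ByteBuffer out = wrap(engine, ByteBuffer.allocate(0), ByteBuffer.allocate(64));
        System.out.println("record bytes=" + out.remaining() + ", final capacity=" + out.capacity());
    }
}
```

Running the same class with a different provider registered for TLS shows how the final capacity depends on the provider while the loop itself stays unchanged.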
