[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE
[ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16053654#comment-16053654 ] Emmanuel Lecharny commented on DIRMINA-1067: You could also use a tool like {{wireshark}} to analyse what PDU are exchanged between the client and the server, as nothing is encrypted before a late stage in the TLS protocol. Another option would be to start both the client and the server using {{-Djavax.net.debug=all}} to get some logs explaining what's going on on both side. > checkClientTrusted() invoked just once on IBM JRE > - > > Key: DIRMINA-1067 > URL: https://issues.apache.org/jira/browse/DIRMINA-1067 > Project: MINA > Issue Type: Bug > Components: Core >Affects Versions: 2.0.16 >Reporter: Peter Palaga > > When we set up a test in which a client connects to the server three times > using TLS with a client cert, then on OracleJDK and OpenJDK the > {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[], > String)}} method is invoked three times, while on IBM JDK, the same method > is invoked only once. > I kindly ask for an explanation why this happens. I am not an expert in TLS > and therefore I am not able to tell whether this is a bug in Mina, any of the > JDKs, both or none. > Steps to reproduce: > (1) Prepare > {code} > git fetch https://github.com/ppalaga/mina.git > refs/heads/DIRMINA-1067:DIRMINA-1067 > git checkout DIRMINA-1067 > mvn clean install -DskipTests > {code} > (2) Test with Oracle JDK or OpenJDK which both work as expected. > {code} > export JAVA_HOME=/path/to/OracleJDK # change this > $JAVA_HOME/bin/java -version > java version "1.8.0_121" > Java(TM) SE Runtime Environment (build 1.8.0_121-b13) > Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode) > mvn test -Dtest=SslClientCertTest > ... > Running org.apache.mina.filter.ssl.SslClientCertTest > [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing > certs > [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - > in org.apache.mina.filter.ssl.SslClientCertTest > {code} > Note that {{Adding cert ...}} appears three times in the log > (3) Test with IBM JDK > {code} > export JAVA_HOME=/path/to/IBMJDK > $JAVA_HOME/bin/java -version > java version "1.8.0" > Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12)) > IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References > 20160915_318796 (JIT enabled, AOT enabled) > J9VM - R28_Java8_SR3_20160915_0912_B318796 > JIT - tr.r14.java.green_20160818_122998 > GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS > J9CL - 20160915_318796) > JCL - 20160914_01 based on Oracle jdk8u101-b13 > mvn surefire:test -Dtest=SslClientCertTest > ... > Running org.apache.mina.filter.ssl.SslClientCertTest > [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing > certs > [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< > FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest > testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed: > 5.412 sec <<< FAILURE! > java.lang.AssertionError: expected:<3> but was:<1> > {code} > Expected: {{testClientCerts}} should pass > Actual: {{testClientCerts}} fails > Background: I took ApacheDS to check that our LDAP client code in WildFly is > sending the client certs properly, but the results on Oracle vs IBM were > inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 > does basically the same thing as the reproducer of the current issue > https://github.com/apache/mina/pull/12 -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE
[ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16045355#comment-16045355 ] Emmanuel Lecharny commented on DIRMINA-1067: The thing is that you call 3 times the {{connectAndSend}} method. If you call it 4 times, the certificate is checked 4 times (I did the test). IMO, the IBM JDK should cache the result of the certificate check, thus avoiding doing it again when it receives the exact same certificate another time, something the Oracle JDK does not do. In any case, I don't think there is a problem in MINA, as we are dealing with a brand new connection everytime (beside teh obvious cost of checking the same certificate over and over)... > checkClientTrusted() invoked just once on IBM JRE > - > > Key: DIRMINA-1067 > URL: https://issues.apache.org/jira/browse/DIRMINA-1067 > Project: MINA > Issue Type: Bug > Components: Core >Affects Versions: 2.0.16 >Reporter: Peter Palaga > > When we set up a test in which a client connects to the server three times > using TLS with a client cert, then on OracleJDK and OpenJDK the > {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[], > String)}} method is invoked three times, while on IBM JDK, the same method > is invoked only once. > I kindly ask for an explanation why this happens. I am not an expert in TLS > and therefore I am not able to tell whether this is a bug in Mina, any of the > JDKs, both or none. > Steps to reproduce: > (1) Prepare > {code} > git fetch https://github.com/ppalaga/mina.git > refs/heads/DIRMINA-1067:DIRMINA-1067 > git checkout DIRMINA-1067 > mvn clean install -DskipTests > {code} > (2) Test with Oracle JDK or OpenJDK which both work as expected. > {code} > export JAVA_HOME=/path/to/OracleJDK # change this > $JAVA_HOME/bin/java -version > java version "1.8.0_121" > Java(TM) SE Runtime Environment (build 1.8.0_121-b13) > Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode) > mvn test -Dtest=SslClientCertTest > ... > Running org.apache.mina.filter.ssl.SslClientCertTest > [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing > certs > [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - > in org.apache.mina.filter.ssl.SslClientCertTest > {code} > Note that {{Adding cert ...}} appears three times in the log > (3) Test with IBM JDK > {code} > export JAVA_HOME=/path/to/IBMJDK > $JAVA_HOME/bin/java -version > java version "1.8.0" > Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12)) > IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References > 20160915_318796 (JIT enabled, AOT enabled) > J9VM - R28_Java8_SR3_20160915_0912_B318796 > JIT - tr.r14.java.green_20160818_122998 > GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS > J9CL - 20160915_318796) > JCL - 20160914_01 based on Oracle jdk8u101-b13 > mvn surefire:test -Dtest=SslClientCertTest > ... > Running org.apache.mina.filter.ssl.SslClientCertTest > [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing > certs > [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert > CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown > Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< > FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest > testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed: > 5.412 sec <<< FAILURE! > java.lang.AssertionError: expected:<3> but was:<1> > {code} > Expected: {{testClientCerts}} should pass > Actual: {{testClientCerts}} fails > Background: I took ApacheDS to check that our LDAP client code in WildFly is > sending the client certs properly, but the results on Oracle vs IBM were > inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 > does basically the same thing as the reproducer of the current issue > https://github.com/apache/mina/pull/12 -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE
[ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16037476#comment-16037476 ] ASF GitHub Bot commented on DIRMINA-1067: - GitHub user ppalaga opened a pull request: https://github.com/apache/mina/pull/12 A reproducer for DIRMINA-1067 checkClientTrusted() invoked just once on IBM JRE You can merge this pull request into a Git repository by running: $ git pull https://github.com/ppalaga/mina DIRMINA-1067 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/mina/pull/12.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #12 commit 1223863fdcba6848db3ee9f2e381f45df75ef999 Author: Emmanuel LécharnyDate: 2014-09-05T18:16:24Z Release the In and Out net buffer when we get a SSLException (DIRMINA-968). Note : we don't have a test case to reproduce the issue, so it's a kind of blind attempt to solve it. commit e0da8d7fdecf9d412063089b860a960caa0795bf Author: Emmanuel Lécharny Date: 2014-09-06T20:21:46Z Fix for DIRMINA-629 : used a lock around all the methods to avoid concurrent issues. Removed the AtomicXXX which are not anymore useful. commit 5ffd8c02a8ffcb4671d3db80598a851143f79d6f Author: Emmanuel Lécharny Date: 2014-09-06T21:04:04Z Added some information to the error message when we try to bind (socketAddress) See DIRMINA-825 commit 67240409a2537972d6998f26ed83d99265a6de09 Author: Emmanuel Lécharny Date: 2014-09-07T05:01:23Z Had to intialize the cause outside of the constructor to please Java 5 (no constructor with the message and the cause in Java5) commit de58078ce2139cffbec84da63b5030e77e592dac Author: Emmanuel Lécharny Date: 2014-09-07T06:32:23Z o Added a thread to cleanup the expired sessions o Used ConcurrentHshMap instead of SynchronizedMap o Added a lock to be sure we don't have concurrent access to the map (it's needed even if the map is protected against concurrent access, as we update the map in different places) This filter is an example of what should *not* be accepted in out code base... commit faa8e58e11a3fa50e5169f6f9c1119d275199fec Author: Emmanuel Lécharny Date: 2014-09-07T07:48:42Z Accept addresses like 0.0.0.0 or :: (IPV4 and IPV6)in the inSubnet() method (see DIRMINA-773) commit 9d7d823edacede56813674b94cba2ae65977426f Author: Emmanuel Lécharny Date: 2014-09-07T12:22:06Z o Added some info when a IOException occurs (DIRMINA-825) o Close the channel when we get an IOException (DIRMINA-928) commit 3852d253911a7ad05a230e27debf4b4bd56d Author: Jeff MAURY Date: 2014-09-07T15:23:53Z Added a test for DIRMINA-777 commit 9645bc04739faa55f1aae396fb42d5221f5efddd Author: Jeff MAURY Date: 2014-09-07T16:28:46Z Backporting DIRMINA-931 to 2.0 commit ccbf33f9457bd7ecc3376928ee8bdf8687afa09d Author: Jeff MAURY Date: 2014-09-07T16:38:53Z Add Informational status codes commit 81f55c8f6de1a73c2f999fd4cf20546fd54c09a0 Author: Emmanuel Lécharny Date: 2014-09-07T19:35:31Z Moved the increaseWrittenMessages method to the TailFilter (See DIRMINA-631) commit 1781aab8d06a1b60e7e90386dd9aa1dee816a4d2 Author: Emmanuel Lécharny Date: 2014-09-08T08:18:14Z Avoided to loop from 1 to 1024, as we will never run this test under a priviledged user. commit 3cf5bcdc800db329400193f24afa0613b7d3178e Author: Emmanuel Lécharny Date: 2014-09-08T08:42:05Z Added the supported ciphers in the SSLHandler (see DIRMINA-760) commit d500b2e9727675abe9c325da7587b20dcaf95890 Author: Emmanuel Lécharny Date: 2014-09-08T10:28:23Z Sadly, the getSupportedSSLParameters() method is not available in Java 5. Used getServerSocketFactory().getSupportedCipherSuites() instead. commit 478a8a87de9128bdbbc6d38c8b320d769f5d1441 Author: Emmanuel Lécharny Date: 2014-09-08T12:13:09Z Called the statistic updateThroughput metho din the TailFilter, so that the user don't have to do it. See DIRMINA-967 commit 5955d7281936d97f5ca39d9619692f05e48140d9 Author: Emmanuel Lécharny Date: 2014-09-08T15:18:47Z Added a destroy(session), as suggested in DIRMINA-942 commit 3ebfb8c09444ce5dc7cd68d673df7c7f11f38503 Author: Emmanuel Lécharny Date: 2014-09-09T05:33:40Z Printed out the sent message (we were getting an empty byte before). That will fix DIRMINA-833 commit