[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE

2017-06-19 Thread Emmanuel Lecharny (JIRA) 

[ 
https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16053654#comment-16053654
 ] 

Emmanuel Lecharny commented on DIRMINA-1067:


You could also use a tool like {{wireshark}} to analyse what PDU are exchanged 
between the client and the server, as nothing is encrypted before a late stage 
in the TLS protocol. Another option would be to start both the client and the 
server using {{-Djavax.net.debug=all}} to get some logs explaining what's going 
on on both side.

> checkClientTrusted() invoked just once on IBM JRE
> -
>
> Key: DIRMINA-1067
> URL: https://issues.apache.org/jira/browse/DIRMINA-1067
> Project: MINA
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 2.0.16
>Reporter: Peter Palaga
>
> When we set up a test in which a client connects to the server three times 
> using TLS with a client cert, then on OracleJDK and OpenJDK the 
> {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
>  String)}} method is invoked three times, while on IBM JDK, the same method 
> is invoked only once. 
> I kindly ask for an explanation why this happens. I am not an expert in TLS 
> and therefore I am not able to tell whether this is a bug in Mina, any of the 
> JDKs, both or none.
> Steps to reproduce: 
> (1) Prepare
> {code}
> git fetch https://github.com/ppalaga/mina.git  
> refs/heads/DIRMINA-1067:DIRMINA-1067
> git checkout DIRMINA-1067
> mvn clean install -DskipTests
> {code}
> (2) Test with Oracle JDK or OpenJDK which both work as expected.
> {code}
> export JAVA_HOME=/path/to/OracleJDK # change this
> $JAVA_HOME/bin/java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> mvn test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - 
> in org.apache.mina.filter.ssl.SslClientCertTest
> {code}
> Note that {{Adding cert ...}} appears three times in the log
> (3) Test with IBM JDK
> {code}
> export JAVA_HOME=/path/to/IBMJDK
> $JAVA_HOME/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 
> 20160915_318796 (JIT enabled, AOT enabled)
> J9VM - R28_Java8_SR3_20160915_0912_B318796
> JIT  - tr.r14.java.green_20160818_122998
> GC   - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
> J9CL - 20160915_318796)
> JCL - 20160914_01 based on Oracle jdk8u101-b13
> mvn surefire:test -Dtest=SslClientCertTest 
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< 
> FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
> testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest)  Time elapsed: 
> 5.412 sec  <<< FAILURE!
> java.lang.AssertionError: expected:<3> but was:<1>
> {code}
> Expected: {{testClientCerts}} should pass
> Actual: {{testClientCerts}} fails
> Background: I took ApacheDS to check that our LDAP client code in WildFly is 
> sending the client certs properly, but the results on Oracle vs IBM were 
> inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 
> does basically the same thing as the reproducer of the current issue 
> https://github.com/apache/mina/pull/12



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE

2017-06-09 Thread Emmanuel Lecharny (JIRA) 

[ 
https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16045355#comment-16045355
 ] 

Emmanuel Lecharny commented on DIRMINA-1067:


The thing is that you call 3 times the {{connectAndSend}} method. If you call 
it 4 times, the certificate is checked 4 times (I did the test).

IMO, the IBM JDK should cache the result of the certificate check, thus 
avoiding doing it again when it receives the exact same certificate another 
time, something the Oracle JDK does not do. In any case, I don't think there is 
a problem in MINA, as we are dealing with a brand new connection everytime 
(beside teh obvious cost of checking the same certificate over and over)...

> checkClientTrusted() invoked just once on IBM JRE
> -
>
> Key: DIRMINA-1067
> URL: https://issues.apache.org/jira/browse/DIRMINA-1067
> Project: MINA
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 2.0.16
>Reporter: Peter Palaga
>
> When we set up a test in which a client connects to the server three times 
> using TLS with a client cert, then on OracleJDK and OpenJDK the 
> {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
>  String)}} method is invoked three times, while on IBM JDK, the same method 
> is invoked only once. 
> I kindly ask for an explanation why this happens. I am not an expert in TLS 
> and therefore I am not able to tell whether this is a bug in Mina, any of the 
> JDKs, both or none.
> Steps to reproduce: 
> (1) Prepare
> {code}
> git fetch https://github.com/ppalaga/mina.git  
> refs/heads/DIRMINA-1067:DIRMINA-1067
> git checkout DIRMINA-1067
> mvn clean install -DskipTests
> {code}
> (2) Test with Oracle JDK or OpenJDK which both work as expected.
> {code}
> export JAVA_HOME=/path/to/OracleJDK # change this
> $JAVA_HOME/bin/java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> mvn test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - 
> in org.apache.mina.filter.ssl.SslClientCertTest
> {code}
> Note that {{Adding cert ...}} appears three times in the log
> (3) Test with IBM JDK
> {code}
> export JAVA_HOME=/path/to/IBMJDK
> $JAVA_HOME/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 
> 20160915_318796 (JIT enabled, AOT enabled)
> J9VM - R28_Java8_SR3_20160915_0912_B318796
> JIT  - tr.r14.java.green_20160818_122998
> GC   - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
> J9CL - 20160915_318796)
> JCL - 20160914_01 based on Oracle jdk8u101-b13
> mvn surefire:test -Dtest=SslClientCertTest 
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< 
> FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
> testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest)  Time elapsed: 
> 5.412 sec  <<< FAILURE!
> java.lang.AssertionError: expected:<3> but was:<1>
> {code}
> Expected: {{testClientCerts}} should pass
> Actual: {{testClientCerts}} fails
> Background: I took ApacheDS to check that our LDAP client code in WildFly is 
> sending the client certs properly, but the results on Oracle vs IBM were 
> inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 
> does basically the same thing as the reproducer of the current issue 
> https://github.com/apache/mina/pull/12



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (DIRMINA-1067) checkClientTrusted() invoked just once on IBM JRE

2017-06-05 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16037476#comment-16037476
 ] 

ASF GitHub Bot commented on DIRMINA-1067:
-

GitHub user ppalaga opened a pull request:

https://github.com/apache/mina/pull/12

A reproducer for DIRMINA-1067 checkClientTrusted() invoked just once on IBM 
JRE



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/ppalaga/mina DIRMINA-1067

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/mina/pull/12.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #12


commit 1223863fdcba6848db3ee9f2e381f45df75ef999
Author: Emmanuel Lécharny 
Date:   2014-09-05T18:16:24Z

Release the In and Out net buffer when we get a SSLException
(DIRMINA-968). Note : we don't have a test case to reproduce the issue,
so it's a kind of blind attempt to solve it.

commit e0da8d7fdecf9d412063089b860a960caa0795bf
Author: Emmanuel Lécharny 
Date:   2014-09-06T20:21:46Z

Fix for DIRMINA-629 : used a lock around all the methods to avoid
concurrent issues. Removed the AtomicXXX which are not anymore useful.

commit 5ffd8c02a8ffcb4671d3db80598a851143f79d6f
Author: Emmanuel Lécharny 
Date:   2014-09-06T21:04:04Z

Added some information to the error message when we try to bind
(socketAddress) See DIRMINA-825

commit 67240409a2537972d6998f26ed83d99265a6de09
Author: Emmanuel Lécharny 
Date:   2014-09-07T05:01:23Z

Had to intialize the cause outside of the constructor to please Java 5
(no constructor with the message and the cause in Java5)

commit de58078ce2139cffbec84da63b5030e77e592dac
Author: Emmanuel Lécharny 
Date:   2014-09-07T06:32:23Z

o Added a thread to cleanup the expired sessions
o Used ConcurrentHshMap instead of SynchronizedMap
o Added a lock to be sure we don't have concurrent access to the map
(it's needed even if the map is protected against concurrent access, as
we update the map in different places)

This filter is an example of what should *not* be accepted in out code
base...

commit faa8e58e11a3fa50e5169f6f9c1119d275199fec
Author: Emmanuel Lécharny 
Date:   2014-09-07T07:48:42Z

Accept addresses like 0.0.0.0 or :: (IPV4 and IPV6)in the inSubnet()
method (see DIRMINA-773)

commit 9d7d823edacede56813674b94cba2ae65977426f
Author: Emmanuel Lécharny 
Date:   2014-09-07T12:22:06Z

o Added some info when a IOException occurs (DIRMINA-825)
o Close the channel when we get an IOException (DIRMINA-928)

commit 3852d253911a7ad05a230e27debf4b4bd56d
Author: Jeff MAURY 
Date:   2014-09-07T15:23:53Z

Added a test for DIRMINA-777

commit 9645bc04739faa55f1aae396fb42d5221f5efddd
Author: Jeff MAURY 
Date:   2014-09-07T16:28:46Z

Backporting DIRMINA-931 to 2.0

commit ccbf33f9457bd7ecc3376928ee8bdf8687afa09d
Author: Jeff MAURY 
Date:   2014-09-07T16:38:53Z

Add Informational status codes

commit 81f55c8f6de1a73c2f999fd4cf20546fd54c09a0
Author: Emmanuel Lécharny 
Date:   2014-09-07T19:35:31Z

Moved the increaseWrittenMessages method to the TailFilter (See
DIRMINA-631)

commit 1781aab8d06a1b60e7e90386dd9aa1dee816a4d2
Author: Emmanuel Lécharny 
Date:   2014-09-08T08:18:14Z

Avoided to loop from 1 to 1024, as we will never run this test under a
priviledged user.

commit 3cf5bcdc800db329400193f24afa0613b7d3178e
Author: Emmanuel Lécharny 
Date:   2014-09-08T08:42:05Z

Added the supported ciphers in the SSLHandler (see DIRMINA-760)

commit d500b2e9727675abe9c325da7587b20dcaf95890
Author: Emmanuel Lécharny 
Date:   2014-09-08T10:28:23Z

Sadly, the getSupportedSSLParameters() method is not available in Java
5. Used getServerSocketFactory().getSupportedCipherSuites() instead.

commit 478a8a87de9128bdbbc6d38c8b320d769f5d1441
Author: Emmanuel Lécharny 
Date:   2014-09-08T12:13:09Z

Called the statistic updateThroughput metho din the TailFilter, so that
the user don't have to do it. See DIRMINA-967

commit 5955d7281936d97f5ca39d9619692f05e48140d9
Author: Emmanuel Lécharny 
Date:   2014-09-08T15:18:47Z

Added a destroy(session), as suggested in DIRMINA-942

commit 3ebfb8c09444ce5dc7cd68d673df7c7f11f38503
Author: Emmanuel Lécharny 
Date:   2014-09-09T05:33:40Z

Printed out the sent message (we were getting an empty byte before).
That will fix DIRMINA-833

commit