That's fine, you can use this code for 2.0.x -> 2.2.1 documentation.

------------------------------------------
M.V.S.Kishore
91-9886412814

On Mon, 17 Apr 2023 at 20:46, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> Great!
>
> If you don't mind, I'd like to use this piece of code to document the
> 2.0 -> 2.2 migration.
>
> Just let me know if it's OK with you!
>
> Thanks!
>
> On 17/04/2023 13:04, Kishore Mokkarala wrote:
> > Thank you all for the help. Here is my SSL implementation for making it work
> > with 2.2.1 for passing PEER ADDRESS (SNI host name) in the SSL engine.
> >
> > import java.net.InetSocketAddress;
> > import javax.net.ssl.SSLContext;
> > import javax.net.ssl.SSLEngine;
> > import org.apache.mina.core.session.IoSession;
> > import org.apache.mina.filter.ssl.SslFilter;
> >
> > public class CustomSslFilter extends SslFilter {
> >     public CustomSslFilter(SSLContext sslContext) {
> >         super(sslContext);
> >     }
> >
> >     // Override createEngine
> >     @Override
> >     protected SSLEngine createEngine(IoSession session, InetSocketAddress addr) {
> >         // Add your SNI host name and port in the IoSession.
> >         // SNIHostNames and PortNumber are the session attribute keys set in the
> >         // IoSessionInitializer; the port is stored there as an Integer.
> >         String sniHostName = (String) session.getAttribute(SNIHostNames);
> >         int portNumber = (Integer) session.getAttribute(PortNumber);
> >         InetSocketAddress peer = InetSocketAddress.createUnresolved(sniHostName, portNumber);
> >         SSLEngine sslEngine = (addr != null)
> >                 ? sslContext.createSSLEngine(peer.getHostString(), peer.getPort())
> >                 : sslContext.createSSLEngine();
> >
> >         // Always start with WANT, which will be squashed by NEED if NEED is true.
> >         // Actually, it makes not a lot of sense to select NEED and WANT. NEED >> WANT...
> >         if (wantClientAuth) {
> >             sslEngine.setWantClientAuth(true);
> >         }
> >
> >         if (needClientAuth) {
> >             sslEngine.setNeedClientAuth(true);
> >         }
> >
> >         if (enabledCipherSuites != null) {
> >             sslEngine.setEnabledCipherSuites(enabledCipherSuites);
> >         }
> >
> >         if (enabledProtocols != null) {
> >             sslEngine.setEnabledProtocols(enabledProtocols);
> >         }
> >
> >         sslEngine.setUseClientMode(!session.isServer());
> >
> >         return sslEngine;
> >     }
> > }
> >
> >
> > IoSessionInitializer<ConnectFuture> initializer = new IoSessionInitializer<ConnectFuture>() {
> >
> >     @Override
> >     public void initializeSession(IoSession session, ConnectFuture future) {
> >
> >         session.setAttribute( SNIHostNames , "example.com");
> >         session.setAttribute( PortNumber , 8443);
> >     }
> > };
> >
> > try {
> >     NioSocketConnector connector = getConnector();
> >     ioSession = connector.connect(address, initializer).awaitUninterruptibly().getSession();
> > } catch (RuntimeIoException eio) {
> >     initializationException = eio;
> > }
> >
> > ------------------------------------------
> > M.V.S.Kishore
> > 91-9886412814
> >
> >
> > On Fri, 14 Apr 2023 at 18:43, Jonathan Valliere <john...@apache.org> wrote:
> >
> >> Looking at the code for your existing filter it appears like you’re just
> >> trying to create the SSLEngine so it can be reused for subsequent
> >> connections by passing in the IP address and Port?
> >>
> >> This is already a feature in the new filter.
> >>
> >> https://github.com/apache/mina/blob/a8dc2c56ec43ac67d64d0dab39a65958579debbb/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java#L281
> >>
> >> If you want to perform any customization during the SSL Engine setup, just
> >> override createEngine
> >>
> >>
> >> On Fri, Apr 14, 2023 at 7:23 AM Kishore Mokkarala <kishore....@gmail.com> wrote:
> >>
> >>> Currently we are using the following custom SSL filter for passing SNI host
> >>> name. For doing this we are using PEER_ADDRESS.
> >>> This was available in apache mina 2.0.21 SslHandler.java, but this attribute
> >>> is not available in 2.2.10.
> >>> This PEER_ADDRESS is *eid.17.cid.0* different from the actual IP address to
> >>> which it connects, but this information is needed for the destination
> >>> server.
> >>>
> >>> *Existing implementation:*
> >>>
> >>> SslFilter sslFilter;
> >>> try {
> >>>     SSLContext sslContext = javax.net.ssl.SSLContext.getDefault();
> >>>     sslFilter = new CustomSslFilter(sslContext); // passing PEER_ADDRESS in overridden onPreAdd.
> >>>     sslFilter.setUseClientMode(true);
> >>>     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> >>> } catch (Exception e) {
> >>>     e.printStackTrace();
> >>>     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> >>> }
> >>> connector.setHandler(ioHandler);
> >>>
> >>> *CustomSslFilter.java:*
> >>>
> >>> public class CustomSslFilter extends SslFilter
> >>> {
> >>>
> >>>     public CustomSslFilter(SSLContext sslContext) {
> >>>         super(sslContext, true);
> >>>     }
> >>>
> >>>     @Override
> >>>     public void onPreAdd(IoFilterChain parent, String name,
> >>>             NextFilter nextFilter) throws SSLException {
> >>>         // Check that we don't have a SSL filter already present in the chain
> >>>         if (parent.contains(SslFilter.class)) {
> >>>             String msg = "Only one SSL filter is permitted in a chain.";
> >>>             LOGGER.error(msg);
> >>>             throw new IllegalStateException(msg);
> >>>         }
> >>>         IoSession session = parent.getSession();
> >>>         Provider provider = (Provider) session.getAttribute(G10MinaClient.PROVIDER_KEY);
> >>>         // The SNI host name goes in as a string; it is not the address we connect to
> >>>         InetSocketAddress probeAddress = InetSocketAddress.createUnresolved(
> >>>                 "eid.17.cid.0", Integer.parseInt(provider.getProbe().getPortNumber()));
> >>>         session.setAttribute(PEER_ADDRESS, probeAddress);
> >>>         super.onPreAdd(parent, name, nextFilter);
> >>>     }
> >>> }
> >>>
> >>> We are planning to migrate from 2.0.21 to 2.2.10.
> >>> Here are the changes I did but it is not working. Please do the needful.
> >>> *Question:*
> >>> How to pass this sni host name for creating SSLEngine?
> >>>
> >>> *Here is the new implementation changed as per new Mina 2.2.10 API:*
> >>> try {
> >>>     sslContext = javax.net.ssl.SSLContext.getDefault();
> >>>     SNIServerName sniHostName = new SNIHostName("eid.17.cid.0");
> >>>     List<SNIServerName> sniHostNames = new ArrayList<>();
> >>>     sniHostNames.add(sniHostName);
> >>>     SSLParameters sslParams = sslContext.getDefaultSSLParameters();
> >>>     sslParams.setServerNames(sniHostNames);
> >>>     sslFilter = new SslFilter(sslContext);
> >>>     //sslFilter.setUseClientMode(true); //This is not required in 2.2.1 hence commented.
> >>>     connector.getFilterChain().addFirst("sslFilter", sslFilter);
> >>> } catch (Exception e) {
> >>>     e.printStackTrace();
> >>>     LOG.error("Exception during creating SSL context..." + XError.getStackTrace(e));
> >>> }
> >>> connector.setHandler(ioHandler);
> >>>
> >>> Here is the Apache mina 2.0.21 with PEER_ADDRESS in SslHandler.java code:
> >>>
> >>> /* no qualifier */void init() throws SSLException {
> >>>     if (sslEngine != null) {
> >>>         // We already have a SSL engine created, no need to create a new one
> >>>         return;
> >>>     }
> >>>     if (LOGGER.isDebugEnabled()) {
> >>>         LOGGER.debug("{} Initializing the SSL Handler", sslFilter.getSessionInfo(session));
> >>>     }
> >>>     InetSocketAddress peer = (InetSocketAddress) session.getAttribute(SslFilter.PEER_ADDRESS);
> >>>     // Create the SSL engine here
> >>>     if (peer == null) {
> >>>         sslEngine = sslFilter.sslContext.createSSLEngine();
> >>>     } else {
> >>>         sslEngine = sslFilter.sslContext.createSSLEngine(peer.getHostName(), peer.getPort());
> >>>     }
> >>>     // Initialize the engine in client mode if necessary
> >>>     sslEngine.setUseClientMode(sslFilter.isUseClientMode());
> >>>
> >>>
> >>> Regards,
> >>> ------------------------------------------
> >>> M.V.S.Kishore
> >>> 91-9886412814
> >>>
> >>>
> >>> On Wed, 12 Apr 2023 at 23:08, Emmanuel Lécharny <elecha...@gmail.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> On 12/04/2023 18:00, Kishore Mokkarala wrote:
> >>>>> Thanks Emmanuel for the quick response. I have few more questions on the
> >>>>> upgrade. Please do the needful.
> >>>>> If I want to upgrade from Apache mina 2.0.21 to mina 2.2.1 what all steps
> >>>>> do I need to follow?
> >>>>
> >>>> There are two pages that explain the difference between 2.0 and 2.1, and
> >>>> 2.1 and 2.2:
> >>>> * https://mina.apache.org/mina-project/2.1-vs-2.0.html
> >>>> * https://mina.apache.org/mina-project/2.2-vs-2.1.html
> >>>>
> >>>> The 2.1 vs 2.0 difference is mainly about the way we detect a secured
> >>>> session. It's pretty trivial.
> >>>>
> >>>> The 2.2 vs 2.1 migration is a bit more complicated, *if* you were using
> >>>> startTLS.
> >>>>
> >>>> Otherwise, it's pretty straightforward.
> >>>>
> >>>> Also note that the SSL handler has been completely reworked in 2.2.
> >>>>
> >>>>> Is it just a jar file change in the classpath or do I need to do any more
> >>>>> changes?
> >>>>
> >>>> It should be just about changing the jar.
> >>>>
> >>>>
> >>>>> Also we are also using https for communication? In this case what all
> >>>>> changes are needed?
> >>>>
> >>>> Nothing, AFAICT.
> >>>>
> >>>>> I have seen there is a change the way we pass the SNI host name in 2.0.21
> >>>>> vs 2.2.1?
> >>>>
> >>>> Hmmm, not that I remember. Do you have any pointer?
> >>>>
> >>>>> First of all is it recommended to migrate from 2.0.21 to mina 2.2.1?
> >>>>
> >>>> Oh yes! Simply because the SSL rewrite was necessary, also because 2.2
> >>>> branch is clearly the one we maintain.
> >>>>
> >>>>> will the state machine work without doing any changes?
> >>>>
> >>>> It should not have changed.
> >>>>
> >>>> Hope it helps.
> >>>>
> >>>>>
> >>>>> Regards,
> >>>>> ------------------------------------------
> >>>>> M.V.S.Kishore
> >>>>>
> >>>>>
> >>>>> On Mon, 10 Apr 2023 at 18:42, Emmanuel Lécharny <elecha...@gmail.com> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> Mina 2.0 branch is pretty old (5 years) and we have made significant
> >>>>>> changes in the 2.1 and more important the 2.2 branches. You should
> >>>>>> seriously consider migrating to 2.2. That being said:
> >>>>>>
> >>>>>> - 40 seconds to do whatever that was taking a few milliseconds sounds
> >>>>>> like a major regression, aka bug.
> >>>>>> - If you weren't using the HTTP part of MINA, migrating to 2.0.23 makes
> >>>>>> little sense. The CVE only impacts the HTTP decoder. In other words, if
> >>>>>> it's working, don't break it...
> >>>>>> - We don't have enough context to tell you what could go wrong in your
> >>>>>> code. If you provide some piece of code we can run, we can investigate,
> >>>>>> otherwise it's like shouting in the dark... Typically, we have no clue
> >>>>>> about what the gpbMessageFilter does.
> >>>>>>
> >>>>>> On 10/04/2023 13:37, Kishore Mokkarala wrote:
> >>>>>>> Hi,
> >>>>>>> There was a security vulnerability in mina 2.0.21, so we were migrated
> >>>>>>> from apache mina 2.0.21 to 2.0.23, locally in the dev environment everything
> >>>>>>> looks good, but in production we are facing connection timeout issue with
> >>>>>>> the mina version 2.0.23.
> >>>>>>> For connection set up it was taking 10-20 milliseconds (less than a second)
> >>>>>>> with the old version (2.0.21).
> >>>>>>> With the new version even after 40 seconds connection was timed out.
> >>>>>>>
> >>>>>>> We use the same NioSocketConnector instance for opening 100
> >>>>>>> parallel connections.
> >>>>>>>
> >>>>>>> *Question:*
> >>>>>>> *My query is why it is taking more time more than 40 seconds for opening
> >>>>>>> the socket with the new version?*
> >>>>>>>
> >>>>>>> We are not using https communication.
> >>>>>>>
> >>>>>>> *Could you please suggest a work around.*
> >>>>>>>
> >>>>>>> What's happening in the below code is mina is time out after 40 seconds and
> >>>>>>> also IO session has been created using state machine in separate
> >>>>>>> threads, both are running in two parallel threads. This issue is not seen
> >>>>>>> with the mina 2.0.21 version.
> >>>>>>>
> >>>>>>> *Here is the code snippet.*
> >>>>>>>
> >>>>>>> private static final ExecutorFilter executorFilter = new ExecutorFilter(16,32);
> >>>>>>>
> >>>>>>> StateMachine stateMachine = StateMachineFactory.getInstance(IoHandlerTransition.class).create(
> >>>>>>>         G10MinaClient.CONNECTED, new G10MinaClient(processor));
> >>>>>>>
> >>>>>>> IoHandler ioHandler = new StateMachineProxyBuilder().setStateContextLookup(
> >>>>>>>         new IoSessionStateContextLookup(new StateContextFactory() {
> >>>>>>>             @Override
> >>>>>>>             public StateContext create() {
> >>>>>>>                 final G10StateContext stateContext = new G10StateContext();
> >>>>>>>                 stateContext.setStartedTime(new Date());
> >>>>>>>                 return stateContext;
> >>>>>>>             }
> >>>>>>>         })).create(IoHandler.class, stateMachine);
> >>>>>>>
> >>>>>>> NioSocketConnector connector = new NioSocketConnector();
> >>>>>>> connector.getFilterChain().addLast("LoggingFilter", G10CaptureService.loggingFilter);
> >>>>>>> connector.getFilterChain().addLast("codecFilter", G10CaptureService.probeCodecFilter);
> >>>>>>> connector.getFilterChain().addLast("executorFilter", G10CaptureService.executorFilter);
> >>>>>>> connector.getFilterChain().addLast("gpbMessageFilter", G10CaptureService.gpbMessageFilter);
> >>>>>>> connector.getFilterChain().addLast("keepAliveFilter", G10CaptureService.keepAliveFilter);
> >>>>>>> connector.setHandler(ioHandler);
> >>>>>>> ConnectFuture primaryConnectFuture = connector.connect(primaryAddress, initializer);
> >>>>>>> if (!primaryConnectFuture.awaitUninterruptibly(MINA_CLOSE_TIMEOUT))
> >>>>>>> //MINA_CLOSE_TIMEOUT is 40 seconds
> >>>>>>> {
> >>>>>>>
> >>>>>>>     if (handleIOException(searchExpression, captureHandler)) {
> >>>>>>>         return;
> >>>>>>>     }
> >>>>>>>     LOG.info("{} Apache mina connection setup time out happend.",
> >>>>>>>     handleConnectionFailed(primaryAddress, captureHandler,
> >>>>>>>             "Primary IP connection timeout");
> >>>>>>>     return;
> >>>>>>> }
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> M.V.S.Kishore
> >>>>>>> 91-9886412814
> >>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> >>>>>> T. +33 (0)4 89 97 36 50
> >>>>>> P. +33 (0)6 08 33 32 61
> >>>>>> emmanuel.lecha...@busit.com https://www.busit.com/
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: users-unsubscr...@mina.apache.org
> >>>>>> For additional commands, e-mail: users-h...@mina.apache.org
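
The SNI question this thread turns on, as an added example that is not part of the original messages or of MINA's code: plain JSSE with no MINA classes, showing that server names have to be set on each SSLEngine (which is what a createEngine override gives you) rather than on the copy returned by SSLContext.getDefaultSSLParameters(). The class and helper names are hypothetical, example.com and 8443 are the sample values used in the thread, and turning on HTTPS endpoint identification is an addition the thread does not discuss.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Collections;

public class SniEngineExample {

    // Hypothetical helper: its body is what a createEngine(...) override could run.
    static SSLEngine clientEngineFor(SSLContext ctx, String sniHost, int port) {
        // Host and port given here are hints recorded on the engine, not a connection target.
        SSLEngine engine = ctx.createSSLEngine(sniHost, port);
        engine.setUseClientMode(true);

        // Read the engine's own parameters, change them, and write them back.
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(Collections.singletonList(new SNIHostName(sniHost)));
        // Not set by default on an SSLEngine: check the certificate's host name in the handshake.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Pattern from the non-working attempt in the thread: getDefaultSSLParameters()
        // returns a copy, so this change never reaches an engine created afterwards.
        SSLParameters detached = ctx.getDefaultSSLParameters();
        detached.setServerNames(Collections.singletonList(new SNIHostName("example.com")));
        SSLEngine untouched = ctx.createSSLEngine();
        untouched.setUseClientMode(true);
        System.out.println("context-copy attempt -> engine SNI: "
                + untouched.getSSLParameters().getServerNames());

        // Per-engine setup: the names are read back from the engine that will handshake.
        SSLEngine engine = clientEngineFor(ctx, "example.com", 8443);
        SSLParameters applied = engine.getSSLParameters();
        System.out.println("per-engine setup     -> engine SNI: " + applied.getServerNames());
        System.out.println("peer host hint: " + engine.getPeerHost() + ":" + engine.getPeerPort());
        System.out.println("endpoint identification: "
                + applied.getEndpointIdentificationAlgorithm());
    }
}
```

When the SNI name differs from the address actually dialled, as it does in this thread, the certificate presented by the server has to match the SNI name for the endpoint identification check to pass.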