[2.5 backport] Fix TLS 1.3 issues on JDKs which support it #29121 #29148

Merged
merged 3 commits into from
May 29, 2020

Conversation

jrudolph
Member

For simplicity, I backported all of the latest version of TlsSpec and not just the changes from #29121.

Session renegotiation tests are disabled because TLS 1.3 does not
support renegotiation any more.

(cherry picked from commit e524a0d)

I mostly copied over the newest version of TlsSpec from master without
doing a proper conflict resolution that does minimal things. Hopefully,
we have only picked up some more recent fixes and not some unwanted
stuff.
Refs akka#29110

TLSActor could get caught in a spin-loop on connection termination
because there was an implicit assumption that when inbound is closed
(peer has sent `close_notify`), this SSLEngine would also automatically
send a `close_notify` and close the connection.

Therefore, it would stay in `flushOutbound` pumping in a loop.

This is not true anymore with TLS 1.3, more accurately it can be
configured using `-Djdk.tls.acknowledgeCloseNotify` which is `false` by
default leading to half-open connections.

The solution is to not support half-open TLS connections for now and
consider a connection closed as soon as `isInboundClosed` and there's no
outstanding data.

(To support half-open connections, this fix would have to be reverted
and `flushOutbound` fixed accordingly.)

(cherry picked from commit 9beb88f)
…tanding data

Refs akka#29111

This seems only to happen with TLS 1.3. In that case, remaining data in
`transportInBuffer` was left there instead of putting it back onto the
chopping block.

Then `doWrap` was run but `doUnwrap` was never called again because only
the chopping block was checked for outstanding data but not the buffer.

(cherry picked from commit 87c5844)
@jrudolph jrudolph added this to the 2.5.32 milestone May 28, 2020
@akka-ci akka-ci added the tested PR that was successfully built and tested by Jenkins label May 28, 2020
@akka-ci

akka-ci commented May 28, 2020

Test PASSed.

Member

@ennru ennru left a comment

LGTM.

Labels
backport t:stream tested PR that was successfully built and tested by Jenkins