OpenSslEngine fails the TLSv1.3 handshake in some configurations #13073
Milestone
Comments
|
The reproducer: |
|
Checking |
|
Alright ... I found the problem but I need to investigate why this happens in the first place. Stay tuned... |
This was referenced Jan 3, 2023
normanmaurer
added a commit
that referenced
this issue
Jan 4, 2023
…e SSL implementation Motivation: We didnt return the maximum size of SSL packet and tried to calculate it. This didnt work as SSL_max_seal_overhead(...) can only be used to calculate the maximum overhead for when encrypting ourself (and not the remote peer). Because of this we sometimes returned a smaller number then what is possible. This had the affect that when users did use getPacketSize() to size the ByteBuffer we could end up in a situation that would never produce a bug enough ByteBuffer and so never finish the handshake. This issue only accoured when users use the SSLEngine directly. When using our SslHandler we were not affected by this as we use a different approach there. Modifications: - Upgrade netty-tcnative to be able to reuse the the defined constant - Add unit test that did loop forever before this change Result: Fixes #13073
normanmaurer
added a commit
that referenced
this issue
Jan 9, 2023
…ve SSL implementation (#13095) Motivation: We didnt return the maximum size of SSL packet and tried to calculate it. This didnt work as SSL_max_seal_overhead(...) can only be used to calculate the maximum overhead for when encrypting ourself (and not the remote peer). Because of this we sometimes returned a smaller number then what is possible. This had the affect that when users did use getPacketSize() to size the ByteBuffer we could end up in a situation that would never produce a bug enough ByteBuffer and so never finish the handshake. This issue only accoured when users use the SSLEngine directly. When using our SslHandler we were not affected by this as we use a different approach there. Modifications: - Upgrade netty-tcnative to be able to reuse the the defined constant - Add unit test that did loop forever before this change Result: Fixes #13073
normanmaurer
added a commit
that referenced
this issue
Jan 9, 2023
…ve SSL implementation (#13095) Motivation: We didnt return the maximum size of SSL packet and tried to calculate it. This didnt work as SSL_max_seal_overhead(...) can only be used to calculate the maximum overhead for when encrypting ourself (and not the remote peer). Because of this we sometimes returned a smaller number then what is possible. This had the affect that when users did use getPacketSize() to size the ByteBuffer we could end up in a situation that would never produce a bug enough ByteBuffer and so never finish the handshake. This issue only accoured when users use the SSLEngine directly. When using our SslHandler we were not affected by this as we use a different approach there. Modifications: - Upgrade netty-tcnative to be able to reuse the the defined constant - Add unit test that did loop forever before this change Result: Fixes #13073
lhotari
added a commit
to lhotari/pulsar
that referenced
this issue
Feb 3, 2023
- Brings Netty Tcnative 2.0.56.Final - Also upgraded Netty's io_uring support to a compatible version Release notes: https://netty.io/news/2023/01/12/4-1-87-Final.html https://netty.io/news/2023/02/02/multiple_releases_incubator.html Some relevant Netty bug fixes: Improves compatibility with newer Linux distros: netty/netty#13112 TLS 1.3 handshake issue fix: netty/netty#13073 fixed by netty/netty#13095
4 tasks
lhotari
added a commit
to lhotari/bookkeeper
that referenced
this issue
Feb 3, 2023
- Brings Netty Tcnative 2.0.56.Final - Also upgraded Netty's io_uring support to a compatible version Release notes: https://netty.io/news/2023/01/12/4-1-87-Final.html https://netty.io/news/2023/02/02/multiple_releases_incubator.html Some relevant Netty bug fixes: Improves compatibility with newer Linux distros: netty/netty#13112 TLS 1.3 handshake issue fix: netty/netty#13073 fixed by netty/netty#13095
nicoloboschi
pushed a commit
to apache/bookkeeper
that referenced
this issue
Feb 10, 2023
- Brings Netty Tcnative 2.0.56.Final - Also upgraded Netty's io_uring support to a compatible version Release notes: https://netty.io/news/2023/01/12/4-1-87-Final.html https://netty.io/news/2023/02/02/multiple_releases_incubator.html Some relevant Netty bug fixes: Improves compatibility with newer Linux distros: netty/netty#13112 TLS 1.3 handshake issue fix: netty/netty#13073 fixed by netty/netty#13095
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected behavior
TLS handshake finishes successfully.
Actual behavior
OpenSSL / TLS 1.3 handshake fails to complete when mutual authentication is enabled, and the default
TrustManagerFactoryis used.With this configuration client's
SSLEnginereportsBUFFER_OVERFLOWfor theunwrap()operation andthe value of
SSLSession.getApllicationBufferSize()got increased.Even if we try to increase the application buffer size, there is a subsequent issue with the
BUFFER_UNDERFLOWfor thewrap()operation.Steps to reproduce
Minimal yet complete reproducer code (or URL to code)
https://github.com/kwart/test-app/tree/netty-tcnative-default-truststore-issue
Netty version
JVM version (e.g.
java -version)Tested with Java 8 and 11 (Azul Zulu).
OS version (e.g.
uname -a)Ubuntu 22.04, 5.15.0-56-generic, x86_64
The text was updated successfully, but these errors were encountered: