Blocking call during SSL handshake in WebFlux/ReactorNetty TcpServer #42

Closed
philsttr opened this issue Jul 24, 2019 · 8 comments
Labels
type/question Further information is requested


@philsttr
Contributor

I enabled BlockHound on a Spring Boot 2.1.6, WebFlux, Reactor Netty server that I want to run integration tests against. Unfortunately, I immediately ran into the blocking call below when connecting to it over SSL.

I honestly don't think there's anything that can be done to prevent that blocking call. (or is there?)

So, I need to configure a BlockHoundIntegration that allows this call. It seems like this would be a fairly frequently encountered use case, so it would be nice if the integration was automatically provided/discovered. Where should the integration be provided? BlockHound, reactor-netty? webflux? And which method would you recommend whitelisting?

2019-07-24 21:32:54.746 ERROR 96 --- [or-http-epoll-1] reactor.netty.tcp.TcpServer              : [id: 0xa2f9aafe, L:/127.0.0.1:46174 ! R:/127.0.0.1:34664] onUncaughtException(SimpleConnection{channel=[id: 0xa2f9aafe, L:/127.0.0.1:46174 ! R:/127.0.0.1:34664]})

java.lang.Error: Blocking call! java.io.FileInputStream#readBytes
	at reactor.blockhound.BlockHound$Builder.lambda$new$0(BlockHound.java:159)
	at reactor.blockhound.BlockHound$Builder.lambda$install$8(BlockHound.java:259)
	at reactor.blockhound.BlockHoundRuntime.checkBlocking(BlockHoundRuntime.java:43)
	at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
	at java.base/java.io.FileInputStream.read(FileInputStream.java:279)
	at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
	at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
	at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
	at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
	at java.base/sun.security.provider.NativePRNG.engineNextBytes(NativePRNG.java:220)
	at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
	at java.base/sun.security.ssl.RandomCookie.<init>(RandomCookie.java:67)
	at java.base/sun.security.ssl.SessionId.<init>(SessionId.java:45)
	at java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:166)
	at java.base/sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:281)
	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
	at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1101)
	at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
	at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:810)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502)
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.base/java.lang.Thread.run(Thread.java:834)

@philsttr
Contributor Author

Here's the integration I created to work around the above error (and another one in netty) for now...

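import reactor.blockhound.BlockHound;
import reactor.blockhound.integration.BlockHoundIntegration;

class NettyBlockHoundIntegration implements BlockHoundIntegration {

	@Override
	public void applyTo(BlockHound.Builder builder) {
		// Allow the SecureRandom read made while the JDK consumes a TLS handshake message
		builder.allowBlockingCallsInside("sun.security.ssl.SSLHandshake", "consume")
				// Allow the other blocking call hit inside Netty
				.allowBlockingCallsInside("io.netty.util.concurrent.GlobalEventExecutor", "addTask");
	}
}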

Would still like to get this integration or something similar available "by default".

@bsideup
Contributor

bsideup commented Jul 25, 2019

Hi @philsttr!

I submitted reactor/reactor-netty#750 some time ago.

I know that @violetagg did some fixes already. Perhaps we can continue the discussion there? We could whitelist them in reactor-netty's BlockHound integration if we decide to whitelist.

@bsideup bsideup added the type/question Further information is requested label Jul 25, 2019
@violetagg
Member

👍 We already have an initial integration in Reactor Netty 0.9.0.M2.

@philsttr
Contributor Author

Awesome!

Although, I didn't see an allowBlockingCallsInside that will allow the blocking call from the stacktrace in this issue description. Should I file an issue with reactor-netty?

@bsideup
Contributor

bsideup commented Jul 25, 2019

I would say that it should be fixed. See this issue for a good investigation on the topic:
apache/openwhisk#2747

@urferr

urferr commented Nov 21, 2019

Hi,
I am using reactor-netty 0.9.1 and still get a blocking exception when calling another REST service using SSL:

Stack trace:
at reactor.blockhound.BlockHound$Builder.lambda$new$0(BlockHound.java:196)
at reactor.blockhound.BlockHound$Builder.lambda$install$6(BlockHound.java:318)
at reactor.blockhound.BlockHoundRuntime.checkBlocking(BlockHoundRuntime.java:46)
at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
at java.base/java.io.FileInputStream.read(FileInputStream.java:279)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
at java.base/sun.security.provider.NativePRNG.engineNextBytes(NativePRNG.java:220)
at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
at java.base/sun.security.ssl.RandomCookie.<init>(RandomCookie.java:67)
at java.base/sun.security.ssl.ClientHello$ClientHelloMessage.<init>(ClientHello.java:93)
at java.base/sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:639)
at java.base/sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at java.base/sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:104)
at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:228)
at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:1987)
at io.netty.handler.ssl.SslHandler.startHandshakeProcessing(SslHandler.java:1906)
at io.netty.handler.ssl.SslHandler.channelActive(SslHandler.java:2042)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:225)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:211)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:204)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:225)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:211)
at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:907)
at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305)
at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:688)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:635)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:552)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514)
at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1050)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)

@bsideup
Contributor

bsideup commented Nov 21, 2019

I believe this should be reported as an issue in reactor-netty:
https://github.com/reactor/reactor-netty/issues/new/choose

@philsttr
Contributor Author

philsttr commented Dec 19, 2019

@urferr reported this as reactor/reactor-netty#906
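
An added example, not code from this thread or from the BlockHound or reactor-netty projects: an integration that allows the SecureRandom read on both handshake paths shown in the stack traces above (server-side `SSLHandshake.consume`, client-side `SSLHandshake.kickstart`) and reports the JVM's default SecureRandom. The class name `TlsHandshakeBlockHoundIntegration` and the helper `describeDefaultSecureRandom` are hypothetical.

```java
import java.security.SecureRandom;
import java.security.Security;

import reactor.blockhound.BlockHound;
import reactor.blockhound.integration.BlockHoundIntegration;

/**
 * Added example (hypothetical class name). For automatic discovery, list this
 * class's fully qualified name in
 * META-INF/services/reactor.blockhound.integration.BlockHoundIntegration
 */
public class TlsHandshakeBlockHoundIntegration implements BlockHoundIntegration {

	@Override
	public void applyTo(BlockHound.Builder builder) {
		// Server side (first trace): the ClientHello is consumed on the event loop
		// and producing the ServerHello draws random bytes from NativePRNG.
		builder.allowBlockingCallsInside("sun.security.ssl.SSLHandshake", "consume")
				// Client side (second trace): SslHandler.channelActive starts the
				// handshake and the ClientHello random is drawn the same way.
				.allowBlockingCallsInside("sun.security.ssl.SSLHandshake", "kickstart");
	}

	/** Reports the JVM's default SecureRandom and the configured entropy source. */
	static String describeDefaultSecureRandom() {
		SecureRandom random = new SecureRandom();
		return random.getAlgorithm()
				+ " from provider " + random.getProvider().getName()
				+ ", securerandom.source=" + Security.getProperty("securerandom.source");
	}

	public static void main(String[] args) {
		// "NativePRNG" here matches the NativePRNG$RandomIO frames in the traces,
		// i.e. a FileInputStream read of the random device.
		System.out.println(describeDefaultSecureRandom());

		// install() loads integrations registered through ServiceLoader and then
		// applies any passed explicitly, which is convenient in a test.
		BlockHound.install(new TlsHandshakeBlockHoundIntegration());
	}
}
```

Both allowances are scoped to JDK handshake frames rather than to `SecureRandom` itself, so a blocking random read made from application code on an event-loop thread is still reported.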
