javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify #531
Comments
|
You're not missing something. The What is the purpose of the |
|
Hello Benoit,
Yes, I have the same issue.
Without this class loader I can't catch server exception NotValidArgument
on client side. Each bundle has it's own class loader, so Ice runtime can't
unmarshal this exception. I was guided by
https://doc.zeroc.com/ice/3.7/language-mappings/java-mapping/custom-class-loaders
.
…On Tue, Sep 17, 2019 at 4:37 PM Benoit Foucher ***@***.***> wrote:
You're not missing something. The SSLException exception raised by
closeInbound should be catch by the catch(SSLException ex) block and the
fact that it is not catch indicates some sort of class loader issue. The
exception raised by the SSL layer was most likely loaded with a different
class loader.
What is the purpose of the IceRuntimeClassLoader in your client code? Do
you have the same issue if you don't set it?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4D4EWWRPAQHR2L2YCP3QKDMQNA5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD64RR7Y#issuecomment-532224255>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4DZ7LXWLBY3YVURFLLTQKDMQNANCNFSM4IXHB26A>
.
|
|
Ok I see, you have to use the OSGi bundle class loader. Note that I don't think you need to check for Regarding the |
|
I'm sorry but in OSGi I can ask only class loader of current bundle. I
can't ask SSLException.class.getClassLoader(). It will be null.
I can
try
{
_engine.closeInbound();
}
catch(SSLException ex)
{
//
// SSLEngine always raises an exception with this message:
//
// Inbound closed before receiving peer's close_notify:
possible truncation attack?
//
// We would probably need to wait for a response in
shutdown() to avoid this.
// For now, we'll ignore this exception.
//
//_instance.logger().error("IceSSL: error during close\n" +
ex.getMessage());
System.err.println(FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().getName()
+ ": " +
FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().toString());
}
catch(Exception ex)
{
System.err.println(FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().getName()
+ ": " +
FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().toString());
}
This code doesn't catch anything in the block
catch(Exception ex)
{
System.err.println(FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().getName()
+ ": " +
FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().toString());
}
Output from
catch(SSLException ex)
{
//
// SSLEngine always raises an exception with this message:
//
// Inbound closed before receiving peer's close_notify:
possible truncation attack?
//
// We would probably need to wait for a response in
shutdown() to avoid this.
// For now, we'll ignore this exception.
//
//_instance.logger().error("IceSSL: error during close\n" +
ex.getMessage());
System.err.println(FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().getName()
+ ": " +
FrameworkUtil.getBundle(getClass()).getClass().getClassLoader().toString());
}
is: null: aQute.launcher.pre.EmbeddedLauncher$Loader@4f023edb
…On Tue, Sep 17, 2019 at 7:49 PM Benoit Foucher ***@***.***> wrote:
Ok I see, you have to use the OSGi bundle class loader. Note that I don't
think you need to check for Ice.Default.Package however... your class
loader should just call bundle.loadClass(name) without worrying about the
default package.
Regarding the SSLException, you need to figure out why the exception
isn't caught. My suggestion would be to change the Ice code to print out
the class loader names for the raised exception and for the SSLException
class. See the code below. I'm hopping this will give us some clues on the
class loaders used for SSLException.
try
{
_engine.closeInbound();
}
catch(SSLException ex)
{
//
// SSLEngine always raises an exception with this message:
//
// Inbound closed before receiving peer's close_notify: possible truncation attack?
//
// We would probably need to wait for a response in shutdown() to avoid this.
// For now, we'll ignore this exception.
//
//_instance.logger().error("IceSSL: error during close\n" + ex.getMessage());
}
catch(Exception ex)
{
System.err.println(ex.getClass().getClassLoader().getClass().getName() + ": " + ex.getClass().getClassLoader().toString());
System.err.println(SSLException.class.getClassLoader().getClass().getName() + ": " + SSLException.class.getClassLoader().toString());
}
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4DYANCILUBQE2Y74BADQKEDANA5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD65FI7Q#issuecomment-532305022>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4DZVMHDPUXVM7PPQ7WTQKEDANANCNFSM4IXHB26A>
.
|
I'm will be surprised that this doesn't work it will break lot of code, did you actually test it? |
|
Yes.
…On Tue, Sep 17, 2019 at 10:10 PM Jose ***@***.***> wrote:
I can't ask SSLException.class.getClassLoader(). It will be null.
I'm will be surprised that this doesn't work it will break lot of code,
did you actually test it?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4DZXSFKMNCDQEFEFYMTQKETR7A5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD65SYJA#issuecomment-532360228>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4D4WZ3EJNAIFLI5NBRTQKETR7ANCNFSM4IXHB26A>
.
|
|
It would be very good if you solve this problem. ZeroC is excellent
framework.
Maybe this will help
https://blog.osgi.org/2011/05/what-you-should-know-about-class.html
On Tue, Sep 17, 2019 at 10:25 PM Andrei Kabanov <akabanov57@gmail.com>
wrote:
… Yes.
On Tue, Sep 17, 2019 at 10:10 PM Jose ***@***.***> wrote:
> I can't ask SSLException.class.getClassLoader(). It will be null.
>
> I'm will be surprised that this doesn't work it will break lot of code,
> did you actually test it?
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#531?email_source=notifications&email_token=ALHP4DZXSFKMNCDQEFEFYMTQKETR7A5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD65SYJA#issuecomment-532360228>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ALHP4D4WZ3EJNAIFLI5NBRTQKETR7ANCNFSM4IXHB26A>
> .
>
|
|
He the root of the problem seems to be that Maybe you need to import |
|
Yes. It is there. javax.net.ssl and javax.security.auth.x500 were imported.
…On Tue, Sep 17, 2019 at 11:32 PM Jose ***@***.***> wrote:
He the root of the problem seems to be that javax.net.ssl.SSLException
ends up being loaded from different class loaders, Ice doesn't have any
control of how this class is loaded inside the OSGI container. I will
expect javax.net.ssl.* will be always load from the system.
Maybe you need to import javax.net.ssl in your bundle MANIFEST?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4D3E4UGL2RX5GYRUVL3QKE5F7A5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD65Z7MA#issuecomment-532389808>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4D72FOQOD5ET73JPTT3QKE5F7ANCNFSM4IXHB26A>
.
|
|
This is my MANIFEST.MF
Manifest-Version: 1.0
Automatic-Module-Name: com.zeroc.ice
Bnd-LastModified: 1568748696116
Bundle-ContactAddress: akabanov57@gmail.com
Bundle-Description: Internet Communication Engine
Bundle-DocURL: www.zeroc.com
Bundle-License: https://github.com/zeroc-ice/ice/blob/3.7/ICE_LICENSE
Bundle-ManifestVersion: 2
Bundle-Name: ZeroC ICE
Bundle-SymbolicName: com.zeroc.ice
Bundle-Vendor: Andrei Kabanov
Bundle-Version: 3.7.3
Created-By: 12.0.2 (Oracle Corporation)
Export-Package: com.zeroc.Ice;version="3.7.3";uses:="com.zeroc.Ice.Ins
trumentation,com.zeroc.IceInternal",com.zeroc.Ice.Instrumentation;ver
sion="3.7.3";uses:="com.zeroc.Ice",com.zeroc.IceInternal;version="3.7
.3";uses:="com.zeroc.Ice,com.zeroc.Ice.Instrumentation,com.zeroc.IceM
X,com.zeroc.IceUtilInternal",com.zeroc.IceUtilInternal;version="3.7.3
";uses:="com.zeroc.Ice",com.zeroc.IceMX;version="3.7.3";uses:="com.ze
roc.Ice,com.zeroc.Ice.Instrumentation,com.zeroc.IceInternal,com.zeroc
.IceUtilInternal"
Import-Package: com.zeroc.Ice;version="[3.7,4)",com.zeroc.Ice.Instrume
ntation;version="[3.7,4)",com.zeroc.IceInternal;version="[3.7,4)",com
.zeroc.IceMX;version="[3.7,4)",com.zeroc.IceUtilInternal;version="[3.
7,4)",javax.net.ssl,javax.security.auth.x500,org.osgi.framework;versi
on="[1.9,2)"
Private-Package: com.zeroc.IceSSL
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=12))"
Tool: Bnd-4.4.0.201909161416-SNAPSHOT
On Tue, Sep 17, 2019 at 11:37 PM Andrei Kabanov <akabanov57@gmail.com>
wrote:
… Yes. It is there. javax.net.ssl and javax.security.auth.x500 were imported.
On Tue, Sep 17, 2019 at 11:32 PM Jose ***@***.***> wrote:
> He the root of the problem seems to be that javax.net.ssl.SSLException
> ends up being loaded from different class loaders, Ice doesn't have any
> control of how this class is loaded inside the OSGI container. I will
> expect javax.net.ssl.* will be always load from the system.
>
> Maybe you need to import javax.net.ssl in your bundle MANIFEST?
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#531?email_source=notifications&email_token=ALHP4D3E4UGL2RX5GYRUVL3QKE5F7A5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD65Z7MA#issuecomment-532389808>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ALHP4D72FOQOD5ET73JPTT3QKE5F7ANCNFSM4IXHB26A>
> .
>
|
|
shouldn't Keep in mind that the class loader set during Ice initilialization will be used by Ice to load plug-ins too, so in this case |
|
I exported the com.zeroc.IceSSL package, and removed my class loader. But
SSLException still there. When I stop client exception is on server side
and vice versa when I stop server exception is on client side.
…On Tue, Sep 17, 2019 at 11:55 PM Jose ***@***.***> wrote:
shouldn't Private-Package: com.zeroc.IceSSL be just a normal
import/export-package? I'm not very familiar with OSGI and it is not clear
to me why javax.net.ssl.SSLException is loaded from two different class
loaders.
Keep in mind that the class loader set during Ice initilialization will be
used by Ice to load plug-ins too, so in this case IceSSL plug-in will be
load using your custom class loader.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4DYMRCXABUWSBRYK3ULQKE737A5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD654BTY#issuecomment-532398287>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4D6FYEK4HFWYITFLXALQKE737ANCNFSM4IXHB26A>
.
|
|
I haven't been able to reproduce the problem using your test case. I used the latest Eclipse and OpenJDK 12 on macOS. Here's a patch with my project modifications to get things to run: patch.txt. I verified using a breakpoint with the debugger that the exception was caught when I terminate either the client or service. Did you try to catch the exception in the debugger by adding a |
|
Open bndtools perspective in Eclipse.
Go to org.home.hello.run project. There are 3 file with bndrun extension.
Open remote.hello.service.bndrun.
Click resolve, if OK, click run osgi.
Open remote.hello.client.bndrun.
Click resolve, if OK click run osgi.
Now you can see two Eclipse console. One for service, one for client.
Select for client.
Type lb
You will see something like this:
g! lb
START LEVEL 1
ID|State |Level|Name
0|Active | 0|System Bundle (6.0.3)|6.0.3
1|Active | 1|ZeroC ICE (3.7.3)|3.7.3
2|Active | 1|Apache Felix Configuration Admin Service
(1.9.16)|1.9.16
3|Active | 1|Apache Felix File Install (3.6.4)|3.6.4
4|Active | 1|Apache Felix Gogo Command (1.1.0)|1.1.0
5|Active | 1|Apache Felix Gogo Runtime (1.1.2)|1.1.2
6|Active | 1|Apache Felix Gogo Shell (1.1.2)|1.1.2
7|Active | 1|Apache Felix Declarative Services (2.1.16)|2.1.16
8|Active | 1|Demo Hello API (1.0.0)|1.0.0
9|Active | 1|Hello Client (1.0.0)|1.0.0
10|Active | 1|ICE API (1.0.0)|1.0.0
11|Resolved | 1|Remote Hello Client (1.0.0)|1.0.0
12|Active | 1|org.osgi:org.osgi.util.function
(1.1.0.201802012106)|1.1.0.201802012106
13|Active | 1|org.osgi:org.osgi.util.promise
(1.1.1.201810101357)|1.1.1.201810101357
14|Active | 1|OPS4J Pax Logging - API (1.11.0)|1.11.0
15|Active | 1|OPS4J Pax Logging - Log4Jv1 implementation
(1.11.0)|1.11.0
Find bundle with name Remote Hello Client. In my case it has number 11.
Type "stop bundle_number" (stop 11)
Now open service console.
You will see
"throwable" : {
javax.net.ssl.SSLException: closing inbound before receiving peer's
close_notify
Similar bug https://bugs.openjdk.java.net/browse/JDK-8215102
…On Wed, Sep 18, 2019 at 5:30 PM Benoit Foucher ***@***.***> wrote:
I haven't been able to reproduce the problem using your test case. I used
the latest Eclipse and OpenJDK 12 on macOS. Here's a patch with my project
modifications to get things to run: patch.txt
<https://github.com/zeroc-ice/ice/files/3626916/patch.txt>. I verified
using a breakpoint with the debugger that the exception was caught when I
terminate either the client or service.
Did you try to catch the exception in the debugger by adding a
catch(Exception) handler in close?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4D5BLBQQBA3PCIH2MF3QKI3RDA5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7AIQFY#issuecomment-532711447>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4D7VRD6GD22RJYGVUC3QKI3RDANCNFSM4IXHB26A>
.
|
|
Why are you concerned by the fact that SSL is raising this exception? The SSL debug tracing indeed shows this exception but as far as I can tell it's correctly caught and handled by Ice (it's ignored). We thought the problem was that the exception wasn't caught by the IceSSL code. After running your test case, following your steps, I can confirm I see the exception in the SSL debug output and that the exception is caught and ignored so it shouldn't be a concern to you. In any case we'll consider removing this call since it likely fails most of the time and it's not very useful since the socket is closed shortly after. |
|
OK.
Thank you.
I hope not in vain took your time.
…On Wed, Sep 18, 2019 at 6:27 PM Benoit Foucher ***@***.***> wrote:
Why are you concerned by the fact that SSL is raising this exception? The
SSL debug tracing indeed shows this exception but as far as I can tell it's
correctly caught and handled by Ice (it's ignored).
We thought the problem was that the exception wasn't caught by the IceSSL
code. After running your test case, following your steps, I can confirm I
see the exception in the SSL debug output and that the exception is caught
and ignored so it shouldn't be a concern to you.
In any case we'll consider removing this call since it likely fails most
of the time and it's not very useful since the socket is closed shortly
after.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#531?email_source=notifications&email_token=ALHP4D3LLNCZYDJRYEZVJTDQKJCFRA5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7AO2JA#issuecomment-532737316>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ALHP4D246DB4VIT65MJQ65DQKJCFRANCNFSM4IXHB26A>
.
|
|
I'll take some more of your time.
Maybe you consider OSGi support? IceGrid, IceStorm fit very well in OSGi
component model.
…On Wed, Sep 18, 2019 at 6:36 PM Andrei Kabanov ***@***.***> wrote:
OK.
Thank you.
I hope not in vain took your time.
On Wed, Sep 18, 2019 at 6:27 PM Benoit Foucher ***@***.***>
wrote:
> Why are you concerned by the fact that SSL is raising this exception? The
> SSL debug tracing indeed shows this exception but as far as I can tell it's
> correctly caught and handled by Ice (it's ignored).
>
> We thought the problem was that the exception wasn't caught by the IceSSL
> code. After running your test case, following your steps, I can confirm I
> see the exception in the SSL debug output and that the exception is caught
> and ignored so it shouldn't be a concern to you.
>
> In any case we'll consider removing this call since it likely fails most
> of the time and it's not very useful since the socket is closed shortly
> after.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#531?email_source=notifications&email_token=ALHP4D3LLNCZYDJRYEZVJTDQKJCFRA5CNFSM4IXHB26KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7AO2JA#issuecomment-532737316>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ALHP4D246DB4VIT65MJQ65DQKJCFRANCNFSM4IXHB26A>
> .
>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I try to use Ice with ssl support in OSGi container. I use OpenJDK 12.0.2, Apache Felix, Ice for java.
When I stop server on client side I get an exception:
and vice versa when I stop client on server side I get the same exception.
If we look at line 147 in the TrancieverI.java file, we will see the following code:
In the comments to the SSLEngine.closeInbound() we can read:
"If the application initiated the closing process by calling SSLEngine.closeOutbound(), under some circumstances it is not required that the initiator wait for the peer's corresponding close message. In such cases, this method need not be called."On line 113 of the TrancieverI.java file we find this call (_engine.closeOutbound()).When I commented out the code above, my server and client began to work without exception.
If you need more detail you can see my project https://github.com/akabanov57/zeroc-ice-osgi
Is this a bug or am I missing something?
Thank you.
The text was updated successfully, but these errors were encountered: