Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10483

HTTP2 via JSSE and wildfly ALPN hack ssl engine is broken on Solaris 11

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Verified (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 7.1.0.DR16
    • Fix Version/s: 7.1.0.GA
    • Component/s: Web (Undertow)
    • Environment:
    • Target Release:
    • Steps to Reproduce:
      Hide
      1. unzip EAP and start ./standalone.sh
      2. perform https request using HTTP2 protocol: 

        curl -v -k https://localhost:8443 >/dev/null --http2

      Show
      unzip EAP and start ./standalone.sh perform https request using HTTP2 protocol: curl -v -k https://localhost:8443 >/dev/null --http2
    • Affects:
      Documentation (Ref Guide, User Guide, etc.), Release Notes

      Description

      HTTP2 support on Solaris 11 via our ALPN hack engine seems to be broken, see:

      curl cmd and output

      		 
      $ curl -v -k https://localhost:8443 >/dev/null --http2
      		 
      * Rebuilt URL to: https://localhost:8888/
      		 
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
      		 
                                       Dload  Upload   Total   Spent    Left  Speed
      		 
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
      		 
      * TCP_NODELAY set
      		 
      * Connected to localhost (127.0.0.1) port 8888 (#0)
      		 
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      		 
      * skipping SSL peer certificate verification
      		 
      * ALPN, server accepted to use h2
      		 
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      		 
      * Server certificate:
      		 
      * 	subject: CN=localhost
      		 
      * 	start date: Apr 21 07:46:04 2017 GMT
      		 
      * 	expire date: Apr 19 07:46:04 2027 GMT
      		 
      * 	common name: localhost
      		 
      * 	issuer: CN=localhost
      		 
      * Using HTTP2, server supports multi-use
      		 
      * Connection state changed (HTTP/2 confirmed)
      		 
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      		 
      * Using Stream ID: 1 (easy handle 0x55d98b073d80)
      		 
      > GET / HTTP/1.1
      		 
      > Host: localhost:8888
      		 
      > User-Agent: curl/7.51.0
      		 
      > Accept: */*
      		 
      > 
      * Unexpected EOF
      		 
      * Curl_http_done: called premature == 1
      		 
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      		 
      * Closing connection 0
      		 
      curl: (56) Unexpected EOF

      in the server.log, I can see following exception:

      server.log

      		 
      05:20:08,565 ERROR [org.xnio.listener] (default I/O-5) XNIO001007: A channel event listener threw an exception: java.security.ProviderException: Could not determine buffer size
      		 
              at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
      		 
              at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
      		 
              at javax.crypto.Cipher.doFinal(Cipher.java:2460)
      		 
              at sun.security.ssl.CipherBox.decrypt(CipherBox.java:535)
      		 
              at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
      		 
              at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
      		 
              at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
      		 
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      		 
              at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
      		 
              at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:137)
      		 
              at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:730)
      		 
              at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
      		 
              at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:202)
      		 
              at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
      		 
              at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:368)
      		 
              at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:106)
      		 
              at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:57)
      		 
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      		 
              at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:931)
      		 
              at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:912)
      		 
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      		 
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      		 
              at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1129)
      		 
              at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:168)
      		 
              at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:590)
      		 
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:470)
      		 
      Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 11 bytes long. Got: 2
      		 
              at com.oracle.security.ucrypto.NativeGCMCipher.engineUpdate(NativeGCMCipher.java:293)
      		 
              at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:828)
      		 
              ... 25 more

      When I use --http1.1 instead, then there is no problem (well, obviously because ALPN is not utilized). Also I don't see similar problem on any other platform even not on Solaris 10.

        Gliffy Diagrams

          Attachments

            Issue Links

            is blocked by

            Enhancement - An enhancement or refactoring of existing functionality WFCORE-2723 Add abililty to remove providers

            • Major - A request that should be considered seriously but is not a show stopper.
            • Resolved
            is incorporated by

            Component Upgrade - A task tracking an update to a bundled component JBEAP-10845 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta23

            • Major - A request that should be considered seriously but is not a show stopper.
            • Verified
            is related to

            Bug - A problem which impairs or prevents the functions of the product. JBEAP-11343 AuditLogToTLSSyslogTestCase stuck on Solaris 10 servers

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • New

            Bug - A problem which impairs or prevents the functions of the product. JBEAP-11402 LDAP tests fails on Solaris 10 machines

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • New

              Activity

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  jstourac Jan Stourac
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  8 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: