Loading...

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.1.0.GA
Affects Version/s: 7.1.0.DR16
Component/s: Undertow
Labels:
- eap7.1-risks-mitigation

Affects:

Documentation (Ref Guide, User Guide, etc.), Release Notes
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.2.0.GA
Steps to Reproduce:
Hide

unzip EAP and start ./standalone.sh

perform https request using HTTP2 protocol:

curl -v -k https://localhost:8443 >/dev/null --http2
Show
unzip EAP and start ./standalone.sh perform https request using HTTP2 protocol: curl -v -k https: //localhost:8443 >/dev/ null --http2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

HTTP2 support on Solaris 11 via our ALPN hack engine seems to be broken, see:

curl cmd and output

$ curl -v -k https://localhost:8443 >/dev/null --http2
* Rebuilt URL to: https://localhost:8888/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8888 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* ALPN, server accepted to use h2
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=localhost
* 	start date: Apr 21 07:46:04 2017 GMT
* 	expire date: Apr 19 07:46:04 2027 GMT
* 	common name: localhost
* 	issuer: CN=localhost
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d98b073d80)
> GET / HTTP/1.1
> Host: localhost:8888
> User-Agent: curl/7.51.0
> Accept: */*
> 
* Unexpected EOF
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (56) Unexpected EOF

in the server.log, I can see following exception:

server.log

05:20:08,565 ERROR [org.xnio.listener] (default I/O-5) XNIO001007: A channel event listener threw an exception: java.security.ProviderException: Could not determine buffer size
        at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
        at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
        at javax.crypto.Cipher.doFinal(Cipher.java:2460)
        at sun.security.ssl.CipherBox.decrypt(CipherBox.java:535)
        at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
        at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:137)
        at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:730)
        at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
        at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:202)
        at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
        at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:368)
        at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:106)
        at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:57)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:931)
        at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:912)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1129)
        at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:168)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:590)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:470)
Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 11 bytes long. Got: 2
        at com.oracle.security.ucrypto.NativeGCMCipher.engineUpdate(NativeGCMCipher.java:293)
        at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:828)
        ... 25 more

When I use --http1.1 instead, then there is no problem (well, obviously because ALPN is not utilized). Also I don't see similar problem on any other platform even not on Solaris 10.

is blocked by

WFCORE-2723 Add abililty to remove providers

Resolved

is incorporated by

JBEAP-10845 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta23

Closed

is related to

JBEAP-11343 AuditLogToTLSSyslogTestCase stuck on Solaris 10 servers

Closed

JBEAP-11402 LDAP tests fails on Solaris 10 machines

Closed

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates