Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10483

HTTP2 via JSSE and wildfly ALPN hack ssl engine is broken on Solaris 11

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide
      1. unzip EAP and start ./standalone.sh
      2. perform https request using HTTP2 protocol:
        curl -v -k https://localhost:8443 >/dev/null --http2
        
      Show
      unzip EAP and start ./standalone.sh perform https request using HTTP2 protocol: curl -v -k https: //localhost:8443 >/dev/ null --http2
    • Affects:
      Documentation (Ref Guide, User Guide, etc.), Release Notes

      Description

      HTTP2 support on Solaris 11 via our ALPN hack engine seems to be broken, see:

      curl cmd and output
      $ curl -v -k https://localhost:8443 >/dev/null --http2
      * Rebuilt URL to: https://localhost:8888/
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
      * TCP_NODELAY set
      * Connected to localhost (127.0.0.1) port 8888 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * skipping SSL peer certificate verification
      * ALPN, server accepted to use h2
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      * Server certificate:
      * 	subject: CN=localhost
      * 	start date: Apr 21 07:46:04 2017 GMT
      * 	expire date: Apr 19 07:46:04 2027 GMT
      * 	common name: localhost
      * 	issuer: CN=localhost
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0x55d98b073d80)
      > GET / HTTP/1.1
      > Host: localhost:8888
      > User-Agent: curl/7.51.0
      > Accept: */*
      > 
      * Unexpected EOF
      * Curl_http_done: called premature == 1
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      * Closing connection 0
      curl: (56) Unexpected EOF
      

      in the server.log, I can see following exception:

      server.log
      05:20:08,565 ERROR [org.xnio.listener] (default I/O-5) XNIO001007: A channel event listener threw an exception: java.security.ProviderException: Could not determine buffer size
              at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
              at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
              at javax.crypto.Cipher.doFinal(Cipher.java:2460)
              at sun.security.ssl.CipherBox.decrypt(CipherBox.java:535)
              at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
              at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
              at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
              at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
              at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:137)
              at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:730)
              at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
              at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:202)
              at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
              at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:368)
              at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:106)
              at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:57)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:931)
              at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:912)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1129)
              at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:168)
              at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:590)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:470)
      Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 11 bytes long. Got: 2
              at com.oracle.security.ucrypto.NativeGCMCipher.engineUpdate(NativeGCMCipher.java:293)
              at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:828)
              ... 25 more
      

      When I use --http1.1 instead, then there is no problem (well, obviously because ALPN is not utilized). Also I don't see similar problem on any other platform even not on Solaris 10.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  jstourac Jan Stourac
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  8 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: