Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10483

HTTP2 via JSSE and wildfly ALPN hack ssl engine is broken on Solaris 11

    XMLWordPrintable

Details

    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Hide
      1. unzip EAP and start ./standalone.sh
      2. perform https request using HTTP2 protocol: 
        curl -v -k https://localhost:8443 >/dev/null --http2
      Show
      unzip EAP and start ./standalone.sh perform https request using HTTP2 protocol: curl -v -k https: //localhost:8443 >/dev/ null --http2

    Description

      HTTP2 support on Solaris 11 via our ALPN hack engine seems to be broken, see:

      curl cmd and output
      $ curl -v -k https://localhost:8443 >/dev/null --http2
* Rebuilt URL to: https://localhost:8888/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8888 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* ALPN, server accepted to use h2
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=localhost
* 	start date: Apr 21 07:46:04 2017 GMT
* 	expire date: Apr 19 07:46:04 2027 GMT
* 	common name: localhost
* 	issuer: CN=localhost
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d98b073d80)
> GET / HTTP/1.1
> Host: localhost:8888
> User-Agent: curl/7.51.0
> Accept: */*
> 
* Unexpected EOF
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (56) Unexpected EOF

      in the server.log, I can see following exception:

      server.log
      05:20:08,565 ERROR [org.xnio.listener] (default I/O-5) XNIO001007: A channel event listener threw an exception: java.security.ProviderException: Could not determine buffer size
        at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
        at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
        at javax.crypto.Cipher.doFinal(Cipher.java:2460)
        at sun.security.ssl.CipherBox.decrypt(CipherBox.java:535)
        at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
        at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:137)
        at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:730)
        at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
        at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:202)
        at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
        at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:368)
        at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:106)
        at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:57)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:931)
        at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:912)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1129)
        at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:168)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:590)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:470)
Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 11 bytes long. Got: 2
        at com.oracle.security.ucrypto.NativeGCMCipher.engineUpdate(NativeGCMCipher.java:293)
        at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:828)
        ... 25 more

      When I use --http1.1 instead, then there is no problem (well, obviously because ALPN is not utilized). Also I don't see similar problem on any other platform even not on Solaris 10.

      Attachments

        Issue Links

          is blocked by

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) WFCORE-2723 Add abililty to remove providers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10845 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta23

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11343 AuditLogToTLSSyslogTestCase stuck on Solaris 10 servers

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11402 LDAP tests fails on Solaris 10 machines

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              sdouglas1@redhat.com Stuart Douglas
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: