Undertow / UNDERTOW-900

HTTP2 issue - Inbound closed before receiving peer's close_notify: possible truncation attack?

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 1.4.4.Final
    • Core, SSL
    • None
      1. Open any page on https, e.g. https://localhost:9443/system/console/httpservice
      2. See protocol information in Chrome developer tool: it shows h2 as protocol
      3. Close browser
      4. Exception occurs in server logs.


    Description

      I have enabled HTTP2 with a self-signed certificate and am getting exceptions when closing the browser (Firefox/Chrome, both on MacOS Sierra) and sometimes (intermittently) when stopping the server.

      Exception while closing Chrome

      2016-11-17_11:23:49.558 [XNIO-1 I/O-6] DEBUG io.undertow.request.io - UT005013: An IOException occurred
      java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:614)
      at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:710)
      at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
      at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:201)
      at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:369)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:923)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:904)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1128)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
      at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
      at io.undertow.protocols.ssl.ALPNHackSSLEngine.closeInbound(ALPNHackSSLEngine.java:279)
      at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:612)
      ... 15 common frames omitted

      Exception while closing Firefox

      2016-11-17_11:33:08.641 [XNIO-1 I/O-6] DEBUG io.undertow.request - Closing HTTP2 channel to /0:0:0:0:0:0:0:1:50942 due to broken read side
      java.io.IOException: Connection reset by peer
      at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
      at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
      at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
      at sun.nio.ch.IOUtil.read(IOUtil.java:192)
      at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
      at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:289)
      at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:700)
      at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
      at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:201)
      at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:369)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:923)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:904)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1128)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      2016-11-17_11:33:08.642 [XNIO-1 I/O-6] DEBUG io.undertow.request - Closing HTTP2 channel to /0:0:0:0:0:0:0:1:50942 due to broken write side
      java.nio.channels.ClosedChannelException: null
      at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:377)
      at io.undertow.conduits.IdleTimeoutConduit.write(IdleTimeoutConduit.java:129)
      at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.flushSenders(AbstractFramedChannel.java:637)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.flush(AbstractFramedChannel.java:718)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.queueFrame(AbstractFramedChannel.java:711)
      at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.queueFinalFrame(AbstractFramedStreamSinkChannel.java:256)
      at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.shutdownWrites(AbstractFramedStreamSinkChannel.java:241)
      at io.undertow.protocols.http2.Http2Channel.sendGoAway(Http2Channel.java:704)
      at io.undertow.protocols.http2.Http2Channel.handleBrokenSourceChannel(Http2Channel.java:544)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.markReadsBroken(AbstractFramedChannel.java:820)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:475)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:923)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:904)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1128)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      2016-11-17_11:33:08.643 [XNIO-1 I/O-6] DEBUG io.undertow.request - Closing HTTP2 channel to /0:0:0:0:0:0:0:1:50942 due to broken write side
      java.nio.channels.ClosedChannelException: null
      at io.undertow.server.protocol.framed.AbstractFramedStreamSinkChannel.flush(AbstractFramedStreamSinkChannel.java:345)
      at io.undertow.protocols.http2.Http2Channel.sendGoAway(Http2Channel.java:705)
      at io.undertow.protocols.http2.Http2Channel.handleBrokenSourceChannel(Http2Channel.java:544)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.markReadsBroken(AbstractFramedChannel.java:820)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:475)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:923)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:904)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1128)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      2016-11-17_11:33:08.643 [XNIO-1 I/O-6] DEBUG io.undertow.request.io - UT005013: An IOException occurred
      java.io.IOException: Connection reset by peer
      at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
      at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
      at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
      at sun.nio.ch.IOUtil.read(IOUtil.java:192)
      at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
      at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:289)
      at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:700)
      at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
      at io.undertow.conduits.IdleTimeoutConduit.read(IdleTimeoutConduit.java:201)
      at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
      at io.undertow.server.protocol.framed.AbstractFramedChannel.receive(AbstractFramedChannel.java:369)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
      at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:923)
      at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:904)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1128)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)

      Please let me know if you need more information.
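
For triaging entries like the ones in this report, the following added example (not part of the original report and not Undertow code) groups each log header with its stack trace and labels how the connection ended. The function names and the labels `tls_eof_without_close_notify`, `tcp_reset` and `write_after_close` are hypothetical; the sample input is trimmed from the logs above.

```python
import re
from collections import Counter

# Constructed sample: entries trimmed from the logs in the report above.
SAMPLE_LOG = """\
2016-11-17_11:23:49.558 [XNIO-1 I/O-6] DEBUG io.undertow.request.io - UT005013: An IOException occurred
java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2016-11-17_11:33:08.641 [XNIO-1 I/O-6] DEBUG io.undertow.request - Closing HTTP2 channel to /0:0:0:0:0:0:0:1:50942 due to broken read side
java.io.IOException: Connection reset by peer
at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:102)
2016-11-17_11:33:08.642 [XNIO-1 I/O-6] DEBUG io.undertow.request - Closing HTTP2 channel to /0:0:0:0:0:0:0:1:50942 due to broken write side
java.nio.channels.ClosedChannelException: null
at io.undertow.protocols.http2.Http2Channel.sendGoAway(Http2Channel.java:704)
"""

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d_[\d:.]+) \[[^\]]+\] \w+ \S+ - (.*)$")
PEER = re.compile(r"channel to /(\S+) due to")

def split_events(text):
    """Attach each stack-trace line to the log header that precedes it."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"ts": m.group(1), "msg": m.group(2), "trace": []})
        elif events and line:
            events[-1]["trace"].append(line)
    return events

def classify(event):
    """Label how the connection ended, using the root exception in the trace."""
    causes = [l for l in event["trace"] if not l.startswith(("at ", "..."))]
    root = causes[-1] if causes else ""
    if "close_notify" in root:
        kind = "tls_eof_without_close_notify"  # TCP closed, no TLS close alert seen
    elif "Connection reset by peer" in root:
        kind = "tcp_reset"
    elif "ClosedChannelException" in root:
        kind = "write_after_close"  # e.g. GOAWAY attempted on a closed channel
    else:
        kind = "other"
    peer = PEER.search(event["msg"])
    http2 = any(".http2." in l for l in event["trace"])
    return {"kind": kind, "http2": http2, "peer": peer.group(1) if peer else None}

def summarize(text):
    return Counter(classify(e)["kind"] for e in split_events(text))
```

The labels describe how the transport ended, not whether the close was malicious; correlating them with peer address and frequency is left to the operator.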

          People

            sdouglas1@redhat.com Stuart Douglas
            rakeshk15 Rakesh Kumar (Inactive)