Uploaded image for project: 'XNIO'
  1. XNIO
  2. XNIO-327

Increase bufferSize for org.xnio.ssl.JsseXnioSsl.bufferPool to avoid issues with the socket buffer being too small when the BouncyCastle JSSE provider is used

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.6.5.Final, 3.7.0.Final
    • None
    • None
    • None

    Description

      When attempting to connect to WildFly via the CLI with the remote+https protocol when using the BouncyCastle JSSE provider, a ConnectException occurs (see ELY-1624). It turns out that the underlying issue occurs in the org.xnio.ssl.JsseSslConduitEngine constructor:

      JsseSslConduitEngine(final JsseSslStreamConnection connection, final StreamSinkConduit sinkConduit, final StreamSourceConduit sourceConduit, final SSLEngine engine, final Pool<ByteBuffer> socketBufferPool, final Pool<ByteBuffer> applicationBufferPool) {
...
    if (receiveBuffer.getResource().capacity() < packetBufferSize || sendBuffer.getResource().capacity() < packetBufferSize) {
        throw msg.socketBufferTooSmall();
    }
...
}

      In particular, when using the BC JSSE provider, SSLSession.getPacketBufferSize() returns a larger value (20491) than when using the Sun JSSE provider (16921). The values of receiveBuffer and sendBuffer above are set using the org.xnio.ssl.JsseXnioSsl.bufferPool variable which sets the bufferSize to 17408. Since this value is greater than SSLSession.getPacketBufferSize() when the Sun JSSE provider is used, no exception occurs. However, since 17408 < 20491, an IllegalArgumentException occurs when the BC JSSE provider is used.

      If we increase the bufferSize that gets set by org.xnio.ssl.JsseXnioSsl.bufferPool, the above code executes successfully and it is possible to successfully connect to WildFly via the CLI using the remote+https protocol when the BC JSSE provider is used.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. ELY-1624 BC FIPS with CLI: Could not connect to remote+https://127.0.0.1:9993. The connection timed out

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1624 BC FIPS with CLI: Could not connect to remote+https://127.0.0.1:9993. The connection timed out

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is incorporated by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-4027 Upgrade xnio to 3.6.5.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: