Bug
Resolution: Done
Blocker
When attempting to connect to WildFly via the CLI with the remote+https protocol when using the BouncyCastle JSSE provider, a ConnectException occurs (see ELY-1624). It turns out that the underlying issue occurs in the org.xnio.ssl.JsseSslConduitEngine constructor:
    JsseSslConduitEngine(final JsseSslStreamConnection connection, final StreamSinkConduit sinkConduit,
            final StreamSourceConduit sourceConduit, final SSLEngine engine,
            final Pool<ByteBuffer> socketBufferPool, final Pool<ByteBuffer> applicationBufferPool) {
        ...
        if (receiveBuffer.getResource().capacity() < packetBufferSize || sendBuffer.getResource().capacity() < packetBufferSize) {
            throw msg.socketBufferTooSmall();
        }
        ...
    }
In particular, when using the BC JSSE provider, SSLSession.getPacketBufferSize() returns a larger value (20491) than when using the Sun JSSE provider (16921). The values of receiveBuffer and sendBuffer above are set using the org.xnio.ssl.JsseXnioSsl.bufferPool variable which sets the bufferSize to 17408. Since this value is greater than SSLSession.getPacketBufferSize() when the Sun JSSE provider is used, no exception occurs. However, since 17408 < 20491, an IllegalArgumentException occurs when the BC JSSE provider is used.
If we increase the bufferSize that gets set by org.xnio.ssl.JsseXnioSsl.bufferPool, the above code executes successfully and it is possible to successfully connect to WildFly via the CLI using the remote+https protocol when the BC JSSE provider is used.
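To see whether a given JVM is affected, the following added example (not XNIO code; the class and helper names are hypothetical) reads getPacketBufferSize() from every installed JSSE provider, applies the same comparison against the 17408-byte pool size quoted above, and shows sizing a buffer from the session instead of a constant.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

// Added example; PacketBufferCheck and its helpers are hypothetical names, not XNIO code.
public class PacketBufferCheck {
    // Fixed buffer size the issue reports for org.xnio.ssl.JsseXnioSsl.bufferPool.
    static final int FIXED_POOL_BUFFER_SIZE = 17408;

    // Same comparison as the guard in the JsseSslConduitEngine constructor.
    static boolean tooSmall(int bufferCapacity, int packetBufferSize) {
        return bufferCapacity < packetBufferSize;
    }

    // Provider-independent sizing: ask the session instead of using a constant.
    static ByteBuffer allocateNetworkBuffer(SSLSession session) {
        return ByteBuffer.allocate(session.getPacketBufferSize());
    }

    public static void main(String[] args) {
        for (Provider provider : Security.getProviders()) {
            // Skip providers that do not offer a TLS SSLContext.
            if (provider.getService("SSLContext", "TLS") == null) {
                continue;
            }
            try {
                SSLContext context = SSLContext.getInstance("TLS", provider);
                context.init(null, null, null); // default key and trust managers
                // The initial session already reports the provider's packet size;
                // the exact number varies by provider and JDK version.
                SSLSession session = context.createSSLEngine().getSession();
                int packetSize = session.getPacketBufferSize();
                String verdict = tooSmall(FIXED_POOL_BUFFER_SIZE, packetSize)
                        ? "fixed pool TOO SMALL" : "fixed pool ok";
                System.out.printf("%-12s packetBufferSize=%d fixedPool=%d -> %s (session-sized: %d)%n",
                        provider.getName(), packetSize, FIXED_POOL_BUFFER_SIZE, verdict,
                        allocateNetworkBuffer(session).capacity());
            } catch (GeneralSecurityException | RuntimeException e) {
                System.out.printf("%-12s could not create an SSLEngine: %s%n",
                        provider.getName(), e);
            }
        }
    }
}
```

Run it with the same security provider configuration as the CLI client, so that the BC JSSE provider is registered when the check executes.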
- causes: ELY-1624 BC FIPS with CLI: Could not connect to remote+https://127.0.0.1:9993. The connection timed out (Closed)
- is duplicated by: ELY-1624 BC FIPS with CLI: Could not connect to remote+https://127.0.0.1:9993. The connection timed out (Closed)
- is incorporated by: WFCORE-4027 Upgrade xnio to 3.6.5.Final (Resolved)