Vertx.3 does not consume events after SSL handshake


Rohit Jaiswal

Jun 15, 2016, 8:05:35 PM
to vert.x
Instead of seeing message signatures, this is seen in the vert.x log - 

DEBUG [vert.x-eventloop-thread-0] (SslHandler.java:1241) - [id: 0xc1e12c3f, /16.103.222.203:59184 => /16.103.221.38:4321] HANDSHAKEN: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

for a successful POST from the client.

We have SSL enabled, vertx is listening on 4321 and we are building and running with openjdk version "1.8.0_91" on Ubuntu 15.10


Any clues?


Julien Viet

Jun 16, 2016, 1:59:16 AM
to ve...@googlegroups.com
Hi, can you provide a small program to reproduce this issue, so anyone can have a look at it?

--
You received this message because you are subscribed to the Google Groups "vert.x" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/vertx.
To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/ee96b06e-9690-4a4b-8ae5-6bbab8ab8bd3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rohit Jaiswal

Jun 17, 2016, 7:31:18 PM
to vert.x
Hi,
Attached are the files. What I see is that one message is received, but after that messages are not being consumed by the verticle.

Also, to bring to your attention, this problem is not being faced when using Oracle JRE 8. It occurs only with OpenJRE 8.

Thanks,
Rohit
JksConfiguration.java
Server.java

Julien Viet

Jun 20, 2016, 4:17:39 AM
to ve...@googlegroups.com
Can you provide something runnable, like a Test or a Main, in the form of a mini project, with instructions to reproduce it?


Rohit Jaiswal

Jun 20, 2016, 6:52:17 PM
to vert.x
Hi,
The attachment Server.java is the Main class; just compile them (JksConfiguration and Server) and run: vertx run io.vertx.example.core.http.https.Server to stand up a vertx instance on 4321. Then you may use a REST client to POST requests with SSL enabled to reproduce the problem.

Thanks,
Rohit

Julien Viet

Jun 21, 2016, 8:38:20 AM
to ve...@googlegroups.com
Hi, 

I’m able to make it work using cURL but I need to disable client auth.

A complete solution would be better, as your program requires a certificate to run and the server requires client authentication.

Rohit Jaiswal

Jun 22, 2016, 2:54:33 PM
to vert.x
Hi,
A more complete stack trace of the problem:

%% Cached server session: [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
2016-06-08 05:37:12,775 DEBUG [vert.x-eventloop-thread-1] (SslHandler.java:1241) - [id: 0x269822a6, /172.31.254.102:52428 => /172.31.8.241:4321] HANDSHAKEN: TLS_RSA_WITH_AES_128_CBC_SHA
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeInbound()
vert.x-eventloop-thread-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
vert.x-eventloop-thread-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
vert.x-eventloop-thread-1, Exception sending alert: java.io.IOException: writer side was already closed.
vert.x-eventloop-thread-1, WRITE: TLSv1 Application Data, length = 44
Jun 08, 2016 5:37:12 AM com.fortify.overlord.edge.TheEdge
INFO: bundle with 0 messages : {"identityInfo":"1,0bdde29b-c276-452f-a999-9aa18e9177e4,1,8066b017-7b8b-4d85-904c-08b27dc5a85a","timestamp":1465364138162,"schemaVersion":1,"events":[{"timestamp":1465364227566,"activityEventType":"categoryCounts","eventId":"462314b5-e0a6-4259-9c9e-d0c7b71a5c38","configurationId":"{\"schemaVersion\":5,\"groupId\":1,\"tenantConfigId\":4,\"groupConfigId\":34,\"agentConfigId\":0,\"certConfigId\":1}","interval":60,"counts":[],"agent-id":"0bdde29b-c276-452f-a999-9aa18e9177e4","group-id":"1","tenant-id":"8066b017-7b8b-4d85-904c-08b27dc5a85a","schemaVersion":1}]}
vert.x-eventloop-thread-1, READ: TLSv1 Alert, length = 32
vert.x-eventloop-thread-1, RECV TLSv1 ALERT:  warning, close_notify
vert.x-eventloop-thread-1, closeInboundInternal()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, SEND TLSv1 ALERT:  warning, description = close_notify
vert.x-eventloop-thread-1, WRITE: TLSv1 Alert, length = 32
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeInbound()
vert.x-eventloop-thread-1, closeInboundInternal()

Rohit Jaiswal

Jun 22, 2016, 3:10:22 PM
to vert.x
And some more stack trace - 


%% Initialized:  [Session-19, SSL_NULL_WITH_NULL_NULL]
vert.x-eventloop-thread-1, fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: java.security.KeyException
%% Invalidated:  [Session-19, SSL_NULL_WITH_NULL_NULL]
vert.x-eventloop-thread-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
vert.x-eventloop-thread-1, WRITE: TLSv1.2 Alert, length = 2
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
Thread-2, READ: TLSv1.2 Alert, length = 2
Thread-2, RECV TLSv1.2 ALERT:  fatal, internal_error
Thread-2, called closeSocket()
Thread-2, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
Using SSLEngineImpl.
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeInbound()
vert.x-eventloop-thread-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
vert.x-eventloop-thread-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
vert.x-eventloop-thread-1, Exception sending alert: java.io.IOException: writer side was already closed.
Using SSLEngineImpl.
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeInbound()
vert.x-eventloop-thread-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
vert.x-eventloop-thread-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
vert.x-eventloop-thread-1, Exception sending alert: java.io.IOException: writer side was already closed.
Using SSLEngineImpl.
vert.x-eventloop-thread-1, called closeOutbound()
vert.x-eventloop-thread-1, closeOutboundInternal()
vert.x-eventloop-thread-1, called closeInbound()
vert.x-eventloop-thread-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
vert.x-eventloop-thread-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
vert.x-eventloop-thread-1, Exception sending alert: java.io.IOException: writer side was already closed.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
vert.x-eventloop-thread-1, READ: TLSv1 Handshake, length = 231

MUNGAI NJOROGE

Dec 13, 2019, 3:36:53 AM
to vert.x
Hi,

I am getting this error on Oracle JDK 8_172. This happens when I use a DigiCert certificate, but with a self-signed one the service works fine.

When I use the -Djavax.net.debug=all flag, I can see the request from the client, but vertx never gets the request, nor is a failure result sent to the client.

Did you get it to work out?

MUNGAI NJOROGE

Jun 28, 2021, 3:45:11 AM
to vert.x

Hi,  

I forgot to leave a solution here and the issue hit me again. Now I have to add the solution for future reference. 

If this hits you, check for other versions of io.netty in your project. This can be done with mvn dependency:tree. In my case I have Apache Spark with io.netty version 4.x.17 and vertx with io.netty version 4.x.34. This I think creates a duplicate SSL context at JDK level.

Looks like the HTTPS request is consumed by one SSLHandler while vertx is listening on another SSLHandler. The result is that events never reach vertx for processing and the client hangs waiting for a response.
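
The dependency check suggested in the post above, as an added example (not part of the thread or of either poster's project): it reads mvn dependency:tree output and fails when io.netty artifacts of more than one version are present. The function names are hypothetical and the sample tree is constructed, with versions written the way the post gives them.

```shell
#!/usr/bin/env bash
# Added example: find io.netty artifacts in `mvn dependency:tree` output and
# fail when more than one distinct version is on the classpath.
# Function names are hypothetical; the sample tree below is constructed.

# Constructed dependency:tree output; versions are written as in the post.
sample_tree() {
cat <<'EOF'
[INFO] com.example:edge-service:jar:1.0-SNAPSHOT
[INFO] +- org.apache.spark:spark-core_2.11:jar:2.x:compile
[INFO] |  \- io.netty:netty-all:jar:4.x.17:compile
[INFO] \- io.vertx:vertx-core:jar:3.x:compile
[INFO]    +- io.netty:netty-common:jar:4.x.34:compile
[INFO]    +- io.netty:netty-buffer:jar:4.x.34:compile
[INFO]    \- io.netty:netty-handler:jar:4.x.34:compile
EOF
}

# Print "artifactId version" for each io.netty dependency read from stdin.
# Coordinates are group:artifact:type[:classifier]:version:scope, so the
# version is always the second-to-last field.
netty_artifacts() {
  grep -o 'io\.netty:[^ ]*' | awk -F: '{ print $2, $(NF-1) }' | sort -u
}

# Print the distinct io.netty versions read from stdin, one per line.
netty_versions() {
  netty_artifacts | awk '{ print $2 }' | sort -u
}

# Return 0 when at most one io.netty version is present, 1 otherwise.
check_netty() {
  local tree count
  tree=$(cat)
  count=$(printf '%s\n' "$tree" | netty_versions | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -gt 1 ]; then
    echo "multiple io.netty versions found:" >&2
    printf '%s\n' "$tree" | netty_artifacts | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Real use: mvn dependency:tree -Dincludes=io.netty | check_netty
if sample_tree | check_netty; then echo "single io.netty version"; fi
```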

