mina-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: Adding SSLFilter on the fly
Date Thu, 11 Jan 2007 00:02:09 GMT
Niklas,

You might want to direct your inquiries to the MINA mailing list from 
now on.

MINA has become its own TLP and is no longer a subproject of the 
Directory TLP.

Alex

Niklas Gustavsson wrote:
> Hi
> 
> I'm trying to integrate MINA with Apache FtpServer, basically base 
> FtpServer's socket handling on MINA. So far it's been a great 
> experience. However, I just got stuck. It might very likely be an error 
> on my side but I need some pointers :-)
> 
> The FTP AUTH command is sent by a client to tell the server that it 
> wants to secure the FTP control socket with SSL. The flow is like this:
> 
> 1. Client sends "AUTH TLS"
> 2. Server sends "234 Command AUTH okay; starting TLS connection."
> 3. Server secures the socket
> 4. Next client call is over the secure socket
> 
> Now, to implement this I add a SSLFilter at step 3. However, I seem to 
> run into a condition where the response sent at step 2 sometimes ends up 
> in the, not yet initialized, SSLFilter. This results in:
> java.lang.IllegalStateException
>     at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>     at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
>     at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>     at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
>     at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
>     at java.lang.Thread.run(Thread.java:595)
> 
> 
> From my understanding, the response should already have been sent to the 
> client but that seems not to be the case. The response (step 2) is sent as:
> session.write(response).join();
> 
> Shouldn't the join() make that call wait until the write is completely 
> done? If not, how would I otherwise ensure that the response has been 
> sent before I add the SSL filter?
> 
> The full trace is attached.
> 
> Thanks!
> /niklas
> 
> 
> ------------------------------------------------------------------------
> 
> Server ready :: Apache FTP Server
> ------- Apache FTP Server started ------
> [/127.0.0.1:2291] CREATED
> Launching thread for /127.0.0.1:2291
> [/127.0.0.1:2291] OPENED
> [/127.0.0.1:2291] WRITE: 220 Service ready for new user.
> 
> < 220 Service ready for new user.
>> AUTH TLS
> AUTH TLS
> 
> AUTH TLS
> 
> [/127.0.0.1:2291] RECEIVED: AUTH TLS
> [/127.0.0.1:2291] WRITE: 234 Command AUTH okay; starting TLS connection.
> 
> < 220 Service ready for new user.
> 234 Command AUTH okay; starting TLS connection.
> [/127.0.0.1:2291]  doHandshake()
> [/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
> [/127.0.0.1:2291]  unwrapHandshake()
> [/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
> [/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
> [/127.0.0.1:2291]  Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
> bytesConsumed = 0 bytesProduced = 0
> org.apache.ftpserver.listener.mina.MinaConnection@1cb52ae
> [/127.0.0.1:2291] SENT: 220 Service ready for new user.
> 
> [/127.0.0.1:2291] SENT: 234 Command AUTH okay; starting TLS connection.
> 
> [/127.0.0.1:2291] EXCEPTION:
> java.lang.IllegalStateException
> 	at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
> 	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
> 	at java.lang.Thread.run(Thread.java:595)
> [/127.0.0.1:2291] CLOSE
> [/127.0.0.1:2291]  write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
> [/127.0.0.1:2291]  session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
> [/127.0.0.1:2291]  Data Read: org.apache.mina.filter.support.SSLHandler@1addb59 (DirectBuffer[pos=0 lim=7 cap=8192: 15 03 01 00 02 02 0A])
> [/127.0.0.1:2291]  doHandshake()
> [/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
> [/127.0.0.1:2291]  unwrapHandshake()
> [/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
> [/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
> [/127.0.0.1:2291] Unexpected exception from SSLEngine.closeInbound().
> javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1259)
> 	at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
> 	at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:358)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:599)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:313)
> 	at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:271)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:225)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:563)
> 	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
> 	at java.lang.Thread.run(Thread.java:595)
> [/127.0.0.1:2291] EXCEPTION:
> javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:424)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
> 	at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
> 	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
> 	at java.lang.Thread.run(Thread.java:595)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
> 	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> 	at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677)
> 	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
> 	at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293)
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
> 	... 12 more
> [/127.0.0.1:2291] CLOSED
> Exiting since queue is empty for /127.0.0.1:2291
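
The upgrade order from steps 2 and 3 of the quoted flow, written against the MINA 1.x API that appears in the stack traces, as an added example that is not part of the original thread or of FtpServer's code: it installs the SSLFilter before writing the 234 reply and sets the filter's `DISABLE_ENCRYPTION_ONCE` marker attribute so that this one reply still leaves in plaintext. The handler class, the filter name, the 534 reply text and the assumption of a text-line codec in the chain are illustrative.

```java
import javax.net.ssl.SSLContext;

import org.apache.mina.common.IoHandlerAdapter;
import org.apache.mina.common.IoSession;
import org.apache.mina.filter.SSLFilter;

/** Hypothetical handler; assumes a text-line codec so each message is one command line. */
public class AuthTlsHandler extends IoHandlerAdapter {

    // Filter name chosen for this example only.
    private static final String SSL_FILTER_NAME = "sslFilter";

    // Assumed to be initialised elsewhere with the server's key material.
    private final SSLContext sslContext;

    public AuthTlsHandler(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    public void messageReceived(IoSession session, Object message) throws Exception {
        String command = message.toString().trim();
        if (!command.equalsIgnoreCase("AUTH TLS")) {
            return; // other FTP commands are outside this example
        }

        if (session.getFilterChain().contains(SSL_FILTER_NAME)) {
            // The control channel is already protected: never stack a second SSLFilter.
            session.write("534 Session already secured"); // constructed reply text
            return;
        }

        // Marker attribute: SSLFilter lets the next write request through
        // unencrypted and then removes the attribute itself.
        session.setAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

        // Install the filter at the head of the chain (closest to the socket)
        // before replying, so no later client bytes can bypass it.
        session.getFilterChain().addFirst(SSL_FILTER_NAME, new SSLFilter(sslContext));

        // The 234 reply is the single write covered by the marker attribute;
        // everything written after it is encrypted by the filter.
        session.write("234 Command AUTH okay; starting TLS connection.");
    }
}
```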

