mina-dev mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Fwd: Adding SSLFilter on the fly
Date Thu, 11 Jan 2007 06:20:35 GMT
---------- Forwarded message ----------
From: Niklas Gustavsson <niklas@protocol7.com>
Date: Jan 11, 2007 1:42 AM
Subject: Adding SSLFilter on the fly
To: dev@directory.apache.org


Hi

I'm trying to integrate MINA with Apache FtpServer, basically base
FtpServer's socket handling on MINA. So far it's been a great
experience. However, I just got stuck. It might very likely be an error
on my side but I need some pointers :-)

The FTP AUTH command is sent by a client to tell the server that it
wants to secure the FTP control socket with SSL. The flow is like this:

1. Client sends "AUTH TLS"
2. Server sends "234 Command AUTH okay; starting TLS connection."
3. Server secures the socket
4. Next client call is over the secure socket

Now, to implement this I add an SSLFilter at step 3. However, I seem to
run into a condition where the response sent at step 2 sometimes ends up
in the not-yet-initialized SSLFilter. This results in:
java.lang.IllegalStateException
        at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
        at java.lang.Thread.run(Thread.java:595)


From my understanding, the response should already have been sent to the
client, but that seems not to be the case. The response (step 2) is sent as:
session.write(response).join();

Shouldn't the join() make that call wait until the write is completely
done? If not, how would I otherwise ensure that the response has been
sent before I add the SSL filter?

The full trace is attached.

Thanks!
/niklas


Server ready :: Apache FTP Server
------- Apache FTP Server started ------
[/127.0.0.1:2291] CREATED
Launching thread for /127.0.0.1:2291
[/127.0.0.1:2291] OPENED
[/127.0.0.1:2291] WRITE: 220 Service ready for new user.

< 220 Service ready for new user.
> AUTH TLS
AUTH TLS

AUTH TLS

[/127.0.0.1:2291] RECEIVED: AUTH TLS
[/127.0.0.1:2291] WRITE: 234 Command AUTH okay; starting TLS connection.

< 220 Service ready for new user.
234 Command AUTH okay; starting TLS connection.
[/127.0.0.1:2291]  doHandshake()
[/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
[/127.0.0.1:2291]  unwrapHandshake()
[/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
[/127.0.0.1:2291]  Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
org.apache.ftpserver.listener.mina.MinaConnection@1cb52ae
[/127.0.0.1:2291] SENT: 220 Service ready for new user.

[/127.0.0.1:2291] SENT: 234 Command AUTH okay; starting TLS connection.

[/127.0.0.1:2291] EXCEPTION:
java.lang.IllegalStateException
        at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
        at java.lang.Thread.run(Thread.java:595)
[/127.0.0.1:2291] CLOSE
[/127.0.0.1:2291]  write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[/127.0.0.1:2291]  session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
[/127.0.0.1:2291]  Data Read: org.apache.mina.filter.support.SSLHandler@1addb59 (DirectBuffer[pos=0 lim=7 cap=8192: 15 03 01 00 02 02 0A])
[/127.0.0.1:2291]  doHandshake()
[/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
[/127.0.0.1:2291]  unwrapHandshake()
[/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
[/127.0.0.1:2291] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1259)
        at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
        at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:358)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781)
        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:599)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:313)
        at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:271)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:225)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:563)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
        at java.lang.Thread.run(Thread.java:595)
[/127.0.0.1:2291] EXCEPTION:
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:424)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
        at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677)
        at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
        at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293)
        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
        ... 12 more
[/127.0.0.1:2291] CLOSED
Exiting since queue is empty for /127.0.0.1:2291




-- 
Ersin
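
An added example, not part of the original message or of FtpServer's code: one way to order the AUTH TLS upgrade in MINA 1.x so that the plaintext 234 reply and the filter installation cannot race. It installs the filter before replying and uses the SSLFilter.DISABLE_ENCRYPTION_ONCE session attribute to let that single reply bypass encryption. The class name, the filter name, the 534 reply text and the String-based codec are assumptions.

```java
import javax.net.ssl.SSLContext;

import org.apache.mina.common.IoHandlerAdapter;
import org.apache.mina.common.IoSession;
import org.apache.mina.filter.SSLFilter;

// Hypothetical handler; assumes a text-line codec that delivers each command as a String.
public class AuthTlsHandler extends IoHandlerAdapter {
    private static final String SSL_FILTER_NAME = "ssl"; // assumed filter name
    private final SSLContext sslContext;                  // assumed: created at server startup

    public AuthTlsHandler(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    public void messageReceived(IoSession session, Object message) throws Exception {
        String line = message.toString().trim();
        if (!line.equalsIgnoreCase("AUTH TLS")) {
            return; // other FTP commands are out of scope for this example
        }
        if (session.getFilterChain().contains(SSL_FILTER_NAME)) {
            // Control channel is already protected: refuse a second upgrade
            // (constructed reply text).
            session.write("534 Session already secured.");
            return;
        }

        // 1. Install the filter first, at the head of the chain (next to the
        //    socket). It is fully initialized before the client has any reason
        //    to send its ClientHello.
        SSLFilter sslFilter = new SSLFilter(sslContext);
        sslFilter.setUseClientMode(false);
        session.getFilterChain().addFirst(SSL_FILTER_NAME, sslFilter);

        // 2. Mark exactly one write as plaintext. SSLFilter removes this marker
        //    attribute when the next write request passes through it.
        session.setAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

        // 3. The 234 reply leaves unencrypted; every later write is wrapped in TLS.
        session.write("234 Command AUTH okay; starting TLS connection.");
    }
}
```

With this ordering no join() on the write future is needed, because the client only starts its handshake after it has read the 234 reply, and the filter is already in place by then.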
