[jetty-users] Inconsistent failures when connecting to a server with self signed certificate

Hello,

I'm working on a client/server application using Jetty client and server 9.4.20.v20190813. The client application provides a configuration flag to allow connecting to a server with an untrusted certificate. The code we use to configure the client looks like this:

// WebSocketClientFactory.java
private static void configureTrust(WebSocketClient client, boolean allowUntrusted) {
    if (allowUntrusted) {
        client.getSslContextFactory().setHostnameVerifier((hostname, session) -> true);
        client.getSslContextFactory().setTrustAll(true);
    }
}

For testing this feature we use a stub implementation of the real server that just records all websocket messages in a list to assert on that list in our tests. I added some code to configure the stub to use a self-signed certificate (the certificate and SslContextBuilder bits are from netty):

// MessageRecordingServerStub.groovy
if (selfSignedHttps) {
    def cert = new SelfSignedCertificate('localhost')
    JdkSslContext sslContext = SslContextBuilder
        .forServer(cert.certificate(), cert.privateKey())
        .sslProvider(SslProvider.JDK)
        .build() as JdkSslContext

    def sslContextFactory = new SslContextFactory.Server()
    sslContextFactory.sslContext = sslContext.context()

    ServerConnector con = new ServerConnector(this, sslContextFactory)
    con.setPort(port)
    connectors = [con]
}

Connecting to the stub server with allowUntrusted = true works as expected. However, when I set allowUntrusted to false I only sometimes get the exception that I would expect:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
 at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
 at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
 at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:891)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:530)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:128)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
 at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
 at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:154)
 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint$IncompleteWriteCallback.succeeded(SslConnection.java:1310)
 at org.eclipse.jetty.io.WriteFlusher.write(WriteFlusher.java:293)
 at org.eclipse.jetty.io.AbstractEndPoint.write(AbstractEndPoint.java:381)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.needsFillInterest(SslConnection.java:746)
 at org.eclipse.jetty.io.AbstractEndPoint$1.needsFillInterest(AbstractEndPoint.java:45)
 at org.eclipse.jetty.io.FillInterest.tryRegister(FillInterest.java:83)
 at org.eclipse.jetty.io.FillInterest.register(FillInterest.java:55)
 at org.eclipse.jetty.io.AbstractEndPoint.fillInterested(AbstractEndPoint.java:362)
 at org.eclipse.jetty.io.AbstractConnection.fillInterested(AbstractConnection.java:134)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.fillInterested(HttpReceiverOverHTTP.java:193)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:141)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
 at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
 at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:154)
 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:426)
 at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:320)
 at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:158)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
 at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)
 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)
 at java.lang.Thread.run(Thread.java:748)

But most of the time I get:

java.io.EOFException: HttpConnectionOverHTTP@2d5f697f::DecryptedEndPoint@7050f4d9{localhost/127.0.0.1:51214<->/127.0.0.1:51215,CLOSED,fill=-,flush=F,to=1/0}
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.earlyEOF(HttpReceiverOverHTTP.java:335)
 at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1526)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.shutdown(HttpReceiverOverHTTP.java:209)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:147)
 at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:73)
 at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:133)
 at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:154)
 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint$IncompleteWriteCallback.succeeded(SslConnection.java:1310)
 at org.eclipse.jetty.io.WriteFlusher.write(WriteFlusher.java:293)
 at org.eclipse.jetty.io.AbstractEndPoint.write(AbstractEndPoint.java:381)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onIncompleteFlush(SslConnection.java:1069)
 at org.eclipse.jetty.io.AbstractEndPoint$2.onIncompleteFlush(AbstractEndPoint.java:54)
 at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:387)
 at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:669)
 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)
 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)
 at java.lang.Thread.run(Thread.java:748)

So it looks like the server closed the connection early. This is not related to timeouts since I did not change the default idle timeout of 30 seconds on the server.

Any idea what might be causing this? I would like to stabilize the test in a way that I always get the SSLHandshakeException.

Thanks in advance!
Benedikt
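
Added example, not part of the original message and not Jetty project code: a narrower alternative to the `setTrustAll(true)` plus accept-all hostname verifier shown in the post, which trusts only one known self-signed certificate and keeps hostname checking on. The class name `PinnedTrust` and the `pinnedCert` parameter are hypothetical; it assumes the Jetty 9.4 `SslContextFactory` API and must run before the client is started.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.websocket.client.WebSocketClient;

// Hypothetical helper (added example): pins a single server certificate
// instead of disabling certificate and hostname validation altogether.
public final class PinnedTrust {
    private PinnedTrust() {}

    /** Builds an in-memory trust store that contains only the given certificate. */
    static KeyStore trustStoreFor(Path pinnedCert) throws Exception {
        X509Certificate cert;
        // CertificateFactory accepts both PEM and DER encoded X.509 input.
        try (InputStream in = Files.newInputStream(pinnedCert)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start empty: no default CA certificates
        trustStore.setCertificateEntry("pinned-server", cert);
        return trustStore;
    }

    /**
     * Configures the client to accept only the pinned certificate.
     * Call before client.start(); the factory is read when the client starts.
     * In the test from the post, the stub's certificate file could be passed
     * as cert.certificate().toPath() (assumption: it returns a java.io.File).
     */
    static void configureTrust(WebSocketClient client, Path pinnedCert) throws Exception {
        SslContextFactory ssl = client.getSslContextFactory();
        ssl.setTrustAll(false);                          // keep chain validation on
        ssl.setTrustStore(trustStoreFor(pinnedCert));    // trust exactly one certificate
        ssl.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname verification on
    }
}
```

With this configuration a server presenting any other certificate, self-signed or not, still fails the handshake on the client side.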
