users@grizzly.java.net

Re: Grizzly 2.0 M3: java.lang.StackOverflowError in SSL handshake, when using expired client certificate

From: JopieC <jopie.cruijff_at_gmail.com>
Date: Tue, 9 Jun 2009 02:54:32 -0700 (PDT)

Unfortunately I tested this using an existing project of which the code is
proprietary and hard to isolate quickly. But the basic idea is very simple:
create a ServerConnection that requires client authentication, create a
client that uses a keystore with an expired certificate and try to
communicate with the server.


Jeanfrancois Arcand-2 wrote:
>
> Salut,
>
> JopieC wrote:
>> In the Server I used:
>>
>> ...
>> boolean clientMode = false;
>> boolean needClientAuth = true;
>> boolean wantClientAuth = true;
>>
>> c = new SSLEngineConfigurator(sslContext, clientMode,
>> needClientAuth, wantClientAuth);
>> ...
>>
>> Then I ordered the client to use an expired certificate:
>>
>> found key for : ...
>> chain [0] = [
>> [
>> Version: V3
>> Subject: CN=..., OU=..., O=... L=..., ST=..., C=...
>> Signature Algorithm: MD5withRSA, OID = ...
>>
>> Key: Sun RSA public key, 1024 bits
>> modulus: ...
>> public exponent: 65537
>> Validity: [From: Wed Jun 16 12:13:13 MEST 2004,
>> To: Sun Jun 26 13:30:00 MEST 2005]
>>
>> Then in the server a java.lang.StackOverflowError occurs:
>>
>> java.security.cert.CertificateExpiredException: NotAfter: Sun Jun 26 13:30:00 MEST 2005
>> WTP(0), SEND SSLv3 ALERT: fatal, description = certificate_unknown
>> WTP(0), WRITE: SSLv3 Alert, length = 2
>> WTP(0), fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> [Raw write]: length = 7
>> 0000: 15 03 00 00 02 02 2E .......
>> Jun 8, 2009 2:26:45 PM tst.grizzly.ProcessorRunnable logException
>> WARNING: Processor execution exception. Processor: tst.grizzly.filterchain.DefaultFilterChain@7b4703 Context: FilterChainContext
>> [connection=tst.grizzly.nio.transport.TCPNIOConnection@5c3987[localaddress=/192.168.201.9:10078, peeraddress=/192.168.201.12:24624], message=null, address=null, executedFilters=tst.grizzly.utils.LightArrayList@1e184ea]
>> java.lang.StackOverflowError
>> at tst.grizzly.attributes.IndexedAttributeHolder$IndexedAttributeAccessorImpl.getAttribute(IndexedAttributeHolder.java:161)
>> at tst.grizzly.attributes.Attribute.weakGet(Attribute.java:264)
>> at tst.grizzly.attributes.Attribute.get(Attribute.java:100)
>> at tst.grizzly.attributes.Attribute.get(Attribute.java:126)
>> at tst.grizzly.ssl.SSLResourcesAccessor.getSSLEngine(SSLResourcesAccessor.java:98)
>> at tst.grizzly.ssl.SSLStreamReader.getSSLEngine(SSLStreamReader.java:134)
>> at tst.grizzly.ssl.SSLStreamReader.checkBuffers(SSLStreamReader.java:181)
>> at tst.grizzly.ssl.SSLStreamReader.appendBuffer(SSLStreamReader.java:92)
>> at tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> at tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> at tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> ...
>> at tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:181)
>> at tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>>
>> In the client log I see this:
>>
>> [7][08-06-2009 14:43:25:583][main] [Logger::log] Exception:
>> javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
>> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
>>
>> Now I know that I shouldn't use an expired certificate, but a
>> StackOverflow should not occur.
>
> True. I think this is related to:
>
> http://www.nabble.com/Grizzly-2.0-M3-infinite-loop-hang-in-SSL-handshake-td23870143.html
>
> I will take a look as soon as I can. Do you have a simple test case I
> can use?
>
> Thanks
>
> -- Jeanfrancois

-- 
View this message in context: http://www.nabble.com/Grizzly-2.0-M3%3A-java.lang.StackOverflowError-in-SSL-handshake%2C-when-using-expired-client-certificate-tp23923626p23939769.html
Sent from the Grizzly - Users mailing list archive at Nabble.com.
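
The thread concerns a server that keeps re-entering its read path after the `SSLEngine` has already failed the handshake and closed. As an added example (not code from the thread or from Grizzly), here is a plain-JSSE sketch of treating a handshake failure as terminal, using iteration with bounds instead of nested callbacks. The class and method names are hypothetical, and a constructed plaintext buffer stands in for the expired-certificate handshake so that the demo needs no key material; an expired client certificate surfaces in the same `catch` as an `SSLHandshakeException`.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class FailedHandshakeDemo { // hypothetical demo class, not part of Grizzly
    // Feed inbound bytes once. Returns false when the connection must be dropped.
    static boolean feed(SSLEngine engine, ByteBuffer netIn, ByteBuffer appIn) {
        if (engine.isInboundDone()) return false; // engine closed: never re-enter the read path
        try {
            return engine.unwrap(netIn, appIn).getStatus() == SSLEngineResult.Status.OK;
        } catch (SSLException e) { // includes SSLHandshakeException
            return false;
        }
    }

    // Collect any pending alert with a bounded loop, then close the outbound side.
    static int drainAlert(SSLEngine engine) {
        ByteBuffer netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        int produced = 0;
        try {
            for (int i = 0; i < 4 && !engine.isOutboundDone(); i++) {
                netOut.clear(); // a real server would write these bytes to the socket first
                int n = engine.wrap(ByteBuffer.allocate(0), netOut).bytesProduced();
                if (n == 0) break;
                produced += n;
            }
        } catch (SSLException e) {
            // "engine already closed": nothing more can be sent
        }
        engine.closeOutbound();
        return produced;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true); // same requirement as the server in the thread
        engine.beginHandshake();
        // Constructed input: plaintext instead of a TLS record, to force a fatal error.
        ByteBuffer netIn = ByteBuffer.wrap("GET / HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
        ByteBuffer appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        int reads = 0;
        for (; reads < 16 && feed(engine, netIn, appIn); reads++) { } // bounded, iterative
        System.out.println("reads=" + reads + " alertBytes=" + drainAlert(engine));
    }
}
```

The number of alert bytes printed depends on the JDK version; the point is that both loops terminate once the engine reports failure or closure.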