users@grizzly.java.net

Re: Grizzly 2.0 M3: java.lang.StackOverflowError in SSL handshake, when using expired client certificate

From: JopieC <jopie.cruijff_at_gmail.com>
Date: Thu, 11 Jun 2009 06:40:02 -0700 (PDT)

The following seems to be happening:

The client sends its (expired) certificate, which is read by the server:

[SSLStreamReader::appendBuffer] # bytes in: 1024
[Raw read]: length = 5
0000: 16 03 00 03 FB .....
[Raw read]: length = 1019
0000: 0B 00 03 73 00 03 70 00 03 6D 30 82 03 69 30 82 ...s..p..m0..i0.
...
03F0: 4D 01 0E BE 43 E2 B3 BE F2 CE F9 M...C......
WTP-WorkerThread(0), READ: SSLv3 Handshake, length = 1019
[SSLStreamReader::appendBuffer] unwrapped, result: Status = OK
HandshakeStatus = NEED_TASK
bytesConsumed = 1024 bytesProduced = 0

...

[BlockingSSLHandshaker::handshake] NEED_TASK
[SSLUtils::executeDelegatedTask] running...
*** Certificate chain
chain [0] = [
...
  Validity: [From: Thu Mar 17 13:09:40 MET 2005,
               To: Fri Apr 07 11:57:20 MEST 2006]
...
]
***
WTP-WorkerThread(0), fatal error: 46: General SSLEngine problem
java.security.cert.CertificateExpiredException: NotAfter: Fri Apr 07
11:57:20 MEST 2006
WTP-WorkerThread(0), SEND SSLv3 ALERT: fatal, description =
certificate_unknown
WTP-WorkerThread(0), WRITE: SSLv3 Alert, length = 2
[SSLUtils::executeDelegatedTask] ran

...

[BlockingSSLHandshaker::handshake] NEED_WRAP

...

[SSLStreamWriter::handshakewrap::flush0]

WTP-WorkerThread(0), fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[BlockingSSLHandshaker::handshake] Exception:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at
com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1081)
    at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1053)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
    at
com.qv.tst.grizzly.ssl.SSLStreamWriter.flush0(SSLStreamWriter.java:143)
    at
com.qv.tst.grizzly.ssl.SSLStreamWriter.handshakeWrap(SSLStreamWriter.java:88)
    at
com.qv.tst.grizzly.ssl.BlockingSSLHandshaker.handshake(BlockingSSLHandshaker.java:139)
    at com.qv.tst.grizzly.ssl.SSLFilter.handleRead(SSLFilter.java:154)
    at
com.qv.tst.grizzly.filterchain.DefaultFilterChain$3.execute(DefaultFilterChain.java:89)
    at
com.qv.tst.grizzly.filterchain.DefaultFilterChain.executeChain(DefaultFilterChain.java:247)
    at
com.qv.tst.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:179)
    at
com.qv.tst.grizzly.filterchain.AbstractFilterChain.process(AbstractFilterChain.java:148)
    at com.qv.tst.grizzly.ProcessorRunnable.run(ProcessorRunnable.java:232)
    at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at
com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1451)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at
com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1253)
    at
com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
    at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at
com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at
com.qv.tst.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:102)
    at
com.qv.tst.grizzly.ssl.BlockingSSLHandshaker.handshake(BlockingSSLHandshaker.java:153)
    ... 12 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Apr
07 11:57:20 MEST 2006
    at
sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
    at
sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:167)
    at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:237)
    at
com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1232)
    ... 19 more
[BlockingSSLHandshaker::handshake] finally
[SSLFilter::handleRead] handshake done

=> FOR THE CLIENT IT ISN'T! The client is continuing the handshake and sends
in the CertificateVerify, ChangeCipherSpec and Finished messages. And the
server is going into a loop:

[StreamReaderDecorator::completed] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] unwrapping...
[SSLStreamReader::appendBuffer] # bytes in: 139
[SSLStreamReader::appendBuffer] unwrapped, result: Status = CLOSED
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[SSLStreamReader::appendBuffer] result.bytesProduced(): 0
[SSLStreamReader::appendBuffer] result.bytesConsumed(): 0
[SSLStreamReader::appendBuffer] else, wasAdded: false
[SSLStreamReader::appendBuffer] finally, wasAdded: false
[StreamReaderDecorator::completed] buffer appended: false
[StreamReaderDecorator::completed] future.isDone(): false
[StreamReaderDecorator::completed] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] unwrapping...
[SSLStreamReader::appendBuffer] # bytes in: 139
[SSLStreamReader::appendBuffer] unwrapped, result: Status = CLOSED
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[SSLStreamReader::appendBuffer] result.bytesProduced(): 0
[SSLStreamReader::appendBuffer] result.bytesConsumed(): 0
[SSLStreamReader::appendBuffer] else, wasAdded: false
[SSLStreamReader::appendBuffer] finally, wasAdded: false
[StreamReaderDecorator::completed] buffer appended: false
[StreamReaderDecorator::completed] future.isDone(): false
[StreamReaderDecorator::completed] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] buffer: ByteBufferWrapper
480508[visible=[java.nio.HeapByteBuffer[pos=0 lim=139 cap=139]]]
[SSLStreamReader::appendBuffer] unwrapping...
[SSLStreamReader::appendBuffer] # bytes in: 139
[SSLStreamReader::appendBuffer] unwrapped, result: Status = CLOSED
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[SSLStreamReader::appendBuffer] result.bytesProduced(): 0
[SSLStreamReader::appendBuffer] result.bytesConsumed(): 0
[SSLStreamReader::appendBuffer] else, wasAdded: false
[SSLStreamReader::appendBuffer] finally, wasAdded: false
[StreamReaderDecorator::completed] buffer appended: false
[StreamReaderDecorator::completed] future.isDone(): false
...

Jun 11, 2009 3:11:45 PM com.qv.tst.grizzly.ProcessorRunnable logException
WARNING: Processor execution exception. Processor:
com.qv.tst.grizzly.filterchain.DefaultFilterChain_at_1d9e2c7 Context:
FilterChainContext
[connection=com.qv.tst.grizzly.nio.transport.TCPNIOConnection_at_1b7ae22,
message=null, address=null,
executedFilters=com.qv.tst.grizzly.utils.LightArrayList_at_1264eca]
java.lang.StackOverflowError
    at sun.nio.cs.UTF_8.updatePositions(UTF_8.java:58)
    at sun.nio.cs.UTF_8$Encoder.encodeArrayLoop(UTF_8.java:392)
    at sun.nio.cs.UTF_8$Encoder.encodeLoop(UTF_8.java:447)
    at java.nio.charset.CharsetEncoder.encode(CharsetEncoder.java:544)
    at sun.nio.cs.StreamEncoder.implWrite(StreamEncoder.java:252)
    at sun.nio.cs.StreamEncoder.write(StreamEncoder.java:106)
    at java.io.OutputStreamWriter.write(OutputStreamWriter.java:190)
    at java.io.BufferedWriter.flushBuffer(BufferedWriter.java:111)
    at java.io.PrintStream.write(PrintStream.java:476)
    at java.io.PrintStream.print(PrintStream.java:619)
    at java.io.PrintStream.println(PrintStream.java:756)
    at
com.qv.tst.grizzly.ssl.SSLStreamReader.appendBuffer(SSLStreamReader.java:95)
    at
com.qv.tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:190)
    at
com.qv.tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:87)
    at
com.qv.tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:593)
    at
com.qv.tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:197)
    at
com.qv.tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:87)
    at
com.qv.tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:593)
    at
com.qv.tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:197)
    at
com.qv.tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:87)
    at
com.qv.tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:593)

I hope this helps you to find the problem.

Jeanfrancois Arcand-2 wrote:
>
> Salut,
>
> JopieC wrote:
>> In the Server I used:
>>
>> ...
>> boolean clientMode = false;
>> boolean needClientAuth = true;
>> boolean wantClientAuth = true;
>>
>> c = new SSLEngineConfigurator(sslContext, clientMode,
>> needClientAuth, wantClientAuth);
>> ...
>>
>> Then I ordered the client to use an expired certificate:
>>
>> found key for : ...
>> chain [0] = [
>> [
>> Version: V3
>> Subject: CN=..., OU=..., O=... L=..., ST=..., C=...
>> Signature Algorithm: MD5withRSA, OID = ...
>>
>> Key: Sun RSA public key, 1024 bits
>> modulus: ...
>> public exponent: 65537
>> Validity: [From: Wed Jun 16 12:13:13 MEST 2004,
>> To: Sun Jun 26 13:30:00 MEST 2005]
>>
>> Then in the server a java.lang.StackOverflowError occurs:
>>
>> java.security.cert.CertificateExpiredException: NotAfter: Sun Jun 26
>> 13:30:00 MEST 2005
>> WTP(0), SEND SSLv3 ALERT: fatal, description = certificate_unknown
>> WTP(0), WRITE: SSLv3 Alert, length = 2
>> WTP(0), fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> [Raw write]: length = 7
>> 0000: 15 03 00 00 02 02 2E .......
>> Jun 8, 2009 2:26:45 PM tst.grizzly.ProcessorRunnable logException
>> WARNING: Processor execution exception. Processor:
>> tst.grizzly.filterchain.DefaultFilterChain_at_7b4703 Context:
>> FilterChainContext
>> [connection=tst.grizzly.nio.transport.TCPNIOConnection_at_5c3987[localaddress=/192.168.201.9:10078,
>> peeraddress=/192.168.201.12:24624], message=null, address=null,
>> executedFilters=tst.grizzly.utils.LightArrayList_at_1e184ea]
>> java.lang.StackOverflowError
>> at
>> tst.grizzly.attributes.IndexedAttributeHolder$IndexedAttributeAccessorImpl.getAttribute(IndexedAttributeHolder.java:161)
>> at tst.grizzly.attributes.Attribute.weakGet(Attribute.java:264)
>> at tst.grizzly.attributes.Attribute.get(Attribute.java:100)
>> at tst.grizzly.attributes.Attribute.get(Attribute.java:126)
>> at
>> tst.grizzly.ssl.SSLResourcesAccessor.getSSLEngine(SSLResourcesAccessor.java:98)
>> at
>> tst.grizzly.ssl.SSLStreamReader.getSSLEngine(SSLStreamReader.java:134)
>> at
>> tst.grizzly.ssl.SSLStreamReader.checkBuffers(SSLStreamReader.java:181)
>> at
>> tst.grizzly.ssl.SSLStreamReader.appendBuffer(SSLStreamReader.java:92)
>> at
>> tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at
>> tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at
>> tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> at
>> tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at
>> tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at
>> tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> at
>> tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:176)
>> at
>> tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>> at
>> tst.grizzly.streams.AbstractStreamReader.notifyAvailable(AbstractStreamReader.java:580)
>> ...
>> at
>> tst.grizzly.streams.StreamReaderDecorator$FeederCompletionHandler.completed(StreamReaderDecorator.java:181)
>> at
>> tst.grizzly.nio.transport.TCPNIOStreamReader.notifyCondition(TCPNIOStreamReader.java:90)
>>
>> In the client log I see this:
>>
>> [7][08-06-2009 14:43:25:583][main] [Logger::log] Exception:
>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>> certificate_unknown
>> at
>> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>> at
>> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
>> at
>> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
>>
>> Now I know that I shouldn't use an expired certificate, but a
>> StackOverflow should not occur.
>
> True. I think this is related to:
>
> http://www.nabble.com/Grizzly-2.0-M3-infinite-loop-hang-in-SSL-handshake-td23870143.html
>
> I will take a look as soon as I can. Do you have a simple test case I
> can use?
>
> Thanks
>
> -- Jeanfrancois
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>

-- 
View this message in context: http://www.nabble.com/Grizzly-2.0-M3%3A-java.lang.StackOverflowError-in-SSL-handshake%2C-when-using-expired-client-certificate-tp23923626p23981515.html
Sent from the Grizzly - Users mailing list archive at Nabble.com.
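The two logs above show the same shape of failure: the server's SSLEngine rejects the client certificate in a delegated task, queues a fatal `certificate_unknown` alert and closes, and from then on every `unwrap()` of the client's follow-up records (CertificateVerify, ChangeCipherSpec, Finished) returns `Status = CLOSED` with `bytesConsumed = 0`. A reader that treats "nothing was consumed" as "try again" re-dispatches the same 139-byte buffer to itself until the stack is exhausted. The class below is an added illustration of how a read-side SSLEngine driver avoids that; it is not Grizzly's `SSLStreamReader` or any code from this thread. It assumes two caller-supplied sinks, `toSocket` (writes the whole buffer it is handed to the wire) and `toApplication` (receives decrypted bytes); both names and the class name are hypothetical.

```java
import java.nio.ByteBuffer;
import java.util.function.Consumer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;
import javax.net.ssl.SSLException;

// SslReadPump: hypothetical read-side driver for javax.net.ssl.SSLEngine (added example,
// not Grizzly code). It feeds socket bytes into the engine and makes a closed or stalled
// engine stop the caller instead of re-dispatching the same buffer to itself.
public final class SslReadPump {
    private static final ByteBuffer EMPTY = ByteBuffer.allocate(0);
    private final SSLEngine engine;
    private final Consumer<ByteBuffer> toSocket;       // assumed sink: ciphertext out (records, alerts)
    private final Consumer<ByteBuffer> toApplication;  // assumed sink: decrypted application data
    private final ByteBuffer appIn, netOut;

    public SslReadPump(SSLEngine engine, Consumer<ByteBuffer> toSocket, Consumer<ByteBuffer> toApplication) {
        this.engine = engine;
        this.toSocket = toSocket;
        this.toApplication = toApplication;
        appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
    }

    // Called with each chunk read from the socket. Returns true while the caller should keep
    // reading, false once the engine is done with inbound data (fatal alert sent or close_notify seen).
    public boolean onBytesRead(ByteBuffer netIn) throws SSLException {
        while (netIn.hasRemaining()) {
            // Guard 1: after the engine has sent a fatal alert its inbound side is finished and
            // unwrap() keeps returning CLOSED with bytesConsumed == 0. Records the peer sends after
            // that (CertificateVerify, ChangeCipherSpec, Finished) are discarded, never re-fed.
            if (engine.isInboundDone()) {
                netIn.position(netIn.limit());
                return false;
            }
            SSLEngineResult r;
            try {
                r = engine.unwrap(netIn, appIn);
            } catch (SSLException handshakeFailure) {   // e.g. the trust manager's CertificateExpiredException
                abort();
                throw handshakeFailure;
            }
            switch (r.getStatus()) {
                case CLOSED:           abort(); return false;
                case BUFFER_UNDERFLOW: return true;                        // partial record: wait, do not spin
                case BUFFER_OVERFLOW:  drain(appIn, toApplication); continue; // free appIn, retry same record
                default:               break;
            }
            drain(appIn, toApplication);
            // Guard 2: no bytes moved and nothing to do but wait means another pass is an infinite loop.
            if (r.bytesConsumed() == 0 && r.bytesProduced() == 0
                    && r.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP) {
                return true;
            }
            runHandshakeSteps(r.getHandshakeStatus());
        }
        return true;
    }

    private void runHandshakeSteps(HandshakeStatus hs) throws SSLException {
        while (true) {
            if (hs == HandshakeStatus.NEED_TASK) {
                Runnable task;
                while ((task = engine.getDelegatedTask()) != null) {
                    task.run();   // certificate validation runs here; a failure is stored by the
                }                 // engine and rethrown from the next wrap()/unwrap()
                hs = engine.getHandshakeStatus();
            } else if (hs == HandshakeStatus.NEED_WRAP) {
                SSLEngineResult w;
                try {
                    w = engine.wrap(EMPTY, netOut);
                } catch (SSLException handshakeFailure) {
                    abort();
                    throw handshakeFailure;
                }
                drain(netOut, toSocket);
                if (w.getStatus() == Status.CLOSED) { engine.closeOutbound(); return; }
                hs = w.getHandshakeStatus();
            } else {
                return;   // NEED_UNWRAP, FINISHED or NOT_HANDSHAKING: back to the socket
            }
        }
    }

    // Send whatever the engine still has queued (normally the fatal alert), then close outbound.
    private void abort() {
        try {
            engine.wrap(EMPTY, netOut);
        } catch (SSLException alreadyClosed) {
            // expected once the engine is closed; any alert bytes are already in netOut
        }
        drain(netOut, toSocket);
        engine.closeOutbound();
    }

    private static void drain(ByteBuffer buf, Consumer<ByteBuffer> sink) {
        buf.flip();
        if (buf.hasRemaining()) sink.accept(buf);
        buf.clear();
    }
}
```

The two guards are the whole point: `isInboundDone()` (or a `CLOSED` result) is a terminal condition, so the reader returns `false` and the transport closes the connection, and a result that moved no bytes in either direction with `NEED_UNWRAP` pending is handed back to the selector rather than looped on. The `abort()` path also tries one last `wrap()` so that the alert the engine queued during the delegated task actually reaches the client, which is what lets the client side fail fast with `Received fatal alert: certificate_unknown` instead of sending records into a dead engine.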