Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Won't Fix
-
qpid-java-6.0
-
None
-
None
Description
If I close an connection that uses TLS from the client side (AMQP 0-10 or 0-9), the socket is successfully closed, but the SSL close_notify bytes are never sent over the wire. The Java Broker logs a stack trace to report this.
The client side problem is in SSLSender#tearDownSSLConnection.
The following in the log of SSLTest.testCreateSSLConnectionUsingConnectionURLParams augments with extra trace in tearDownSSLConnection/IoSender.
2016-01-09 17:01:01,047 DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection RECV: [conn:618c5d94] ch=0 ConnectionCloseOk() 2016-01-09 17:01:01,048 DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender Closing SSL connection 2016-01-09 17:01:01,048 DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender SSLEngine result Status = BUFFER_OVERFLOW HandshakeStatus = NEED_WRAP bytesConsumed = 0 bytesProduced = 0 (tearDownSSLConnection initial wrap) 2016-01-09 17:01:01,048 DEBUG [IO-/127.0.0.1:51231] o.a.q.s.t.MultiVersionProtocolEngine Closed 2016-01-09 17:01:01,048 DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender SSLEngine result Status = CLOSED HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 85 (tearDownSSLConnection loop wrap) ## These 85 bytes never go down the wire 2016-01-09 17:01:01,048 DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection connection closed: conn:618c5d94
The Java Broker logs the a stack trace at debug complaining that it never received the close_notify. It otherwise ignores the condition.
2016-01-09 17:01:01,055 DEBUG [IO-/127.0.0.1:51231] o.a.q.s.t.NonBlockingConnectionTLSDelegate Exception when closing SSLEngine javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.8.0_45] at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[na:1.8.0_45] at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[na:1.8.0_45] at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) ~[na:1.8.0_45] at org.apache.qpid.server.transport.NonBlockingConnectionTLSDelegate.shutdownOutput(NonBlockingConnectionTLSDelegate.java:364) ~[qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.NonBlockingConnection.shutdownOutput(NonBlockingConnection.java:409) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.NonBlockingConnection.shutdown(NonBlockingConnection.java:360) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.NonBlockingConnection.doWork(NonBlockingConnection.java:299) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.NetworkConnectionScheduler.processConnection(NetworkConnectionScheduler.java:108) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.SelectorThread$ConnectionProcessor.processConnection(SelectorThread.java:502) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.SelectorThread$SelectionTask.performSelect(SelectorThread.java:340) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.SelectorThread$SelectionTask.run(SelectorThread.java:86) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at org.apache.qpid.server.transport.SelectorThread.run(SelectorThread.java:460) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_45] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_45] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]