Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-6981

SSLSender does not send the close_notify bytes during client initiated connection close

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • qpid-java-6.0
    • None
    • Java Common, JMS AMQP 0-x
    • None

    Description

      If I close an connection that uses TLS from the client side (AMQP 0-10 or 0-9), the socket is successfully closed, but the SSL close_notify bytes are never sent over the wire. The Java Broker logs a stack trace to report this.

      The client side problem is in SSLSender#tearDownSSLConnection.

      The following in the log of SSLTest.testCreateSSLConnectionUsingConnectionURLParams augments with extra trace in tearDownSSLConnection/IoSender.

      2016-01-09 17:01:01,047         DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection RECV: [conn:618c5d94] ch=0 ConnectionCloseOk()
2016-01-09 17:01:01,048         DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender Closing SSL connection
2016-01-09 17:01:01,048         DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender SSLEngine result Status = BUFFER_OVERFLOW HandshakeStatus = NEED_WRAP
bytesConsumed = 0 bytesProduced = 0 (tearDownSSLConnection initial wrap)
2016-01-09 17:01:01,048         DEBUG [IO-/127.0.0.1:51231] o.a.q.s.t.MultiVersionProtocolEngine Closed
2016-01-09 17:01:01,048         DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.n.s.s.SSLSender SSLEngine result Status = CLOSED HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 85 (tearDownSSLConnection loop wrap)
##  These 85 bytes never go down the wire
2016-01-09 17:01:01,048         DEBUG [IoRcvr-/127.0.0.1:51231-localhost/127.0.0.1:51229] o.a.q.t.Connection connection closed: conn:618c5d94

      The Java Broker logs the a stack trace at debug complaining that it never received the close_notify. It otherwise ignores the condition.

      2016-01-09 17:01:01,055         DEBUG [IO-/127.0.0.1:51231] o.a.q.s.t.NonBlockingConnectionTLSDelegate Exception when closing SSLEngine
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.8.0_45]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[na:1.8.0_45]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[na:1.8.0_45]
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) ~[na:1.8.0_45]
        at org.apache.qpid.server.transport.NonBlockingConnectionTLSDelegate.shutdownOutput(NonBlockingConnectionTLSDelegate.java:364) ~[qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.NonBlockingConnection.shutdownOutput(NonBlockingConnection.java:409) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.NonBlockingConnection.shutdown(NonBlockingConnection.java:360) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.NonBlockingConnection.doWork(NonBlockingConnection.java:299) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.NetworkConnectionScheduler.processConnection(NetworkConnectionScheduler.java:108) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.SelectorThread$ConnectionProcessor.processConnection(SelectorThread.java:502) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.SelectorThread$SelectionTask.performSelect(SelectorThread.java:340) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.SelectorThread$SelectionTask.run(SelectorThread.java:86) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at org.apache.qpid.server.transport.SelectorThread.run(SelectorThread.java:460) [qpid-broker-core-6.1.0-SNAPSHOT.jar:6.1.0-SNAPSHOT]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_45]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_45]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_45]

      Attachments

        Activity

          People

            Unassigned Unassigned
            kwall Keith Wall
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: