directory-dev mailing list archives

From Niklas Gustavsson <nik...@protocol7.com>
Subject Re: Adding SSLFilter on the fly
Date Fri, 12 Jan 2007 09:31:53 GMT
Hi

Anyone got any idea as to how I could solve the issue I describe below? 
The MINA integration into FtpServer is not fully functional, except for 
the SSL support :-/

Thanks!

/niklas

> Niklas Gustavsson wrote:
>> Hi
>>
>> I'm trying to integrate MINA with Apache FtpServer, basically base 
>> FtpServer's socket handling on MINA. So far it's been a great 
>> experience. However, I just got stuck. It might very likely be an 
>> error on my side but I need some pointers :-)
>>
>> The FTP AUTH command is sent by a client to tell the server that it 
>> wants to secure the FTP control socket with SSL. The flow is like this:
>>
>> 1. Client sends "AUTH TLS"
>> 2. Server sends "234 Command AUTH okay; starting TLS connection."
>> 3. Server secures the socket
>> 4. Next client call is over the secure socket
>>
>> Now, to implement this I add a SSLFilter at step 3. However, I seem to 
>> run into a condition where the response sent at step 2 sometimes ends 
>> up in the, not yet initialized, SSLFilter. This results in:
>> java.lang.IllegalStateException
>>     at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
>>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
>>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
>>     at java.lang.Thread.run(Thread.java:595)
>>
>>
>> From my understanding, the response should already have been sent to 
>> the client but that seems not to be the case. The response (step 2) is 
>> sent as:
>> session.write(response).join();
>>
>> Shouldn't the join() make that call wait until the write is completely 
>> done? If not, how would I otherwise ensure that the response has been 
>> sent before I add the SSL filter?
>>
>> The full trace is attached.
>>
>> Thanks!
>> /niklas
>>
>>
>> ------------------------------------------------------------------------
>>
>> Server ready :: Apache FTP Server
>> ------- Apache FTP Server started ------
>> [/127.0.0.1:2291] CREATED
>> Launching thread for /127.0.0.1:2291
>> [/127.0.0.1:2291] OPENED
>> [/127.0.0.1:2291] WRITE: 220 Service ready for new user.
>>
>> < 220 Service ready for new user.
>>> AUTH TLS
>> AUTH TLS
>>
>> AUTH TLS
>>
>> [/127.0.0.1:2291] RECEIVED: AUTH TLS
>> [/127.0.0.1:2291] WRITE: 234 Command AUTH okay; starting TLS connection.
>>
>> < 220 Service ready for new user.
>> 234 Command AUTH okay; starting TLS connection.
>> [/127.0.0.1:2291]  doHandshake()
>> [/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
>> [/127.0.0.1:2291]  unwrapHandshake()
>> [/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
>> [/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
>> [/127.0.0.1:2291]  Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
>> bytesConsumed = 0 bytesProduced = 0
>> org.apache.ftpserver.listener.mina.MinaConnection@1cb52ae
>> [/127.0.0.1:2291] SENT: 220 Service ready for new user.
>>
>> [/127.0.0.1:2291] SENT: 234 Command AUTH okay; starting TLS connection.
>>
>> [/127.0.0.1:2291] EXCEPTION:
>> java.lang.IllegalStateException
>>     at org.apache.mina.filter.SSLFilter.getSSLSessionHandler(SSLFilter.java:634)
>>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:371)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
>>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
>>     at java.lang.Thread.run(Thread.java:595)
>> [/127.0.0.1:2291] CLOSE
>> [/127.0.0.1:2291]  write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
>> [/127.0.0.1:2291]  session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
>> [/127.0.0.1:2291]  Data Read: org.apache.mina.filter.support.SSLHandler@1addb59 (DirectBuffer[pos=0 lim=7 cap=8192: 15 03 01 00 02 02 0A])
>> [/127.0.0.1:2291]  doHandshake()
>> [/127.0.0.1:2291]   initialHandshakeStatus=NEED_UNWRAP
>> [/127.0.0.1:2291]  unwrapHandshake()
>> [/127.0.0.1:2291]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
>> [/127.0.0.1:2291]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
>> [/127.0.0.1:2291] Unexpected exception from SSLEngine.closeInbound().
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1259)
>>     at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
>>     at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:358)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:599)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:313)
>>     at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:271)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:225)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:563)
>>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
>>     at java.lang.Thread.run(Thread.java:595)
>> [/127.0.0.1:2291] EXCEPTION:
>> javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
>>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:424)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
>>     at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:617)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
>>     at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:353)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:281)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:241)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$500(SocketIoProcessor.java:44)
>>     at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:559)
>>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:43)
>>     at java.lang.Thread.run(Thread.java:595)
>> Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
>>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
>>     at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677)
>>     at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
>>     at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293)
>>     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
>>     ... 12 more
>> [/127.0.0.1:2291] CLOSED
>> Exiting since queue is empty for /127.0.0.1:2291
> 
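
The AUTH TLS upgrade from steps 1 to 4 of the quoted message, as an added example that is not part of the original thread and is not FtpServer or MINA project code. It installs the filter before the "234" reply is written and uses `SSLFilter.DISABLE_ENCRYPTION_ONCE`, the marker attribute MINA's SSLFilter provides for StartTLS-style upgrades, so that this one reply still leaves in plaintext. It assumes the MINA 1.x API seen in the stack trace; the class, method and filter names are hypothetical.

```java
import javax.net.ssl.SSLContext;

import org.apache.mina.common.IoFilterChain;
import org.apache.mina.common.IoSession;
import org.apache.mina.common.WriteFuture;
import org.apache.mina.filter.SSLFilter;

/** Hypothetical helper for securing an FTP control session after "AUTH TLS". */
public final class AuthTlsUpgrade {

    // Hypothetical name under which the filter is registered in the chain.
    private static final String SSL_FILTER_NAME = "sslFilter";

    private AuthTlsUpgrade() {
    }

    /**
     * Installs the SSL filter and then sends the plaintext reply, e.g.
     * "234 Command AUTH okay; starting TLS connection.".
     */
    public static WriteFuture upgrade(IoSession session, SSLContext sslContext, Object reply) {
        IoFilterChain chain = session.getFilterChain();

        // Refuse a second AUTH on a connection that is already secured.
        if (chain.contains(SSL_FILTER_NAME)) {
            throw new IllegalStateException("control connection is already secured");
        }

        // 1. Put the filter in place first, at the head of the chain, so the
        //    client's first TLS record cannot arrive before the filter exists.
        chain.addFirst(SSL_FILTER_NAME, new SSLFilter(sslContext));

        // 2. Marker attribute: the next write bypasses encryption. SSLFilter
        //    removes it again as soon as that write has passed through.
        session.setAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

        // 3. The reply from step 2 of the flow goes out unencrypted; every
        //    later write on this session is wrapped by the filter.
        return session.write(reply);
    }
}
```

With this ordering the handler no longer has to wait on the write future before touching the filter chain, because the reply and the filter installation cannot be reordered against each other.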

