Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 089D6200C02 for ; Fri, 20 Jan 2017 13:57:45 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 07498160B48; Fri, 20 Jan 2017 12:57:45 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 577A7160B39 for ; Fri, 20 Jan 2017 13:57:44 +0100 (CET) Received: (qmail 23854 invoked by uid 500); 20 Jan 2017 12:57:43 -0000 Mailing-List: contact dev-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpComponents Project" Delivered-To: mailing list dev@hc.apache.org Received: (qmail 23843 invoked by uid 99); 20 Jan 2017 12:57:43 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Jan 2017 12:57:43 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id B44B718C36E for ; Fri, 20 Jan 2017 12:57:42 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-2.999] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id NgptrAnhKElf for ; Fri, 20 Jan 2017 12:57:38 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 7FD3D5FAF3 for ; Fri, 20 Jan 2017 12:57:37 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 9F54CE0059 for ; Fri, 20 Jan 2017 12:57:26 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 5BE3920D39 for ; Fri, 20 Jan 2017 12:57:26 +0000 (UTC) Date: Fri, 20 Jan 2017 12:57:26 +0000 (UTC) From: "Christian Klauser (JIRA)" To: dev@hc.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (HTTPCORE-442) SSLIOSession + ChunkDecoder: MalformedChunkCodingException with last chunk left in inEncryptedBuffer MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 20 Jan 2017 12:57:45 -0000 Christian Klauser created HTTPCORE-442: ------------------------------------------ Summary: SSLIOSession + ChunkDecoder: MalformedChunkCodingException with last chunk left in inEncryptedBuffer Key: HTTPCORE-442 URL: https://issues.apache.org/jira/browse/HTTPCORE-442 Project: HttpComponents HttpCore Issue Type: Bug Reporter: Christian Klauser Attachments: httpcore-nio-SSLIOSession-eof.path I'm running into a rather esoteric problem when reading the response to an HTTP request using {{httpcore-nio}} (used via CXF). On a high level we get a MalfromedChunkCodingException because the ChunkDecoder doesn't receive the last chunk ( {{"0\r\n\r\n"}} is missing ) We see the following situation: * The plain text content fed into the SOAP/JAXB deserialization machinery cuts off mid-way through * *because* the {{ChunkDecoder}} threw a {{MalformedChunkCodingException}}' * *because* {{this.buffer.readLine}} returned false * *because* (not 100% sure here) {{fillBufferFromChannel}} returned -1 and we are looking for the next chunk size * *because* the last 106 bytes of the encrypted stream (see below) have never been decrypted * *because* the loop inside {{SSLIOSession#decryptData}} gets exited early if the {{SSLIOSession#endOfStream}} flag is set _even if the input stream still contains encrypted data_ {code} state of the SSLIOSession in `this.channel` when the exception occurs: 192.168.13.204:48888<->10.0.29.106:443[ACTIVE][r:r][ACTIVE][r][NOT_HANDSHAKING][EOF][][106][0][0][0] {code} Looking at past issues/commit messages, I understand why we have an early exit here (avoid infinite loops on connections that broke in the middle of a TLS packet). I'm not sure if just exiting is correct here. The documentation for the java [{{SSLEngine#unwrap}}|https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLEngine.html] method says that the engine tries to decrypt "one complete TLS network packet". There is no guarantee that it decrypts all remaining packets in the buffer. In our particular case (106 still encrypted bytes), we have to run the {{unwrap}} method two more times until we have the complete response from the server (including the final chunk "{{0\r\n\r\n}}"). After the first additional call, there are still 53 encrypted bytes left. I have attached a patch that solves this issue for us. The patch monitors whether the decryption loop is making progress and keeps looping even if {{endOfStream}} is set. It aborts after a number of iterations without clear progress. With this patch, we can run our entire integration test suite without error. Without this patch, about 1 in SOAP 200 calls fails. The "progress measurement" logic could perhaps be simplified (only measure plain bytes, not also consumed encrypted bytes), but I'm not sure if that would still be correct. I could also imagine that the actual bug is in the ChunkDecoder, that doesn't give the Channel another chance at filling the buffer, but the SSLIOSession code looks more suspicious to me (signalling EOF with 106 bytes left encrypted). What do you think? -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org For additional commands, e-mail: dev-help@hc.apache.org