no getApplicationProtocol() method in WolfSSLEngine #82
Comments
Hi @onlynishant, thanks for letting us know about this gap in our SSLEngine implementation! Let me look into this and get back to you. For reproduction locally on our end, would we be able to easily reproduce your Undertow server install/configuration?
Hi @cconlon, yes, it should be fairly simple. Let me also paste my sample code here: pom.xml
The command I used to build wolfSSL:
Hi @onlynishant, pull request #84 implements SSLEngine.getApplicationProtocol() and should resolve your issue. I was able to reproduce your Undertow test case locally and have verified these changes fix the issue for me. Thanks for the test code! Can you test out this fix and let me know if you are seeing any other issues? Thanks,
@cconlon Thanks for the quick fix. I confirm that the reported issue is fixed for
Without wolfSSL it works fine:
I am expecting that
Hi @onlynishant, the way wolfJSSE SSLContext creation currently works is that when a user specifies a specific protocol version, that is the only protocol that will be supported by that SSLContext. At the native level, that is equivalent to doing:
Based on the Java Secure Socket Extension (JSSE) Reference Guide, when creating an SSLContext and specifying a specific protocol version, only that specific version is guaranteed to be supported by that SSLContext. The underlying provider may choose to also support other protocols (which appears to be what the SunJSSE provider does):
Our current viewpoint is that locking the SSLContext to the specified protocol provides users with more assurance that their desired security level will be met, and that the connection will not negotiate a lower protocol instead. If a user does want to allow for downgrade in TLS versions, the "TLS" version should be used when creating an SSLContext object. For example:
Are you able to use the more generic "TLS" version when creating your SSLContext, if you are interested in having that session downgrade? If TLS 1.3 is enabled in native wolfSSL, using "TLS" will start at TLS 1.3, then downgrade to TLS 1.2 (etc.) as needed. Thanks,
Hi @cconlon, thanks for the clarification. I don't see the handshake failure error with
I did a few more tests and noticed that while using the OpenSSL client, I get some exceptions. You can try it in the same example I shared. I also got the same exception in production, so it seems it's not an issue with OpenSSL.
Exception in logs:
Hi @onlynishant, thanks! I pushed one more commit to the open pull request that should fix this NullPointerException:
Hi @cconlon, I still see exceptions in production. After 4-5 minutes of use, the logs are flooded with exceptions:
There is also a message during app start:
PS: this is not the sample test code I shared. However, the request/response structure is almost the same.
@cconlon Any update on it?
@onlynishant Sorry for the delay on this issue. Are you still seeing this issue with the latest wolfssljni master? We have made some fixes/changes to our SSLEngine code since your last test above.
@cconlon I am using a different lib now. I will try to test the latest code when I get some time.
Hi, I am trying to use wolfssljni with our Undertow server with HTTP/2 on TLSv1.2 on my Mac (dev env), Java 11.
I am getting the below exception:
While I debugged the code, the ALPN listener of Undertow is calling the getApplicationProtocol() method of SSLEngine, which in this case is WolfSSLEngine, and it doesn't implement it. I tried to implement the method with a return value of null, but the h2 upgrade is not working properly. I found a similar implementation here: https://github.com/wildfly-security/wildfly-openssl/blob/master/java/src/main/java/org/wildfly/openssl/OpenSSLEngine.java#L1566 but couldn't port it into WolfSSLEngine properly. I would appreciate it if someone here can help me.
Before implementing getApplicationProtocol():
After:
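The interaction the report describes (Undertow's ALPN listener reading SSLEngine.getApplicationProtocol() once the handshake is done), together with the SSLContext protocol-name point raised in the thread ("TLSv1.2" versus the generic "TLS"), as an added example that is not part of this issue, of Undertow or of wolfssljni: a stand-alone Java program that drives a client and a server SSLEngine through an in-memory handshake with ALPN offered on both sides, then reads the negotiated protocol the way a server-side ALPN listener does. Everything in it is an assumption of the example, not something the page states: it expects a PKCS12 file server.p12 (password changeit) holding a self-signed server certificate and key, which also serves as the client's trust store; it uses the JDK's default JSSE provider, with the second argument of SSLContext.getInstance() being the place to name a different provider; and the protocol name passed on the command line is used verbatim as the SSLContext algorithm name.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.Arrays;

public class AlpnEngineDemo {
    // Assumed for this example: a PKCS12 file with the server's self-signed
    // certificate and private key; the client trusts the same file.
    static final String KEYSTORE = "server.p12";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final ByteBuffer EMPTY = ByteBuffer.allocate(0);

    static KeyStore loadKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    // `protocol` is the SSLContext algorithm name ("TLSv1.2", "TLS", ...).
    // SSLContext.getInstance(protocol, providerName) selects another provider;
    // this example stays with the JDK default.
    static SSLContext context(String protocol, boolean server) throws Exception {
        KeyStore ks = loadKeyStore();
        SSLContext ctx = SSLContext.getInstance(protocol);
        if (server) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, PASSWORD);
            ctx.init(kmf.getKeyManagers(), null, null);
        } else {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            ctx.init(null, tmf.getTrustManagers(), null);
        }
        return ctx;
    }

    // Advertise ALPN protocol names through SSLParameters (Java 9+ API).
    static void setAlpn(SSLEngine engine, String... protocols) {
        SSLParameters p = engine.getSSLParameters();
        p.setApplicationProtocols(protocols);
        engine.setSSLParameters(p);
    }

    static boolean handshaking(SSLEngine e) {
        HandshakeStatus s = e.getHandshakeStatus();
        return s != HandshakeStatus.NOT_HANDSHAKING && s != HandshakeStatus.FINISHED;
    }

    // One handshake step: `in` holds the peer's records (kept in write mode),
    // `out` receives records for the peer, `app` absorbs any plaintext.
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer app) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_WRAP:
                e.wrap(EMPTY, out);
                break;
            case NEED_UNWRAP:
                in.flip();
                e.unwrap(in, app);   // BUFFER_UNDERFLOW just means "wait for more"
                in.compact();
                break;
            case NEED_TASK:
                for (Runnable task; (task = e.getDelegatedTask()) != null; ) task.run();
                break;
            default:
                break;
        }
    }

    // Full in-memory handshake; returns what a server-side ALPN listener reads.
    static String negotiate(String protocol) throws Exception {
        SSLEngine client = context(protocol, false).createSSLEngine("localhost", 443);
        client.setUseClientMode(true);
        SSLEngine server = context(protocol, true).createSSLEngine();
        server.setUseClientMode(false);
        setAlpn(client, "h2", "http/1.1");   // client offers both
        setAlpn(server, "h2");               // server only accepts h2

        ByteBuffer cToS = ByteBuffer.allocate(64 * 1024), sToC = ByteBuffer.allocate(64 * 1024);
        ByteBuffer cApp = ByteBuffer.allocate(client.getSession().getApplicationBufferSize());
        ByteBuffer sApp = ByteBuffer.allocate(server.getSession().getApplicationBufferSize());
        client.beginHandshake();
        server.beginHandshake();
        while (handshaking(client) || handshaking(server)) {
            step(client, sToC, cToS, cApp);
            step(server, cToS, sToC, sApp);
        }
        // Shows which versions the chosen SSLContext name actually enabled.
        System.out.println("client enabled protocols: " + Arrays.toString(client.getEnabledProtocols()));
        System.out.println("negotiated version:       " + client.getSession().getProtocol());
        return server.getApplicationProtocol();   // "h2" here; "" if ALPN did not agree
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ALPN: " + negotiate(args.length > 0 ? args[0] : "TLSv1.2"));
    }
}
```

Run with `javac AlpnEngineDemo.java && java AlpnEngineDemo TLSv1.2` (or `TLS`) once the assumed keystore exists. The contract the listener relies on is the JDK's: getApplicationProtocol() returns null before the handshake has started and the empty string when no protocol was agreed, so an implementation that returns null unconditionally, as the report says was tried, never lets the server side select h2.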