"Blocking operation" during SSLEngineImpl.unwrap()
Norman Maurer
norman.maurer at googlemail.com
Fri Aug 7 12:00:56 UTC 2020
Hi there,
In netty we support using BlockHound[1] to detect if people do blocking operations within the EventLoop and so notify them that this should not be done. While running our integration tests with TLS1.3 we noticed that unwrap(…) may trigger an FileInputStream.read(…) which in theory could block for a long time. I was assuming that such an operation should only be done after SSLEngine.* returns NEED_TASK and so be delegated to another ThreadPool via getTask().
Now the question(s):
* Is my assumption incorrect ?
* If my assumption is correct should we fix this ?
Here is the stack trace when such a blocking call is detected:
reactor.blockhound.BlockingOperationError: Blocking call! java.io.FileInputStream#readBytes
at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
at java.base/java.io.FileInputStream.read(FileInputStream.java:273)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
at java.base/sun.security.provider.NativePRNG$NonBlocking.engineNextBytes(NativePRNG.java:318)
at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
at java.base/sun.security.ssl.RandomCookie.<init>(RandomCookie.java:67)
at java.base/sun.security.ssl.SessionId.<init>(SessionId.java:45)
at java.base/sun.security.ssl.NewSessionTicket$NewSessionTicketKickstartProducer.produce(NewSessionTicket.java:225)
at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:1100)
at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:867)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:418)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1380)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
[1] https://github.com/reactor/BlockHound
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200807/9f03953d/attachment.htm>
More information about the security-dev
mailing list