"Blocking operation" during SSLEngineImpl.unwrap()

Norman Maurer norman.maurer at googlemail.com
Fri Aug 7 15:02:27 UTC 2020


Thanks a lot… So seems like my assumption is correct then :)

Bye
Norman


> On 7. Aug 2020, at 17:00, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> Hm, it's an interesting bug.  I filed the issue on the Java Bug System.
>   https://bugs.openjdk.java.net/browse/JDK-8251304
> 
> Thanks,
> Xuelei
> 
> On 8/7/2020 5:00 AM, Norman Maurer wrote:
>> Hi there,
>> In netty we support using BlockHound[1] to detect if people do blocking operations within the EventLoop and so notify them that this should not be done. While running our integration tests with TLS1.3 we noticed that unwrap(…) may trigger an FileInputStream.read(…) which in theory could block for a long time. I was assuming that such an operation should only be done after SSLEngine.* returns NEED_TASK and so be delegated to another ThreadPool via getTask().
>> Now the question(s):
>> * Is my assumption incorrect ?
>> * If my assumption is correct should we fix this ?
>> Here is the stack trace when such a blocking call is detected:
>> reactor.blockhound.BlockingOperationError: Blocking call! java.io.FileInputStream#readBytes
>> at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
>> at java.base/java.io.FileInputStream.read(FileInputStream.java:273)
>> at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
>> at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
>> at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
>> at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
>> at java.base/sun.security.provider.NativePRNG$NonBlocking.engineNextBytes(NativePRNG.java:318)
>> at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
>> at java.base/sun.security.ssl.RandomCookie.<init>(RandomCookie.java:67)
>> at java.base/sun.security.ssl.SessionId.<init>(SessionId.java:45)
>> at java.base/sun.security.ssl.NewSessionTicket$NewSessionTicketKickstartProducer.produce(NewSessionTicket.java:225)
>> at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:1100)
>> at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:867)
>> at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>> at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>> at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:418)
>> at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
>> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
>> at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
>> at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
>> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
>> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
>> at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
>> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
>> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1380)
>> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
>> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
>> [1] https://github.com/reactor/BlockHound



More information about the security-dev mailing list