"Blocking operation" during SSLEngineImpl.unwrap()

Xuelei Fan xuelei.fan at oracle.com
Fri Aug 7 15:00:20 UTC 2020


Hm, it's an interesting bug.  I filed the issue on the Java Bug System.
    https://bugs.openjdk.java.net/browse/JDK-8251304

Thanks,
Xuelei

On 8/7/2020 5:00 AM, Norman Maurer wrote:
> Hi there,
> 
> In netty we support using BlockHound[1] to detect if people do blocking 
> operations within the EventLoop and so notify them that this should not 
> be done. While running our integration tests with TLS1.3 we noticed that 
> unwrap(…) may trigger a FileInputStream.read(…) which in theory could 
> block for a long time. I was assuming that such an operation should only 
> be done after SSLEngine.* returns NEED_TASK and so be delegated to 
> another ThreadPool via getTask().
> 
> Now the question(s):
> 
> * Is my assumption incorrect?
> * If my assumption is correct, should we fix this?
> 
> Here is the stack trace when such a blocking call is detected:
> 
> reactor.blockhound.BlockingOperationError: Blocking call! java.io.FileInputStream#readBytes
> at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
> at java.base/java.io.FileInputStream.read(FileInputStream.java:273)
> at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
> at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
> at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
> at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
> at java.base/sun.security.provider.NativePRNG$NonBlocking.engineNextBytes(NativePRNG.java:318)
> at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
> at java.base/sun.security.ssl.RandomCookie.<init>(RandomCookie.java:67)
> at java.base/sun.security.ssl.SessionId.<init>(SessionId.java:45)
> at java.base/sun.security.ssl.NewSessionTicket$NewSessionTicketKickstartProducer.produce(NewSessionTicket.java:225)
> at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:1100)
> at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:867)
> at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
> at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
> at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:418)
> at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
> at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
> at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
> at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
> at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1380)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
> 
> [1] https://github.com/reactor/BlockHound
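
The NEED_TASK contract discussed in this thread, as an added example that is not part of either message and is not netty or JDK code: when the engine reports NEED_TASK, the caller drains SSLEngine.getDelegatedTask() onto a worker pool instead of running the work on the I/O thread. The class name, pool size and the host "example.invalid" are assumptions made for the illustration. This offloading only covers work the engine hands out as delegated tasks; in the trace above, SecureRandom.nextBytes is reached directly from unwrap().

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Hypothetical demo class: drives the client side of a handshake up to the
// point where it needs bytes from the peer, offloading any delegated tasks.
public class DelegatedTaskDemo {

    /** Runs every pending delegated task on the worker pool, off the I/O thread. */
    static HandshakeStatus runDelegatedTasks(SSLEngine engine, ExecutorService pool) throws Exception {
        List<Future<?>> pending = new ArrayList<>();
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) {
            pending.add(pool.submit(task));
        }
        // A real event loop would resume from a completion callback instead of waiting here.
        for (Future<?> f : pending) {
            f.get();
        }
        return engine.getHandshakeStatus();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2); // assumed pool size
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("example.invalid", 443);
        engine.setUseClientMode(true);
        engine.beginHandshake();

        ByteBuffer empty = ByteBuffer.allocate(0);
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        HandshakeStatus hs = engine.getHandshakeStatus();
        // No network I/O happens: the ClientHello is only written into the local buffer.
        while (hs == HandshakeStatus.NEED_WRAP || hs == HandshakeStatus.NEED_TASK) {
            if (hs == HandshakeStatus.NEED_TASK) {
                hs = runDelegatedTasks(engine, pool);
            } else {
                hs = engine.wrap(empty, net).getHandshakeStatus();
            }
            System.out.println("handshake status: " + hs);
        }
        pool.shutdown();
    }
}
```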

