S2S between two Tigase instances doesn't work in non-hardened mode (#1060)

Won't Fix

Activities

wojciech.kapcia@tigase.net opened 5 years ago

While working on #systems-67 - trying to establish connection between the two results in

accepting node:

javax.net.ssl.SSLHandshakeException: Tag mismatch!
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:129)
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:668)
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:623)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:441)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:420)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
        at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:236)
        at tigase.io.TLSIO.decodeData(TLSIO.java:344)
        at tigase.io.TLSIO.read(TLSIO.java:170)
        at tigase.net.IOService.readData(IOService.java:727)
        at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:456)
        at tigase.net.IOService.call(IOService.java:182)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:144)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:49)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
        at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
        at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
        at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
        at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
        at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
        at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1887)
        at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
        at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
        at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:668)
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:623)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:441)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:420)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
        at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:236)
        at tigase.io.TLSIO.decodeData(TLSIO.java:344)
        at tigase.io.TLSIO.read(TLSIO.java:170)
        at tigase.net.IOService.readData(IOService.java:727)
        at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:456)
        at tigase.net.IOService.call(IOService.java:182)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:144)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:49)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

connecting node:

java.io.IOException: Connection reset by peer
        at java.base/sun.nio.ch.FileDispatcherImpl.read0(Native Method)
        at java.base/sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
        at java.base/sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:276)
        at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:233)
        at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:223)
        at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:358)
        at tigase.io.SocketIO.read(SocketIO.java:177)
        at tigase.io.TLSIO.read(TLSIO.java:163)
        at tigase.net.IOService.readData(IOService.java:729)
        at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:456)
        at tigase.net.IOService.call(IOService.java:184)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:144)
        at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:49)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)

wojciech.kapcia@tigase.net commented 4 years ago

Checked it with current HardenedMode settings (relaxed/secure/strict) and it worked. Issue most likely was caused by #issue #1101 (hardened mode was not enabling tls1.3 and disabling hardened mode was actually enabling tls1.3).

Type	Bug
Priority	Normal
Assignee	Bartosz Małkowski
Version	tigase-server-8.1.0, tigase-server-8.0.1
Spent time	1h 45m

#1101 Closed

Enabling TLS1.3 causes s2s connections to fail
tigase-private/systems-maintenance/servers#378 You are not authorized to access this issue
tigase-private/systems-maintenance#54 You are not authorized to access this issue
tigase-private/systems-maintenance#67 You are not authorized to access this issue

Issue Votes (0)

Watchers (0)

Reference

tigase/_server/server-core#1060