Wojciech Kapcia (Tigase) opened 4 years ago
-
It turns his library was sending entire CAs collection which resulted in the following exception:
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.451 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 handshake, length = 122 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.453 CEST|ServerHello.java:888|Consuming ServerHello handshake message ( "ServerHello": { "server version" : "TLSv1.2", "random" : "2E AC C0 92 D8 4F 3C FB 36 9B 43 36 E6 5E 89 22 02 6A CF 04 A0 52 89 48 51 68 F1 23 28 CE 58 02", "session id" : "90 C0 48 CF C2 B7 38 26 6F 9D 22 1E 33 03 1E FD 2F 7C 35 B2 83 A8 6D B3 63 05 92 1B E7 52 0A C7", "cipher suite" : "TLS_CHACHA20_POLY1305_SHA256(0x1303)", "compression methods" : "00", "extensions" : [ "key_share (51)": { "server_share": { "named group": x25519 "key_exchange": { 0000: B6 5F F4 04 1C 1D 2B 6D C6 CD 5E 1D 9E FE 5C 2F ._....+m..^...\/ 0010: 1F 0B 48 3C BA 27 C7 B2 F6 4C 06 C5 8F AE 52 49 ..H<.'...L....RI } }, }, "supported_versions (43)": { "selected version": [TLSv1.3] } ] } ) javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.453 CEST|SSLExtensions.java:192|Consumed extension: supported_versions javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.454 CEST|ServerHello.java:984|Negotiated protocol version: TLSv1.3 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: server_name javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: max_fragment_length javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: status_request javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: ec_point_formats javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: status_request_v2 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: extended_master_secret javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.456 CEST|SSLExtensions.java:163|Ignore unsupported extension: session_ticket javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.456 CEST|SSLExtensions.java:192|Consumed extension: supported_versions javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|SSLExtensions.java:192|Consumed extension: key_share javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|SSLExtensions.java:163|Ignore unsupported extension: renegotiation_info javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|PreSharedKeyExtension.java:925|Handling pre_shared_key absence. javax.net.ssl|ALL|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLSessionImpl.java:220|Session initialized: Session(1632244063459|TLS_CHACHA20_POLY1305_SHA256) javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: session_ticket javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: key_share javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: renegotiation_info javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.472 CEST|SSLCipher.java:2563|algorithm = CHACHA20-POLY1305:KEYUPDATE countdown value = 0 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.473 CEST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.3 change_cipher_spec, length = 1 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.473 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 change_cipher_spec, length = 1 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.474 CEST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.474 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 27 javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.476 CEST|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message ( "EncryptedExtensions": [ "server_name (0)": { <empty extension_data field> } ] ) javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:192|Consumed extension: server_name javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_groups javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: server_name javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_groups javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|E2|pool-5-thread-5|2021-09-21 19:07:43.494 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 16401 javax.net.ssl|ERROR|E2|pool-5-thread-5|2021-09-21 19:07:43.507 CEST|TransportContext.java:361|Fatal (UNEXPECTED_MESSAGE): The size of the handshake message (42207) exceeds the maximum allowed size (32768) ( "throwable" : { javax.net.ssl.SSLProtocolException: The size of the handshake message (42207) exceeds the maximum allowed size (32768) at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:301) at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197) at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:279) at tigase.io.TLSIO.decodeData(TLSIO.java:349) at tigase.io.TLSIO.read(TLSIO.java:176) at tigase.net.IOService.readData(IOService.java:741) at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:476) at tigase.net.IOService.call(IOService.java:205) at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:152) at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:53) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) at java.base/java.lang.Thread.run(Thread.java:831)} )Which is caused by the JDK defaults: https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9 specifies:
| System Property | Customized Item | Default | Notes | | - | - | - | - | |
jdk.tls.maxHandshakeMessageSize*| Certificate chain handling | 32768 (32 kilobytes) | Specifies the maximum allowed size, in bytes, for the handshake message in TLS/DTLS handshaking.
I configured the property with 64k limit, which fixed the issue (and should be enough)
| Type |
Bug
|
| Priority |
Normal
|
| Assignee | |
| Version |
tigase-server-8.2.0
|
| Spent time |
0
|
Issue Votes (0)
Watchers (0)
Jonas reported problems when connecting from search.jabber.network.